Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: poland (2 articles)Clear

Belarus-aligned FrostyNeighbor (Ghostwriter) running a new geofenced PDF phishing campaign against Ukrainian government - Ukrainian IPs get malware, everyone else gets a clean PDF

ESET researchers documented a new wave of activity from FrostyNeighbor (a.k.a. Ghostwriter, UNC1151, UAC-0057), the Belarus-aligned group that has been targeting Ukraine, Poland, and Lithuania since 2016. Since March 2026, the group has been sending spear-phishing PDFs impersonating Ukrainian telecom operator Ukrtelecom. The lure server checks the visitor's IP: Ukrainian addresses get a malicious RAR archive that drops a JavaScript version of PicassoLoader, which in turn pulls down a Cobalt Strike Beacon, while everyone else just sees a clean decoy PDF. Operators appear to manually approve which fingerprinted victims actually get the implant.

Check
Hunt email gateways and proxies for spear-phishing PDFs impersonating Ukrtelecom, search endpoint telemetry for JavaScript children of wscript.exe or cscript.exe running PicassoLoader behavior, and review outbound C2 callbacks from defense-sector users.
Affected
Ukrainian government, military, and defense organizations. Polish and Lithuanian industrial manufacturing, healthcare and pharma, logistics, and government bodies. Risk is highest for any organization with Eastern European operations.
Fix
Block known FrostyNeighbor domains and IPs from ESET's report at the network edge, deploy detections for JavaScript-stage PicassoLoader and Cobalt Strike, restrict execution of downloaded scripts via AppLocker, and brief Eastern European staff on the Ukrtelecom lure.

Polish intelligence says hackers attacked control systems at Polish water treatment plants

Polish intelligence service ABW announced Wednesday that hackers attacked the industrial control systems at multiple Polish water treatment plants. The Record reports the targeting profile is consistent with state-aligned activity - patient reconnaissance, careful access, no data destruction. Polish authorities have not formally attributed the attack but the timing (alongside Russia-Ukraine conflict and Russia's interest in Polish infrastructure as a NATO frontline state) is unmistakable. Similar incidents have been reported in Germany, Austria, and the Netherlands over the past 12 months. No service disruption was reported, but the access establishes pre-positioning.

Check
If you run water, electric, gas, or transport infrastructure, audit your industrial control system (ICS) and SCADA networks for unfamiliar VPN connections, new remote access tool installations, or anomalous outbound traffic since January.
Affected
Water utilities, power grid operators, and other critical infrastructure operators in NATO frontline states (Poland, Baltic states, Romania, Finland) and adjacent countries. Acute risk for utilities running internet-reachable HMI or engineering workstations. Smaller municipal water utilities without dedicated OT security staff are most exposed because they cannot detect patient state-actor reconnaissance.
Fix
Air-gap or one-way-data-diode-isolate ICS networks from corporate IT where possible. Inventory and remove any unauthorized remote-access tools (TeamViewer, AnyDesk, ScreenConnect) on engineering workstations. Apply CISA's water utility cyber guidance and Poland's CERT.PL recommendations. Conduct a tabletop exercise focused on prolonged ICS reconnaissance scenarios.