Executive Summary

Poland's National Centre for Nuclear Research (NCBJ), a major scientific institute and home to the country's only nuclear research reactor, successfully thwarted a cyberattack on its IT systems. The institute's security defenses detected and blocked the intrusion attempt before any systems were compromised or data was breached. The MARIA research reactor's operations were unaffected. Polish officials have noted that initial forensic evidence points to Iran, but they are treating this lead with caution, openly suggesting the possibility of a false flag operation intended to mask the true perpetrator. This consideration is heightened by Poland's geopolitical position and a history of being targeted by Russian state-sponsored actors.

Threat Overview

On or before March 16, 2026, an unknown threat actor launched a cyberattack against the internal IT infrastructure of the NCBJ in Świerk, Poland. The attack was detected and neutralized by the institute's internal security team. According to the NCBJ, security protocols functioned as designed, and no operational or research processes were disrupted. The target is highly sensitive, as the NCBJ operates the MARIA nuclear research reactor, which is used for scientific purposes and the production of medical isotopes. The incident is now under investigation in collaboration with national cybersecurity authorities to determine the origin and intent of the attack.

Technical Analysis

Specific technical details about the attack vector and the tools used have not been publicly disclosed. However, Poland's Minister for Digital Affairs, Krzysztof Gawkowski, mentioned that the "first identifications of the entry vectors... are related to Iran." This suggests that initial forensic analysis of network logs, malware, or infrastructure revealed indicators associated with known Iranian threat groups.

However, the immediate and public warning about a potential false flag operation is significant. This indicates that the attackers may have deliberately used tools, infrastructure, or TTPs associated with Iranian actors to mislead investigators. Given that Poland has been a primary target for Russian-linked groups like APT44 (Sandworm), it is plausible that such an actor would attempt to misdirect attribution. Attacks on critical infrastructure often involve common TTPs such as:

• Initial Access: T1566 - Phishing or exploiting public-facing applications.
• Execution: Use of T1059.003 - Windows Command Shell for command execution.
• Discovery: Probing the internal network to identify high-value targets like systems related to the MARIA reactor.

Impact Assessment

Due to the successful defense, there was no direct operational, safety, or data-related impact. The MARIA reactor continued to operate safely at full power. The primary impact is geopolitical and strategic. The attempted attack on a nuclear research facility, regardless of its success, represents a significant escalation and highlights the willingness of threat actors to target highly sensitive critical infrastructure. The public discussion of a false flag operation also serves as a strategic communication, signaling to adversaries that Poland is aware of such deceptive tactics. For the NCBJ, the incident necessitates a resource-intensive investigation and likely a comprehensive review and hardening of its security posture.

Detection & Response

The NCBJ's internal security systems and personnel were key to the successful outcome. The early detection and rapid response prevented the incident from escalating. Key elements of their response likely included:

• Detection: Automated alerts from security monitoring tools (e.g., NIDS, SIEM) flagged the anomalous activity.
• Analysis: Security analysts quickly triaged the alerts to confirm a malicious intrusion attempt.
• Containment: The security team blocked the attack vectors, such as by blacklisting source IPs or isolating targeted systems.
• Collaboration: The NCBJ promptly engaged with national cybersecurity authorities for deeper analysis and intelligence sharing.

This incident serves as a case study for the importance of a mature detection and response capability within critical infrastructure organizations.

Mitigation

Protecting critical infrastructure like a nuclear research facility requires a defense-in-depth strategy.

Strategic Recommendations

• Network Segmentation (D3-NI: Network Isolation): Enforce strict network segmentation between the IT network and the Operational Technology (OT) network that controls the reactor. There should be no direct path from the internet or the corporate IT environment to critical control systems.
• Threat Intelligence Integration: Actively consume and integrate threat intelligence feeds related to actors known to target critical infrastructure and ICS environments (e.g., APT44, Iranian state actors) into security controls.
• Assume Breach Mentality: Operate under the assumption that the perimeter will be breached. Focus on internal segmentation, monitoring for lateral movement, and implementing deception technologies to detect and slow down intruders.
• Regular Drills and Exercises: Conduct regular cybersecurity drills, including tabletop exercises and red team assessments, that simulate attacks on critical systems to test and refine response plans.
• Multi-Factor Authentication (MFA): Enforce MFA for all remote access and for access to sensitive internal systems to protect against credential compromise.