Poland's National Centre for Nuclear Research blocked an attempted intrusion into its IT infrastructure in mid-March 2026. No systems were compromised and the MARIA reactor kept running without interruption. What investigators found when they traced the attack back to its origin is where the story gets complicated.
On March 12, 2026, Poland's National Centre for Nuclear Research (NCBJ) published a statement confirming that hackers had attempted to penetrate its IT infrastructure. The institute, located in Otwock-Swierk near Warsaw, operates Poland's only functioning nuclear research reactor and conducts internationally significant work in nuclear physics, radiopharmaceuticals, and reactor technology. It is, by any reasonable measure, exactly the kind of institution that nation-state threat actors look for: technically sensitive, symbolically valuable, and connected to critical national infrastructure. The attack was stopped. But the investigation into who launched it has opened a set of questions that Polish authorities are still working through.
What Happened at NCBJ
The NCBJ's own statement, published on its official website, described what happened in direct terms. "Thanks to the swift and effective action of security systems and procedures in place for such incidents, as well as the rapid response of our teams, the attack was prevented and the integrity of the systems remained intact," the institute stated. The announcement confirmed that all safety systems responded as designed, the intrusion attempt was blocked, and operations continued without disruption.
"No production, operational or research processes were disrupted, and the MARIA reactor is operating safely and without disruption, at full power." — Prof. Jakub Kupecki, Director of the National Centre for Nuclear Research, official NCBJ statement, March 2026
Prof. Kupecki's statement was specific on a point that matters for public confidence: the MARIA reactor, a high-flux research reactor used for isotope production, materials testing, and nuclear physics experiments, was never at risk. The NCBJ is one of the largest scientific institutes in Central Europe and serves both domestic Polish science programs and international collaborations. Any successful compromise of its systems would have carried significant geopolitical and scientific consequences beyond the immediate operational disruption.
The institute confirmed that it notified the relevant Polish state institutions and that coordination with national authorities was underway. Internal security teams were placed on heightened alert. "The situation continues to be monitored by the relevant services and security teams," the NCBJ stated in its public release. The institute did not disclose the technical nature of the attack — whether it was an attempted exploitation of a software vulnerability, a credential-based intrusion, or a phishing-initiated chain. That information remains under active investigation.
Following detection, NCBJ worked directly with NASK-PIB, Poland's national research and academic network institute, and the Ministry of Digital Affairs to analyze the incident and strengthen infrastructure protections. SC Media confirmed the institute's collaboration with those government bodies as part of post-incident response. No group has claimed responsibility for the attack.
Who Is Behind It? The Iran Attribution Problem
Attribution in cyberattacks is difficult under the best circumstances. In this case, Polish investigators identified entry vectors that pointed toward Iran, but they are treating that evidence with deliberate caution. Krzysztof Gawkowski, Poland's Minister for Digital Affairs, addressed the findings publicly in an interview with private broadcaster TVN24+.
"The first identifications of the entry vectors, i.e. those places from which the center was attacked, are related to Iran. When there is final information and the services will check it, we will verify it, but there are many indications that it took place on the territory of Iran." — Krzysztof Gawkowski, Poland's Minister for Digital Affairs, TVN24+, March 12, 2026
Gawkowski added a significant qualifier: those early indicators might have been deliberately planted. The possibility of a false flag operation — where one actor uses the known tools, infrastructure, or signatures of another to obscure their identity — is not a remote theoretical concern. It is a documented tradecraft technique used by sophisticated threat actors, and Polish officials explicitly acknowledged it as a live possibility in this case.
The NCBJ itself did not formally attribute the attack to any specific threat actor or nation-state. All public statements about Iranian indicators came from government officials, not from the institute's own security or forensic findings. The investigation remains active and no final attribution has been issued.
The geopolitical framing matters here. Poland is a NATO member but has taken deliberate steps to remain outside the direct Iran conflict. Defense Minister Wladyslaw Kosiniak-Kamysz stated explicitly earlier in March 2026 that Poland is not participating in the conflict in the Middle East. That neutrality makes Poland an unusual target for Iranian state-sponsored activity if direct retaliation or political pressure is the motive. It does not, however, make Poland immune. Iran-linked threat actors have demonstrated a consistent pattern of targeting European critical infrastructure for intelligence gathering purposes and, in some cases, to create leverage with NATO member governments indirectly involved in regional dynamics through alliance obligations.
A suspected Iranian-linked group was also implicated in a disruptive cyberattack against Stryker Corporation, a U.S. medical technology firm, during the same general period. That incident disrupted global manufacturing and shipping operations. Taken together, these incidents suggest Iranian cyber operators have been active across multiple sectors and geographies in early 2026, though whether the NCBJ incident is connected to that broader campaign remains unconfirmed.
The false flag question cuts both ways. A sophisticated adversary with reason to provoke Polish-Iranian diplomatic tension — Russia being the candidate that analysts point to first, given the broader context of Russian hybrid operations against Poland — could plausibly plant Iranian-linked indicators to obscure their own involvement and redirect Polish government attention. That is not a claim, only an analytical framework that Polish investigators appear to be holding open alongside the Iranian hypothesis.
Poland as a Sustained Target: The December 2025 Context
The NCBJ incident did not occur in isolation. It follows what Polish Prime Minister Donald Tusk called one of the most serious cyberattacks against the country's energy infrastructure in years. On December 29 and 30, 2025, coordinated attacks struck at least 30 wind and photovoltaic farms, two combined heat and power plants, and a large CHP facility supplying heat to nearly half a million customers during a period of extreme cold weather. The timing — during blizzard conditions just before New Year — was not coincidental. CERT Polska later noted that the attacks were "aimed solely at destruction," comparing them to deliberate arson.
ESET attributed the December 2025 grid attacks to Sandworm, the Russia-aligned APT group associated with Russia's GRU military intelligence unit 74455, with medium confidence. The malware used was a previously undocumented data wiper ESET named DynoWiper. Dragos, tracking the same actor under the designation ELECTRUM, independently attributed the attack with moderate confidence. CERT Polska attributed the activity to a separate group it tracks as Static Tundra, also known as Berserk Bear or Dragonfly, which focuses on reconnaissance and espionage. The December attack occurred on the tenth anniversary of Sandworm's 2015 BlackEnergy attacks on Ukraine's power grid — a symbolic alignment that ESET flagged explicitly in its analysis.
"Based on our analysis of the malware and associated TTPs, we attribute the attack to the Russia-aligned Sandworm APT with medium confidence due to a strong overlap with numerous previous Sandworm wiper activity we analyzed." — ESET researchers, January 2026
The December attacks exploited Fortinet FortiGate devices that were internet-facing, using default credentials and lacking multi-factor authentication, according to CERT Polska's post-incident report. Attackers gained access to industrial control systems including RTU560 remote terminal units from Hitachi Energy, Moxa communication devices, and Mikronika equipment. While no blackout occurred, some ICS devices were permanently damaged. CERT Polska noted that "given the level of access obtained by the attacker, there was a risk of causing a disruption in electricity generation at the affected facilities." The attack had been in preparation since at least March 2025, with reconnaissance and credential harvesting activity detected through July of that year.
A late-February 2026 report from the International Centre for Counter-Terrorism (ICCT) documented 31 confirmed hybrid warfare incidents attributed to Russian actors targeting Poland between mid-2025 and early 2026. Against that backdrop, the NCBJ cyberattack in March 2026 represents a potential second front: a second nation-state, Iran, possibly probing Polish critical infrastructure within the same quarter that Russian-linked actors carried out their largest recorded grid attack against the country. Whether the two campaigns are coordinated, parallel, or entirely coincidental is one of the questions investigators are working to answer.
Why Nuclear Research Facilities Are High-Value Targets
Understanding why the NCBJ would attract nation-state attention requires a clear picture of what the institute actually does. NCBJ is Poland's largest scientific research institute focused on nuclear science and technology. It operates the MARIA reactor, a high-flux research reactor used for isotope production, materials testing, nuclear physics experiments, neutron therapy, and the training of nuclear engineers. NCBJ also provides technical and scientific support for Poland's civilian nuclear power program — the country is actively developing its first commercial nuclear power plant. The institute does not conduct any military nuclear activities, and Poland has no nuclear weapons program.
That civilian, scientific profile does not reduce its value to an adversary. It may increase it. The MARIA reactor produces radioisotopes used in medical diagnostics and treatment across Europe. Disruption of those supply chains carries humanitarian consequences. Research data on reactor design, materials behavior under neutron bombardment, and nuclear fuel cycle management carries strategic scientific value. And access to an institute that is advising Poland's commercial nuclear development program creates a persistent intelligence opportunity at a moment when Polish nuclear strategy is being actively shaped. Reconnaissance of the institute's administrative and research networks — even falling short of operational system access — provides an adversary with valuable insight into personnel, projects, partner institutions, and procurement activity.
The NCBJ has not disclosed whether the blocked intrusion targeted IT administrative systems, research computing environments, or systems closer to operational infrastructure. That distinction matters significantly for assessing the attacker's actual objectives — espionage, disruption, or future access positioning.
There is also the symbolic dimension. A confirmed breach at a nuclear research institute generates a different kind of headline than a breach at a government ministry or commercial firm. The reputational and political cost to the targeted government is higher, and the signal sent to other potential targets — that nuclear-adjacent institutions are reachable — serves an adversary's psychological and deterrence objectives even when operational damage is zero. Nation-state attackers understand this. A blocked intrusion that makes international news still accomplishes something.
What the NCBJ incident demonstrates, more than anything, is that early detection worked. The institute's monitoring and incident response procedures identified the intrusion attempt before it could establish a foothold or move laterally. That outcome is not guaranteed in environments like this one. As CERT Polska's findings from the December 2025 grid attacks showed, attackers can maintain persistent access for months — beginning reconnaissance in March and executing destructive action in December — before defenders detect them. The NCBJ stopped this attempt earlier in the kill chain. That is a genuine defensive success, and it reflects what properly calibrated detection looks like when it functions as intended.
The broader question that the incident surfaces for defenders across sensitive sectors is whether their own visibility is comparable. Intrusions in critical infrastructure environments, including research institutions with operational adjacency, regularly go undetected for extended periods. The NCBJ's response demonstrates that rapid detection is achievable. It also demonstrates that nation-state actors are not limiting their attention to governments and defense contractors. Scientific institutions supporting national energy strategy, developing civilian nuclear programs, and producing strategic materials are targets, and they need to be resourced and monitored accordingly.
Key Takeaways
- The attack was blocked before any compromise occurred: NCBJ's security systems detected the intrusion attempt and contained it. The MARIA reactor continued operating at full power throughout the incident, and no research or production processes were disrupted.
- Attribution remains genuinely uncertain: Polish officials identified entry vectors suggesting Iranian origin, but investigators publicly acknowledged those indicators could be planted false flags. No group has claimed responsibility. Final attribution has not been issued and the investigation is ongoing.
- This follows a pattern of escalating attacks on Polish infrastructure: Within the previous three months, Poland experienced the Sandworm-attributed DynoWiper attacks on its power grid in December 2025, and an ICCT report documented 31 Russian hybrid warfare incidents in the country over roughly nine months. The NCBJ incident potentially introduces a second nation-state actor into that picture.
- Nuclear research facilities carry unique strategic value for adversaries: Intelligence on reactor programs, nuclear fuel cycles, radioisotope supply chains, and the personnel advising Poland's commercial nuclear development all represent durable intelligence targets. Disruption of isotope production would carry direct humanitarian consequences across European healthcare systems.
- Early detection is the critical variable: The difference between this incident and a successful breach was the institute's monitoring maturity. Organizations in similarly sensitive sectors should treat this as a reference point for assessing their own detection and response capabilities, not as reassurance that the threat has passed.
Poland has now faced serious intrusion attempts against its power grid, manufacturing sector, and nuclear research infrastructure within a single quarter. The institutional response has, by available evidence, been effective each time. The harder question — who is actually targeting Poland's critical infrastructure, what their objectives are, and whether these campaigns are connected — remains open. Investigators are working it. The answer, when it arrives, will likely matter beyond Poland's borders.
Sources
- NCBJ Official Statement — Prevention of a cyberattack on the National Centre for Nuclear Research, March 2026
- BleepingComputer — Poland's nuclear research centre targeted by cyberattack, March 13, 2026
- SecurityWeek — Hacking Attempt Reported at Poland's Nuclear Research Center, March 2026
- Help Net Security — Hackers tried to breach Poland's nuclear research centre, March 16, 2026
- Security Affairs — Hackers targeted Poland's National Centre for Nuclear Research, March 2026
- Security Boulevard — Poland Suspects Iranian Actors are Behind Attack on Its Nuclear Power Center, March 2026
- ESET / WeLiveSecurity — ESET Research: Sandworm behind cyberattack on Poland's power grid in late 2025, January 2026
- SecurityWeek — Russian Sandworm Hackers Blamed for Cyberattack on Polish Power Grid, January 2026
- SecurityWeek — Default ICS Credentials Exploited in Destructive Attack on Polish Energy Facilities, February 2026
- Dragos — ELECTRUM: Cyber Attack on Poland's Electric System 2025, January 2026
- TrollEye Security — Poland's Nuclear Research Centre Repels Cyberattack, Potential Iran Attribution, March 2026