Prayukth K V
In the early days of the ongoing conflict in the Middle East, security teams discovered an ongoing probe on the digital perimeter of one of Europe's most sensitive scientific institutions. The target was Poland's National Centre for Nuclear Research (NCBJ), the country's primary and premier government nuclear institute located in Świerk, nearly 30 kilometres southeast of Warsaw. The attackers didn't manage to get in. But the attempt itself represents a loud signal in an already deafening geopolitical storm.
What actually happened
Poland's NCBJ confirmed that hackers had targeted its IT infrastructure. It however stated that the attack was detected and blocked before causing any impact. In a statement, the organisation said its security systems and internal procedures that were designed to detect threats early prevented the compromise and allowed IT staff to quickly secure targeted systems.
Poland's Minister for Digital Affairs, Krzysztof Gawkowski, told private broadcaster TVN24+ that the attack had taken place "in the past few days". He added that "the first identifications of the entry vectors (those places from which the centre was attacked) are linked to Iran."
Critically, the minister also issued an immediate caveat that the indicators might be deliberate misdirection to hide the attackers' true location. As everyone following Polish cyber incidents knows, there is an elephant in the room in this attack, and it is Russia.
The NCBJ: Why this target matters
The cyberattack unsuccessfully targeted the National Centre for Nuclear Research, which houses the country's only operational nuclear reactor. The NCBJ is not a weapons facility: Poland has no nuclear weapons and is building its first nuclear power plant. But the institute's strategic value is not about warheads.
NCBJ is Poland's main government nuclear research institute specializing in nuclear physics, reactor technology, particle physics, and radiation applications. It provides technical and scientific support that underpins the country's nuclear power programme. Right now Poland is constructing its first civil nuclear plant in partnership with American companies Westinghouse and Bechtel. Any intelligence gathered on reactor safety systems, supplier relationships, or engineering specifications would be operationally valuable to a sophisticated adversary. This is especially true for threat actors that view US economic and military entanglements as legitimate soft targets.
This is clearly an attempt at pre-positioning: attackers sought early entry to establish persistence, so that they would remain embedded as the data grew more valuable.
The geopolitical context you cannot separate from this
The NCBJ attack on March 12 did not happen in a vacuum. It happened 12 days into a hot war. That context matters enormously for the threat model and the implications that follow.
Just a day prior, on March 11, a far more consequential Iranian cyber operation had already landed. Medical technology giant Stryker, a Fortune 500 company headquartered in Michigan that specializes in surgical equipment, orthopedic implants, and neurotechnology, was targeted by a highly disruptive cyberattack. The Iran-linked group Handala claimed to have wiped more than 200,000 servers, mobile devices, and other systems, forcing Stryker to shut down offices in 79 countries. We have covered the unique aspects of this incident in an earlier post, here.
Handala is one of several threat actors affiliated with Iran's Ministry of Intelligence and Security (MOIS). It is possibly working alongside APT 35 to breach enterprises across the world. Handala is known to go after strategic targets and is not known to be interested in ransom or data leaks.
The Stryker attack was visceral, large-scale, and explicitly political. Handala said it carried out the attack in retaliation for the killing of more than 170 people in a strike on a school in the southern Iranian city of Minab on the first day of the US-Israeli military war against Iran.
The Poland probe, by contrast, was quieter. It was more of a surgical reconnaissance attempt on a nuclear facility. This has created two very different operational signatures in a 24-hour window for the same group.
The false flag problem: attribution is harder than it looks
The Polish government's own caveat about possible misdirection is the crux of the analytical challenge here. In offensive cyber operations, false flag attacks, in which an attacker deliberately mimics the TTPs (tactics, techniques and procedures) of another nation-state, are not theoretical. They are standard practice, and there are reasons to believe this could be one such instance.
The entry vectors pointing to Iran could mean several things:
Scenario A: Direct Iranian operation. Retaliation logic is coherent. Poland is a NATO member. Poland's Defence Minister stated that Poland is not participating in the conflict in the Middle East. But in Iran's threat calculus, any NATO member hosting US military infrastructure or supplying Ukraine (which Poland does substantially) is a legitimate pressure point.
Scenario B: A Russian false flag. Poland has been high on the target list of Russian cyber actors, with 31 confirmed incidents attributed to them between mid-2025 and early 2026. Earlier in 2026, Russia's APT44 ("Sandworm") attacked Poland's power grid, targeting distributed energy resource sites, heat and power facilities, and renewable dispatch systems. Moscow has every incentive to hit Polish infrastructure and let Iran take the blame. This attack could be one more in that series, with Russia this time choosing to pass the blame to Iran. For the record, this attack has all the hallmarks of a standard Russian operation, be it in terms of the target, the timing or even the TTPs.
Scenario C: Third-party opportunism. Active conflict creates cover. A criminal or espionage group with no state affiliation can exploit geopolitical noise to conduct operations that blend into the background. This seems unlikely, as nuclear research facilities are well outside the league of such actors. But it is possible that the threat actor was trying to gain a foothold in the network in order to sell that access to a more established threat actor later.
Entry vectors (the IP addresses, infrastructure, and routing paths through which an attack arrives) are trivially spoofable or launderable through third-country infrastructure and bot farms. Any analyst who tells you IP geolocation settles attribution is either selling you something or less informed than they should be.
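To make the point concrete, here is an added example (not from the original post, and not any agency's attribution method) of how an analyst can weight "entry vector" evidence so that IP geolocation alone cannot carry an attribution call. Every indicator, country label and weight below is constructed sample data; the weights are an assumed analyst prior, not a standard.

```python
"""Added example: weighting source-IP evidence by the kind of
infrastructure it comes from. All indicators and weights are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceIndicator:
    ip: str            # constructed, taken from RFC 5737 documentation ranges
    geo_country: str   # what a geolocation database reports for the IP
    infra_type: str    # residential | hosting | vpn | compromised_host


# Assumed analyst weights: a hop through rented, anonymised or compromised
# infrastructure tells you where the hop is, not where the operator is.
INFRA_WEIGHT = {
    "residential": 0.4,
    "hosting": 0.1,
    "vpn": 0.05,
    "compromised_host": 0.05,
}
LAUNDERABLE = {"hosting", "vpn", "compromised_host"}

# Constructed sample: three hits geolocating to "IR", all via hosting/VPN,
# plus two hits elsewhere, one of them from a residential address.
SAMPLE_INDICATORS = [
    SourceIndicator("198.51.100.7", "IR", "hosting"),
    SourceIndicator("198.51.100.8", "IR", "hosting"),
    SourceIndicator("198.51.100.9", "IR", "vpn"),
    SourceIndicator("203.0.113.4", "NL", "hosting"),
    SourceIndicator("203.0.113.5", "DE", "residential"),
]


def assess_entry_vectors(indicators, min_weight=1.0):
    """Compare a naive per-country hit count with an infrastructure-weighted
    score and say whether geolocation evidence alone clears `min_weight`
    (an assumed threshold) for any country."""
    if not indicators:
        raise ValueError("no indicators to assess")
    raw = Counter(i.geo_country for i in indicators)
    weighted = Counter()
    for i in indicators:
        weighted[i.geo_country] += INFRA_WEIGHT.get(i.infra_type, 0.0)
    launderable = sum(1 for i in indicators if i.infra_type in LAUNDERABLE)
    raw_leader = raw.most_common(1)[0][0]
    weighted_leader, top_score = weighted.most_common(1)[0]
    return {
        "raw": dict(raw),
        "weighted": {c: round(s, 2) for c, s in weighted.items()},
        "launderable_share": round(launderable / len(indicators), 2),
        "raw_leader": raw_leader,
        "weighted_leader": weighted_leader,
        "geo_sufficient": top_score >= min_weight,
    }


if __name__ == "__main__":
    for key, value in assess_entry_vectors(SAMPLE_INDICATORS).items():
        print(f"{key}: {value}")
```

On the constructed sample the raw count points one way while the weighted score points another, and neither clears the threshold, which is exactly the situation the minister's caveat describes: source addresses are a lead to corroborate with TTPs, tooling and timing, not a verdict.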
What the defenders got right
This incident is also worth examining for what didn't happen. The NCBJ was not breached. Thanks to the rapid and effective actions of security systems and internal procedures, as well as the quick response of the teams, the attack was thwarted and the integrity of the systems was not compromised.
That is not a trivial outcome. Critical infrastructure, especially nuclear facilities, has historically been a high-value, under-hardened target that sits firmly within the red lines governments have drawn. The successful defence here suggests a few things: layered detection was in place, the SOC (Security Operations Centre) had incident response procedures tested and ready, and threat intelligence sharing within Poland's national cyber apparatus was functional enough to enable a rapid reaction.
Compare this to the Stryker failure, where security researchers suggested Handala actors gained access to Stryker's Active Directory services and used the Microsoft endpoint management tool Intune to remotely wipe Microsoft devices, including devices managed under a bring-your-own-device policy. That is a supply-chain and identity management failure at scale, the kind of access that should never be achievable from outside.
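The Stryker pattern described above, a legitimate management console turned into a wiper, is one a SOC can watch for. The following is an added example (not Stryker's, Microsoft's or the post author's code) of detection logic run over constructed endpoint-management audit events: it flags any identity issuing a burst of remote-wipe commands and any full wipe against a personally owned device. The event schema, the action labels, the window and threshold, and every event are assumptions for this example; a real deployment would map them onto the tenant's own audit log export.

```python
"""Added example: detecting a mass remote-wipe burst in endpoint
management audit events. Schema, thresholds and events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

DESTRUCTIVE_ACTIONS = {"wipe", "retire"}   # assumed action labels
BURST_WINDOW = timedelta(minutes=10)       # assumed tuning values
BURST_THRESHOLD = 5

# Constructed audit events: one admin identity issuing six wipes in under
# three minutes (one against a personally owned device), and a helpdesk
# identity doing routine work that should not alert.
SAMPLE_EVENTS = [
    {"ts": "2026-01-01T02:00:05", "actor": "admin-a@example.com", "action": "wipe",
     "device_id": "dev-001", "ownership": "company"},
    {"ts": "2026-01-01T02:00:10", "actor": "admin-a@example.com", "action": "wipe",
     "device_id": "dev-002", "ownership": "company"},
    {"ts": "2026-01-01T02:00:20", "actor": "admin-a@example.com", "action": "wipe",
     "device_id": "dev-003", "ownership": "company"},
    {"ts": "2026-01-01T02:00:45", "actor": "admin-a@example.com", "action": "wipe",
     "device_id": "dev-004", "ownership": "personal"},
    {"ts": "2026-01-01T02:01:10", "actor": "admin-a@example.com", "action": "wipe",
     "device_id": "dev-005", "ownership": "company"},
    {"ts": "2026-01-01T02:02:30", "actor": "admin-a@example.com", "action": "wipe",
     "device_id": "dev-006", "ownership": "company"},
    {"ts": "2026-01-01T02:01:00", "actor": "helpdesk@example.com", "action": "wipe",
     "device_id": "dev-100", "ownership": "company"},
    {"ts": "2026-01-01T02:01:30", "actor": "helpdesk@example.com", "action": "sync",
     "device_id": "dev-101", "ownership": "company"},
    {"ts": "2026-01-01T02:03:00", "actor": "helpdesk@example.com", "action": "retire",
     "device_id": "dev-102", "ownership": "personal"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_mass_wipe(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return alerts for (a) any actor issuing at least `threshold`
    destructive actions inside any `window`-long span, and (b) any full
    wipe of a personally owned device, where policy would normally allow
    only a retire (removal of corporate data)."""
    alerts = []
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        per_actor[e["actor"]].append(e)
        if e["action"] == "wipe" and e["ownership"] == "personal":
            alerts.append({"type": "byod_wipe", "actor": e["actor"],
                           "device_id": e["device_id"], "ts": e["ts"]})
    # Sliding window per actor: find the densest span of destructive actions.
    for actor, acts in per_actor.items():
        acts.sort(key=_ts)
        start, peak, peak_start = 0, 0, None
        for end, e in enumerate(acts):
            while _ts(e) - _ts(acts[start]) > window:
                start += 1
            size = end - start + 1
            if size > peak:
                peak, peak_start = size, acts[start]["ts"]
        if peak >= threshold:
            alerts.append({"type": "mass_wipe_burst", "actor": actor,
                           "count": peak, "window_start": peak_start})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(alert)
```

The two rules are deliberately independent: the burst rule catches the scale of the Stryker-style event regardless of device ownership, while the BYOD rule catches a single policy violation that would otherwise hide inside legitimate-looking admin activity. Both assume the audit trail itself is shipped off-tenant in near real time, since an attacker holding the directory can also tamper with what stays inside it.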
What comes next
The strategic picture suggests this is early days, not a one-off. Iran has historically responded to kinetic pressure with sustained, multi-vector cyber campaigns rather than a single burst. It has conducted some of the most infamous wiper attacks on national enemies, aiming simply to erase all data on targeted networks; Saudi Aramco lost tens of thousands of workstations in 2012. The pattern is patient escalation, not spectacle.
For European critical infrastructure operators, particularly in energy, nuclear, and defence-adjacent sectors, the threat model has now materially expanded. Poland's proximity to the Ukraine conflict already made it a top-tier Russian target. The addition of potential Iranian retaliatory operations creates a multi-front cyber pressure that will strain SOC bandwidth, attribution pipelines, and national cyber response coordination simultaneously.
The NCBJ attack was foiled. The next one may not be. And in an environment where false flags are standard practice and two nuclear-adjacent conflicts are unfolding in parallel, the margin for attribution error and the consequences of that error have never been higher.