Executive Summary
In March 2026, Poland's National Centre for Nuclear Research (NCBJ) successfully thwarted a cyberattack targeting its IT infrastructure. The institute's security systems and internal procedures detected the intrusion early, preventing any compromise of its systems. Notably, the MARIA reactor, Poland's sole nuclear reactor, used for scientific research and medical isotope production, remained unaffected and continued to operate safely at full capacity. While the NCBJ did not attribute the attack to any specific entity, reports suggest potential involvement of Iranian actors, though investigators caution that these indicators may be deceptive. This incident underscores the escalating cyber threats faced by critical infrastructure globally, particularly in the nuclear sector. Organizations must remain vigilant, continuously enhancing their cybersecurity measures to detect and respond to such sophisticated attacks promptly.
Why This Matters Now
The attempted cyberattack on Poland's National Centre for Nuclear Research highlights the increasing targeting of critical infrastructure by sophisticated threat actors. As geopolitical tensions rise, particularly involving nations with advanced cyber capabilities, the risk to essential services and national security intensifies. This incident serves as a stark reminder for organizations worldwide to bolster their cybersecurity defenses, ensuring resilience against potential disruptions that could have far-reaching consequences.
Attack Path Analysis
The adversary likely initiated the attack by exploiting public-facing applications to gain initial access. Subsequently, they may have escalated privileges by obtaining valid credentials through techniques like credential dumping. The attacker then possibly moved laterally within the network, accessing critical systems. They established command and control channels to maintain persistent access. Data exfiltration was likely attempted to extract sensitive information. Finally, the adversary may have aimed to disrupt operations or cause damage, though the attack was thwarted before impact.
Kill Chain Progression
Initial Compromise
Description
The adversary likely exploited public-facing applications to gain unauthorized access to the network.
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Phishing
Application Layer Protocol
Obfuscated Files or Information
Modify Program
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST Cybersecurity Framework (CSF) 2.0 – Access Control
Control ID: PR.AC-1
NIS2 Directive – Risk Analysis and Information System Security Policies
Control ID: Article 21(2)(a)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Identity Management
Control ID: Identity Pillar
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 5
ISO/IEC 27001:2022 – Policies for Information Security
Control ID: A.5.1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Nation-state attacks targeting critical infrastructure require enhanced east-west traffic security and zero trust segmentation to prevent lateral movement in energy systems.
Defense/Space
Nuclear research facilities face sophisticated nation-state threats necessitating multicloud visibility, encrypted traffic monitoring, and robust egress security policy enforcement capabilities.
Government Administration
Polish government entities require strengthened threat detection and anomaly response systems to counter Iranian and Russian cyber actors targeting national infrastructure.
Utilities
Power grid operators need secure hybrid connectivity and inline IPS protection following recent APT44 attacks on distributed energy resources and dispatch systems.
Sources
- Poland's nuclear research centre targeted by cyberattack: https://www.bleepingcomputer.com/news/security/polands-nuclear-research-centre-targeted-by-cyberattack/
- Cyberattack on the National Centre for Nuclear Research foiled (original title: "Udaremnienie cyberataku na Narodowe Centrum Badań Jądrowych"): https://www.ncbj.gov.pl/aktualnosci/udaremnienie-cyberataku-na-narodowe-centrum-badan-jadrowych
- Poland says foiled cyberattack on nuclear centre may have come from Iran: https://www.reuters.com/world/poland-says-foiled-cyberattack-nuclear-centre-may-have-come-iran-2026-03-12/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting the attacker's ability to move laterally and exfiltrate data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit public-facing applications may have been constrained, reducing the likelihood of unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been constrained, reducing the reach to critical systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels could have been limited, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been constrained, reducing the risk of sensitive information loss.
The attacker's potential to disrupt operations or cause damage could have been limited, reducing operational risk.
Impact at a Glance
Affected Business Functions
- Nuclear Research Operations
- Scientific Experimentation
- Medical Isotope Production
Estimated downtime: N/A
Estimated loss: N/A
No data exposure reported.
Recommended Actions
Key Takeaways & Next Steps
- Implement robust egress security and policy enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Enhance east-west traffic security to detect and prevent lateral movement within the network.
- Deploy zero trust segmentation to enforce least privilege access and limit the attack surface.
- Utilize multicloud visibility and control solutions to monitor and manage security policies across diverse cloud environments.
- Establish comprehensive threat detection and anomaly response mechanisms to identify and respond to suspicious activities promptly.