Water utilities across the United States and Europe are facing increasing cyber threats as nation-state actors continue targeting critical infrastructure through exposed industrial control systems and weak authentication practices.

Security researchers warn that attacks against water and wastewater facilities have evolved from isolated incidents into a strategic component of geopolitical competition. Between 2024 and 2026, multiple state-linked threat groups exploited vulnerable operational technology (OT) environments to gain access to systems that millions of people rely on daily.

Water Infrastructure Becomes a Strategic Target

According to researchers, countries including Iran, Russia, and China have increasingly viewed civilian utilities as strategic pressure points.

Rather than pursuing large-scale destruction, these actors are using access to water infrastructure to:

  • Test defensive capabilities
  • Measure emergency response effectiveness
  • Create psychological pressure
  • Establish long-term access for future operations
  • Signal geopolitical intent

Analysts note that critical infrastructure systems are now considered valuable leverage in modern cyber conflict.

Common Attack Vectors

Most successful intrusions relied on basic security weaknesses rather than sophisticated malware.

Threat actors repeatedly exploited:

  • Internet-facing PLCs (Programmable Logic Controllers)
  • Default credentials
  • Weak passwords
  • Shared operator accounts
  • Poor IT/OT network segmentation
  • Exposed remote access services

Many of these vulnerabilities can be exploited without advanced tooling, requiring only publicly accessible systems and valid credentials.

Iranian-Linked Attacks on Water Systems

One of the most prominent campaigns involved Iranian-affiliated threat actors known as CyberAv3ngers.

In December 2024, U.S. authorities confirmed that the group targeted Unitronics Vision Series PLCs commonly deployed in water and wastewater facilities.

The attackers gained access using factory-default credentials, demonstrating how weak operational security can enable compromise of critical systems.

A joint advisory released by CISA, FBI, NSA, and EPA later confirmed continued targeting of internet-exposed industrial control systems across:

  • Water utilities
  • Energy providers
  • Government organizations

Researchers observed activity targeting industrial control ports and the deployment of Dropbear SSH to maintain remote access after compromise.

Russian-Linked Operations

Russian-aligned threat groups have also demonstrated the ability to impact physical processes.

In January 2024, attackers compromised a remote industrial interface at a water facility in Muleshoe, Texas, causing a municipal water tank to overflow for approximately 30 to 45 minutes.

The operation was later claimed by Cyber Army of Russia Reborn, a group linked to the Russian military-associated Sandworm threat actor.

In April 2025, attackers targeted infrastructure in Bremanger, Norway, opening a dam floodgate and releasing water for roughly four hours.

Poland also reported compromises affecting five separate water treatment facilities during 2025.

Investigators found that attackers gained access through weak passwords and internet-exposed control systems. Once inside, the attackers were reportedly able to modify chemical dosing parameters, creating potential public health risks.

China's Long-Term Access Strategy

Unlike the disruptive operations attributed to Iranian and Russian actors, China's Volt Typhoon has focused on stealth and persistence.

Security agencies report that Volt Typhoon targeted water and wastewater environments alongside other critical sectors to establish long-term access and maintain strategic positioning.

The objective appears to be preparing cyber options that could be activated during future geopolitical conflicts.

Researchers emphasize that the same weaknesses exploited by advanced nation-state actors can also be leveraged by cybercriminals and opportunistic attackers.

Recommended Security Measures

Experts recommend immediate action to reduce exposure across water and wastewater environments.

Key defensive measures include:

  • Removing PLCs and HMIs from direct internet exposure
  • Replacing default and shared credentials
  • Enforcing multi-factor authentication (MFA)
  • Implementing stronger IT/OT network segmentation
  • Increasing OT-specific monitoring and logging
  • Reviewing remote access pathways
  • Reporting suspicious activity to CISA and relevant authorities

Organizations should also regularly assess:

  • SCADA environments
  • Vendor access systems
  • GIS infrastructure
  • Remote management platforms
  • Billing and customer-facing portals
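
The segmentation and remote-access items above can be checked mechanically against a firewall policy. The script below is an added example written for this article, not code from the article or from any firewall vendor: it models a zone-based rule set, evaluates it with first-match semantics, and reports every control-protocol port (the EtherNet/IP, S7, Modbus and SSH ports the article names as targeted) that an untrusted zone can reach in an OT zone. The zone names, the `Rule` model and both policies are constructed assumptions; the weak `SAMPLE_POLICY` contains a vendor access hole from the internet and a flat IT/OT boundary, while `HARDENED_POLICY` shows the corrected shape, with only a jump zone reaching controllers.

```python
"""Audit a zone-based firewall policy for direct reachability of ICS ports.

Added example, not code from the article or from any firewall vendor. The
rule model, the zone names and SAMPLE_POLICY / HARDENED_POLICY are constructed
assumptions; the port list comes from the article's "Targeted ICS Ports".
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Control-protocol ports the article lists as targeted, plus SSH.
ICS_PORTS = {
    44818: "EtherNet/IP",
    2222: "EtherNet/IP alternate",
    102: "Siemens S7",
    502: "Modbus",
    22: "SSH",
}

# Assumed zone names. Nothing in these zones should reach a PLC/HMI directly;
# remote operators and vendors go through the jump zone instead.
UNTRUSTED_SOURCES = {"internet", "corporate-it", "guest"}
OT_ZONES = {"ot-control", "ot-field"}

ANY_PORT = frozenset({-1})  # sentinel: rule applies to every destination port


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_ports: FrozenSet[int]  # explicit ports, or ANY_PORT
    action: str                # "allow" or "deny"


def first_match(rules: List[Rule], src: str, dst: str, port: int) -> Optional[Rule]:
    """First-match evaluation, as most firewalls do; None means implicit deny."""
    for r in rules:
        if r.src_zone == src and r.dst_zone == dst and (r.dst_ports == ANY_PORT or port in r.dst_ports):
            return r
    return None


def audit(rules: List[Rule]) -> List[Tuple[str, str, str, int, str]]:
    """Return (rule name, src zone, dst zone, port, protocol) for every ICS port
    that an untrusted zone can reach inside an OT zone."""
    findings = []
    for src in sorted(UNTRUSTED_SOURCES):
        for dst in sorted(OT_ZONES):
            for port, proto in ICS_PORTS.items():
                r = first_match(rules, src, dst, port)
                if r is not None and r.action == "allow":
                    findings.append((r.name, src, dst, port, proto))
    return findings


# Constructed policy showing two of the weaknesses the article describes:
# a vendor remote-access hole straight from the internet, and a flat IT/OT
# boundary that lets any corporate host talk to controllers on any port.
SAMPLE_POLICY = [
    Rule("allow-jump-to-ot", "ot-jump", "ot-control", frozenset({22, 502}), "allow"),
    Rule("allow-vendor-remote", "internet", "ot-control", frozenset({22, 44818}), "allow"),
    Rule("it-to-ot-any", "corporate-it", "ot-control", ANY_PORT, "allow"),
    Rule("deny-all", "internet", "ot-control", ANY_PORT, "deny"),
]

# Corrected policy: only the jump zone (where MFA is enforced) reaches
# controllers, and corporate IT is limited to a historian in an OT DMZ.
HARDENED_POLICY = [
    Rule("allow-jump-to-ot", "ot-jump", "ot-control", frozenset({22, 502}), "allow"),
    Rule("it-to-historian", "corporate-it", "ot-dmz", frozenset({443}), "allow"),
    Rule("deny-it-to-ot", "corporate-it", "ot-control", ANY_PORT, "deny"),
    Rule("deny-internet-to-ot", "internet", "ot-control", ANY_PORT, "deny"),
]

if __name__ == "__main__":
    for label, policy in (("sample", SAMPLE_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {len(audit(policy))} exposed ICS port(s)")
        for name, src, dst, port, proto in audit(policy):
            print(f"  {name}: {src} -> {dst} tcp/{port} ({proto})")
```

Run as-is, the sample policy reports seven exposed port/zone pairs (five from the over-broad IT rule, two from the vendor rule) and the hardened policy reports none. The audit deliberately enumerates every untrusted source and OT destination rather than only inspecting "allow" rules, because a rule with `ANY_PORT` or a permissive rule ordered before a deny is exactly the kind of exposure a quick read of the rule list misses.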

Key Indicators of Compromise (IoCs)

Infrastructure

Iran-Linked IP Addresses

  • 135.136.1[.]133
  • 185.82.73[.]162
  • 185.82.73[.]164
  • 185.82.73[.]165
  • 185.82.73[.]167
  • 185.82.73[.]168
  • 185.82.73[.]170
  • 185.82.73[.]171

Targeted ICS Ports

  • TCP/44818 (EtherNet/IP)
  • TCP/2222 (EtherNet/IP Alternate)
  • TCP/102 (Siemens S7)
  • TCP/502 (Modbus)
  • TCP/22 (SSH)

Observed Tools

  • Dropbear SSH
  • PowerShell
  • wmic
  • ntdsutil.exe
  • netsh interface portproxy
  • UserspaceSSH Tool
  • Tarprolan

File & System Artifacts

  • ntds.dit
  • C:\Windows\Temp\
  • C:\Users\Public\
  • ADMIN$

Defacement Message

"You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target."
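
The indicators above are only useful once they are matched against telemetry. The script below is an added example for this article, not code from the article or from any of the agencies cited: it refangs the defanged IP addresses listed above, checks constructed firewall connection records for those sources and for control-protocol ports reached from non-private addresses, and checks constructed process records for the command-line tools in the "Observed Tools" and "File & System Artifacts" lists. The log line formats, host names and sample lines are assumptions made up for the example; the IP addresses, ports and tool names are copied from the article's IoC list.

```python
"""Match connection and process logs against the article's IoCs.

Added example; the log formats and SAMPLE_LOGS are constructed and are not
telemetry from any real incident. Indicators come from the article.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Defanged exactly as published; refanged below for matching.
IOC_IPS_DEFANGED = [
    "135.136.1[.]133", "185.82.73[.]162", "185.82.73[.]164", "185.82.73[.]165",
    "185.82.73[.]167", "185.82.73[.]168", "185.82.73[.]170", "185.82.73[.]171",
]


def refang(ioc: str) -> ipaddress.IPv4Address:
    """Turn '185.82.73[.]162' back into a parseable address."""
    return ipaddress.ip_address(ioc.replace("[.]", "."))


IOC_IPS = {refang(i) for i in IOC_IPS_DEFANGED}

ICS_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP alternate",
             102: "Siemens S7", 502: "Modbus", 22: "SSH"}

# Command-line fragments from the article's tool and artifact lists.
SUSPICIOUS_CMD = {
    "netsh interface portproxy": re.compile(r"netsh\s+interface\s+portproxy", re.I),
    "ntdsutil (AD database export)": re.compile(r"\bntdsutil(\.exe)?\b", re.I),
    "ntds.dit access": re.compile(r"ntds\.dit", re.I),
    "Dropbear SSH": re.compile(r"dropbear", re.I),
}

# Assumed formats: firewall "<ts> src=<ip> dst=<ip> dport=<n> action=<allow|deny>"
# and endpoint "<ts> host=<name> user=<name> cmd=<command line>".
CONN_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$")
PROC_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


def check_connection(line: str) -> Optional[List[str]]:
    """Reasons to alert on a firewall record, or None (not a firewall record / clean)."""
    m = CONN_RE.match(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dport = int(m["dport"])
    reasons = []
    if src in IOC_IPS:  # alert even on denied traffic: it shows the actor probing
        reasons.append("source matches Iran-linked IoC IP")
    if dport in ICS_PORTS and m["action"] == "allow" and not src.is_private:
        reasons.append(f"{ICS_PORTS[dport]} port reached from non-private address")
    return reasons or None


def check_process(line: str) -> Optional[List[str]]:
    """Names of suspicious tools seen in an endpoint record, or None."""
    m = PROC_RE.match(line)
    if not m:
        return None
    hits = [name for name, rx in SUSPICIOUS_CMD.items() if rx.search(m["cmd"])]
    return hits or None


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, reasons) for every line that matches an indicator."""
    findings = []
    for i, line in enumerate(lines):
        reasons = check_connection(line) or check_process(line)
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed sample telemetry (not real logs). Line 0 is an IoC source reaching
# Modbus; line 1 is an unrelated public probe that was blocked; line 2 is
# internal engineering traffic; line 3 is a portproxy pivot; line 4 is benign.
SAMPLE_LOGS = [
    "2025-03-01T02:14:07Z src=185.82.73.162 dst=10.50.1.20 dport=502 action=allow",
    "2025-03-01T02:15:31Z src=203.0.113.9 dst=10.50.1.20 dport=44818 action=deny",
    "2025-03-01T02:16:02Z src=10.50.2.5 dst=10.50.1.20 dport=102 action=allow",
    "2025-03-01T02:20:45Z host=eng-ws01 user=operator cmd=netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.50.1.20 connectport=22",
    "2025-03-01T02:22:10Z host=eng-ws01 user=operator cmd=notepad.exe setpoints.txt",
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOGS):
        print(f"line {idx}: {'; '.join(reasons)}")
```

Two design points matter in practice: an IoC source is reported even when the firewall denied the connection, because a blocked probe from a listed address is still evidence the utility is being looked at, and the ICS-port rule keys on "non-private source reached a control port and was allowed", which catches exposure from addresses that are not yet on any list.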

Final Thoughts

The continued targeting of water infrastructure demonstrates how operational technology has become a key battleground in modern cyber conflict.

These attacks rarely rely on sophisticated zero-day vulnerabilities. Instead, attackers consistently exploit weak credentials, exposed control systems, and poor network segmentation.

For water utilities and critical infrastructure operators, strengthening basic cybersecurity controls remains one of the most effective ways to reduce risk and prevent future compromise.