Water utilities across the United States and Europe are under growing pressure as hackers continue to find easy ways in.
Nation-state actors and affiliated groups have been quietly exploiting internet-facing control systems and weak login credentials to access water and wastewater infrastructure — systems that millions of people depend on every day.
The threat has moved beyond isolated incidents. From 2024 to 2026, attacks on water systems shifted from opportunistic nuisance activity into a deliberate feature of state-level competition.
Countries like Iran, Russia, and China have each used access to water infrastructure as a strategic tool — not to cause mass destruction, but to send signals, test limits, and prepare for larger conflicts ahead.
Analysts at DomainTools noted in a report shared with Cyber Security News (CSN) that these intrusions are driven by a shared doctrine: targeting civilian utilities provides strategic leverage.
The report warns that water systems are now treated as pressure points, used to create fear, test emergency response thresholds, and position threat actors for future disruptions.
The attacks rely heavily on basic security failures. Threat actors have repeatedly exploited internet-facing programmable logic controllers (PLCs), weak or default passwords, shared operator accounts, poor IT/OT network segmentation, and exposed remote access tools.
These gaps require no advanced malware — just patience and an open door into an unprotected system.

U.S. federal agencies, including CISA, FBI, NSA, and EPA, have warned that many utilities remain dangerously exposed.
The water sector includes roughly 170,000 systems nationwide, many operating with limited budgets, outdated technology, and voluntary security practices that vary widely from one facility to the next.
Hackers Exploit Weak Credentials and Internet-Facing PLCs
The most direct example came from Iranian-affiliated actors. In December 2023, CISA and partner agencies confirmed that CyberAv3ngers, a group tied to Iran's IRGC, had compromised Unitronics Vision Series PLCs commonly found in U.S. water and wastewater systems.
The attackers simply logged in with the controllers' default factory credentials on devices exposed directly to the internet; no exploit or special technique was needed.
By April 2026, a joint advisory from CISA, FBI, NSA, and EPA confirmed that Iranian-linked actors were still active, exploiting internet-exposed PLCs across water, energy, and government facilities.
The advisory flagged malicious traffic targeting industrial control ports and the use of Dropbear SSH for remote access once inside.
Russia-linked groups went further. In January 2024, attackers accessed an internet-exposed human-machine interface (HMI) at a facility in Muleshoe, Texas, and caused a municipal water tank to overflow for roughly 30 to 45 minutes.

The Cyber Army of Russia Reborn claimed responsibility, and investigators linked the group to Sandworm, a Russian military-associated cyber unit.
In April 2025, attackers took control of a valve at a dam in Bremanger, Norway, opening it and releasing additional water for approximately four hours.
Poland also reported breaches at five water treatment plants in 2025. The attackers used weak passwords and found control systems directly exposed online.
Once inside, they had the ability to alter chemical dosing parameters — a deeply concerning capability with real potential to harm public health.
Nation-State Tactics and What Defenders Should Do
China’s Volt Typhoon group took a far quieter path. Rather than creating visible disruption, it burrowed into the IT environments of water and wastewater operators and other U.S. critical infrastructure sectors, aiming for long-term access and strategic pre-positioning.
According to security agencies, the goal is to have options ready if a geopolitical crisis ever escalates into open conflict.
Experts stress that criminal and unattributed incidents should also be treated seriously, since they expose the same weaknesses a state actor would exploit with far more planning.

Billing portals, vendor remote-access accounts, GIS repositories, and SCADA-adjacent servers can all give an intruder a useful foothold or intelligence about the operational network.
The DomainTools report recommends that water utilities take immediate steps to reduce exposure.
These include removing PLCs and HMIs from direct internet access, replacing default and shared passwords, enforcing multi-factor authentication, improving OT monitoring, and separating IT from operational control networks.
Reporting incidents to CISA and coordinating with federal partners for cybersecurity support is also strongly encouraged.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 135.136.1[.]133 | Iran/CyberAv3ngers-affiliated IP address (March 2026) |
| IP Address | 185.82.73[.]162 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026) |
| IP Address | 185.82.73[.]164 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026) |
| IP Address | 185.82.73[.]165 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026) |
| IP Address | 185.82.73[.]167 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026) |
| IP Address | 185.82.73[.]168 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026) |
| IP Address | 185.82.73[.]170 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026) |
| IP Address | 185.82.73[.]171 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026) |
| Network Port | TCP/44818 | EtherNet/IP protocol port — targeted in Iran-linked PLC attacks |
| Network Port | TCP/2222 | EtherNet/IP implicit (I/O) messaging port — targeted in Iran-linked PLC attacks |
| Network Port | TCP/102 | Siemens S7comm (ISO-TSAP) port — targeted in Iran-linked PLC attacks |
| Network Port | TCP/502 | Modbus protocol port — targeted in Iran-linked PLC attacks |
| Network Port | TCP/22 | SSH remote access port — used via Dropbear SSH deployment |
| Tool | Dropbear SSH | Lightweight SSH tool used for remote access by Iranian-affiliated actors |
| Tool | wmic | Native Windows tool abused by Volt Typhoon (living-off-the-land) |
| Tool | ntdsutil.exe | Native Windows tool used for credential harvesting by Volt Typhoon |
| File | ntds.dit | Active Directory credential artifact extracted by Volt Typhoon |
| Tool | netsh interface portproxy | Native Windows portproxy tool abused for lateral movement |
| File Path | C:\Windows\Temp\ | Host artifact staging path observed in Volt Typhoon activity |
| File Path | C:\Users\Public\ | Host artifact staging path observed in Volt Typhoon activity |
| Share | ADMIN$ | Windows admin share used for lateral movement output |
| Tool | PowerShell | Native scripting tool used in Volt Typhoon living-off-the-land operations |
| Malware/Tool | UserspaceSSH Tool | Unsupported SSH tool — noted in advisory for remote access |
| Software | Studio 5000 Logix Designer | Rockwell Automation software used in targeted ICS environments |
| Software | Micro850, CompactLogix | Rockwell Automation Micro800-series and CompactLogix PLC families targeted by Iranian actors |
| Tool | Tarprolan | Talos-identified tool referenced in Volt Typhoon behavioral IOCs |
| Defacement Text | “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” | Defacement message left on compromised HMIs by CyberAv3ngers |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
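The table above is only useful once it is run against your own telemetry. The script below is an added example, not code from the DomainTools report or any agency advisory: it refangs the listed addresses in memory, sweeps constructed firewall lines for the IoC IPs and for industrial-protocol or SSH ports reached from outside an assumed engineering-workstation allowlist (10.10.5.0/24), and sweeps constructed Windows process-creation command lines for the Volt Typhoon living-off-the-land patterns (ntdsutil IFM export, netsh portproxy, wmic process creation, staging under ADMIN$, C:\Windows\Temp and C:\Users\Public). The key=value firewall format, the allowlist and every sample log line are assumptions made for the example.

```python
"""Offline IoC sweep over constructed firewall and process-creation log lines.

Added example for this article; the log formats, the engineering-subnet
allowlist and the sample lines below are assumptions, not real telemetry.
"""
import ipaddress
import re

# Defanged addresses copied from the IoC table; refanged in memory only.
IOC_IPS_DEFANGED = [
    "135.136.1[.]133", "185.82.73[.]162", "185.82.73[.]164", "185.82.73[.]165",
    "185.82.73[.]167", "185.82.73[.]168", "185.82.73[.]170", "185.82.73[.]171",
]
IOC_IPS = {s.replace("[.]", ".") for s in IOC_IPS_DEFANGED}

# Industrial-protocol and remote-access ports from the table.
ICS_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP implicit messaging",
             102: "Siemens S7comm", 502: "Modbus/TCP", 22: "SSH"}

# Assumption: only the engineering-workstation subnet may reach ICS_PORTS.
ALLOWED_ICS_CLIENTS = [ipaddress.ip_network("10.10.5.0/24")]

# Assumed key=value firewall log format: src=... dst=... proto=... dport=...
FW_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)",
    re.I,
)

# Living-off-the-land patterns from the Volt Typhoon rows, matched on command lines.
LOTL_PATTERNS = [
    (re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I), "ntdsutil IFM export of ntds.dit"),
    (re.compile(r"\bnetsh\b.*\binterface\s+portproxy\s+add\b", re.I), "netsh portproxy listener (pivot)"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I), "wmic remote process creation"),
    (re.compile(r"(?:\\\\[^\\]+\\ADMIN\$|C:\\Windows\\Temp\\|C:\\Users\\Public\\)", re.I),
     "staging via ADMIN$ / Windows\\Temp / Users\\Public"),
]


def check_firewall_line(line):
    """Return findings for one firewall line: IoC address hits and ICS/SSH ports
    reached from a source outside the engineering allowlist."""
    m = FW_RE.search(line)
    if not m:
        return []
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    findings = [f"traffic with known IoC address {ip}" for ip in (src, dst) if ip in IOC_IPS]
    if dport in ICS_PORTS:
        src_addr = ipaddress.ip_address(src)
        if not any(src_addr in net for net in ALLOWED_ICS_CLIENTS):
            findings.append(f"{ICS_PORTS[dport]} (tcp/{dport}) reached from non-allowlisted {src}")
    return findings


def check_command_line(cmdline):
    """Return the LOTL pattern labels that match one process command line."""
    return [label for rx, label in LOTL_PATTERNS if rx.search(cmdline)]


def sweep(fw_lines, proc_lines):
    """Run both checks and return (source, line_no, finding) tuples."""
    hits = []
    for n, line in enumerate(fw_lines, 1):
        hits.extend(("fw", n, f) for f in check_firewall_line(line))
    for n, line in enumerate(proc_lines, 1):
        hits.extend(("proc", n, f) for f in check_command_line(line))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_FW_LINES = [
    "src=10.10.5.21 dst=10.20.0.7 proto=tcp dport=502",        # engineering host -> PLC: expected
    "src=185.82.73.162 dst=203.0.113.40 proto=tcp dport=44818",  # IoC address hitting EtherNet/IP
    "src=198.51.100.9 dst=203.0.113.41 proto=tcp dport=102",     # unknown external host -> S7
    "src=10.20.0.7 dst=185.82.73.170 proto=tcp dport=22",        # OT host calling out via SSH to IoC
    "src=10.10.5.22 dst=10.20.0.8 proto=tcp dport=443",          # benign HTTPS
]
SAMPLE_PROC_LINES = [
    r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q',
    r"netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.20.0.7 connectport=22",
    r'wmic /node:10.20.0.9 process call create "cmd.exe /c whoami"',
    r"powershell.exe -NoProfile -File C:\Users\Public\inv.ps1",
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for source, n, finding in sweep(SAMPLE_FW_LINES, SAMPLE_PROC_LINES):
        print(f"[{source}:{n}] {finding}")
```

The allowlist check matters more than the IP list: the addresses will rotate, but a PLC or HMI port reachable from anything other than a known engineering host is the exposure every advisory above describes. Feed the real firewall export and Sysmon or 4688 command lines in place of the sample lists, and treat any `proc` hit on a domain controller as an incident rather than a lead.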