Water System Cyberattacks: How Nation-State Hackers Turned Utilities Into Targets
With the arrival of digitalization, waterworks and treatment plants have become prime targets for APT hackers. Yet they are not random victims. Rather, attackers deliberately choose them as pressure points within a broader strategy, one that analysts at DomainTools laid out in a detailed threat-intelligence report.
Between 2024 and 2026, several state-linked groups systematically probed water facilities across the United States and Europe. Each pursued its own objective. However, all shared a single calculation: control over water creates leverage without any formal declaration of war.
Iran’s CyberAv3ngers: Hacking in Plain Sight
Iranian hackers tied to the Islamic Revolutionary Guard Corps acted most openly of all. In 2023, the CyberAv3ngers group seized control of industrial controllers. These devices govern pumps, valves, and the dosing of chemical reagents.
To break in, the attackers simply used default factory passwords on Israeli-made Unitronics units installed in American water utilities. Once inside, they left political messages across the control screens. Then, in April 2026, CISA, the FBI, the NSA, and the EPA jointly warned that attacks on water facilities were still ongoing.
China’s Volt Typhoon: Lying in Wait
China, by contrast, chose a quieter tactic. In February 2024, US intelligence confirmed that the Volt Typhoon group had infiltrated American water utilities, along with energy and transport operators.
Notably, the hackers inflicted no visible damage. Instead, their aim was to establish a foothold inside these systems ahead of any future conflict. That scenario explicitly includes a potential clash over Taiwan.
The Same Weak Spots, Again and Again
Across every documented case, the attackers exploited the same handful of weaknesses. Industrial controllers and control panels sat exposed to the open internet. Passwords were default or trivially simple. Worse still, office and production networks shared one flat space, with no separation between them.
Fortunately, the remedies are well understood. Agencies urge operators to isolate control systems from the public internet. Beyond that, they recommend replacing factory passwords, segmenting networks, and monitoring production nodes for anomalous activity. Taken together, these steps close the very doors that nation-state crews have walked through for years.
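A defender-side audit of the three weaknesses described above, written as an added example for this article (it is not code from the DomainTools report or the article's author). It runs over a constructed asset inventory and constructed connection records; the zone labels, the 10.0.0.0/8 internal range and the asset names are assumptions, and TCP 20256 is the default Unitronics PCOM port rather than a value taken from this page.

```python
import ipaddress

# Assumed internal address space for this operator: anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed asset inventory (hypothetical names and addresses).
# "zone" is the operator's own label; "default_password" records whether the
# factory credential is still in place on the device.
ASSETS = {
    "10.20.0.5":  {"name": "PLC-dosing-1", "zone": "ot", "ports": {20256}, "default_password": True},
    "10.20.0.6":  {"name": "HMI-panel-1",  "zone": "ot", "ports": {80, 20256}, "default_password": False},
    "10.10.0.50": {"name": "office-ws-17", "zone": "it", "ports": set(),  "default_password": False},
}

# Constructed connection records as (src, dst, dst_port):
#  1. an external address reaching the PLC's control port (internet exposure),
#  2. an office workstation reaching the PLC (no IT/OT segmentation),
#  3. ordinary traffic from another OT host to the HMI (no finding expected).
CONNECTIONS = [
    ("203.0.113.77", "10.20.0.5", 20256),
    ("10.10.0.50",   "10.20.0.5", 20256),
    ("10.20.0.9",    "10.20.0.6", 80),
]

def is_external(ip):
    """True when the address lies outside every configured internal prefix."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def audit(assets, connections):
    """Return (weakness, asset_name, evidence) tuples for each of the three weaknesses."""
    findings = []
    for src, dst, port in connections:
        target = assets.get(dst)
        # Weakness 1: a control device accepting traffic on a control port from outside.
        if target and target["zone"] == "ot" and port in target["ports"] and is_external(src):
            findings.append(("internet_exposed", target["name"], src))
        # Weakness 3: an IT-zone host talking directly to an OT-zone device.
        source = assets.get(src)
        if source and target and source["zone"] == "it" and target["zone"] == "ot":
            findings.append(("flat_network", target["name"], src))
    # Weakness 2: factory credentials still set on a device.
    for ip, asset in assets.items():
        if asset["default_password"]:
            findings.append(("default_password", asset["name"], ip))
    return findings

if __name__ == "__main__":
    for weakness, name, evidence in audit(ASSETS, CONNECTIONS):
        print(f"{weakness:17} {name:14} {evidence}")
```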