The world has grown accustomed to cyberattacks that steal data or extort ransom. But a more insidious threat has been quietly escalating beneath the surface, quite literally. Over the past two years, nation-state actors from Iran, Russia, and China have systematically probed, breached, and manipulated the water and wastewater systems that sustain modern civilization.
This isn’t speculative future-gazing. It’s happening now.
From a breached dam in Norway that unleashed hundreds of liters of water per second, to Iranian hackers defacing American water utility HMIs with anti-Israel messages, to Chinese state-backed groups quietly pre-positioning inside U.S. critical infrastructure for over 300 days, the water sector has become the favored testing ground for a new era of hybrid warfare.
And the most disturbing part? Many of these attacks succeeded using nothing more sophisticated than default passwords and internet-exposed control panels.
Why Water Systems? The Strategic Logic of Targeting H2O
Water and wastewater systems are uniquely vulnerable targets. They are critical to public health, economically essential, and psychologically destabilizing when disrupted. As one joint advisory from CISA, FBI, NSA, and EPA noted, many utilities remain exposed through internet-facing human-machine interfaces (HMIs), weak credentials, legacy devices, and poor IT/OT segmentation.
This isn’t an accident. State actors have recognized that targeting civilian utilities provides strategic options that stop short of open warfare: the very definition of “gray-zone” operations.
Iran uses water system intrusions for visible signaling, retaliation narratives, and propaganda. Russia treats water and dam systems as part of sabotage-oriented hybrid warfare: low-cost disruption designed to create fear and test response thresholds. China focuses on quiet persistence, reconnaissance, and contingency access inside critical infrastructure, preparing options before wider conflict.
All three models converge on the same underlying thesis: Water systems are pressure points.
The Three Faces of Water-Sector Warfare
Iran: The HMI Defacers
Iran-linked activity has been the most direct in targeting water and wastewater systems. In December 2024, CISA reported that the IRGC-affiliated CyberAv3ngers had targeted and compromised Israeli-made Unitronics Vision Series PLCs used across multiple sectors, including U.S. water and wastewater systems. The attack exploited poor authentication and exposed PLC/HMI interfaces rather than sophisticated malware delivery.
The compromise of a booster station in Aliquippa, Pennsylvania, was particularly emblematic: attackers defaced the HMI with a message reading “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” Operators switched to manual control; no service loss was confirmed, but the psychological impact was significant.
In April 2026, CISA, FBI, NSA, EPA, and partner agencies issued a new advisory warning that Iranian-affiliated cyber actors were exploiting internet-facing PLCs across critical infrastructure, including water, wastewater, and energy facilities. The EPA separately framed this as a water-sector resilience warning, stressing that national security depends on water systems reporting incidents and hardening exposed OT assets.
Key TTPs: Iranian actors target Rockwell Automation/Allen-Bradley PLCs (CompactLogix and Micro850 devices) via TCP ports 44818, 2222, 102, 22, and 502. They use Dropbear SSH for remote access persistence and extract .ACD project files containing ladder logic and configuration.
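The TTP summary above gives defenders something concrete to hunt for: permitted inbound connections to those OT ports from addresses that are not on the utility's allowlist. The following is an added example, not code from the original post or from Saintynet; the key=value firewall log format, the 10.20.0.0/16 OT range, the vendor address 203.0.113.10, and the sample log lines are all constructed for illustration.

```python
import ipaddress
import re

# Added example, not code from the original post. The ports are those the post
# lists for the Iranian PLC-targeting TTPs; log format and allowlist are constructed.
OT_PORTS = {44818: "EtherNet/IP explicit messaging", 2222: "EtherNet/IP implicit I/O",
            102: "ISO-TSAP / Siemens S7", 22: "SSH (Dropbear is common on embedded devices)",
            502: "Modbus/TCP"}

# Hypothetical allowlist: the utility's own OT range plus one vendor VPN address.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16"),
                   ipaddress.ip_network("203.0.113.10/32")]

# Constructed firewall log lines (key=value style) for illustration only.
SAMPLE_LOG = """\
ts=2026-04-02T03:11:07Z action=allow src=198.51.100.23 dst=10.20.5.7 dport=44818
ts=2026-04-02T03:11:09Z action=allow src=198.51.100.23 dst=10.20.5.7 dport=22
ts=2026-04-02T03:12:41Z action=allow src=10.20.1.15 dst=10.20.5.7 dport=502
ts=2026-04-02T03:13:02Z action=allow src=203.0.113.10 dst=10.20.5.9 dport=44818
ts=2026-04-02T03:14:55Z action=allow src=198.51.100.77 dst=10.20.5.9 dport=102
ts=2026-04-02T03:15:30Z action=deny src=198.51.100.77 dst=10.20.5.9 dport=502
"""

LINE_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

def is_allowed(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_exposed_ot_access(log_text):
    """Return (src, dst, port, protocol) for every permitted connection to an OT
    port from a source outside the allowlist; denied connections are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(1) != "allow":
            continue
        src, dst, port = m.group(2), m.group(3), int(m.group(4))
        if port in OT_PORTS and not is_allowed(src):
            hits.append((src, dst, port, OT_PORTS[port]))
    return hits

def ports_per_source(hits):
    """Distinct OT ports touched per outside source: several ports from one
    address in a short window reads as probing rather than a stray packet."""
    seen = {}
    for src, _dst, port, _proto in hits:
        seen.setdefault(src, set()).add(port)
    return {src: len(ports) for src, ports in seen.items()}
```

On the sample log this flags three permitted connections from two outside addresses and ignores the internal operator and the allowlisted vendor; in practice any hit at all means an OT port is reachable from outside and should be closed, not just alerted on.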
Assessment: While Iran has demonstrated the ability to access exposed control devices, deface HMIs, and create public fear, evidence still points more toward opportunistic OT access than reliable cyber-physical sabotage at scale.
Russia: Sabotage and Hybrid Pressure
Russia-aligned actors have shown a willingness to use their access to manipulate water-control systems directly and with demonstrable physical consequences.
In January 2024, attackers accessed a remote industrial interface in Muleshoe, Texas, causing a municipal water tank to overflow for roughly 30–45 minutes. The Cyber Army of Russia Reborn (CARR) claimed responsibility, and Mandiant linked the group to Sandworm, Russia’s GRU-associated destructive cyber unit. The U.S. Treasury later sanctioned individuals connected to this campaign, holding them responsible for a series of “unsophisticated” attacks on critical infrastructure in the U.S. and EU.
A little over a year later, in April 2025, attackers seized control of a dam in Bremanger, Norway. They opened a floodgate, releasing roughly 500 liters of water per second for four hours before the incident was stopped. Norway’s counterintelligence chief publicly blamed Russia-linked actors for the intrusion.
In a separate incident, Poland’s intelligence service reported that hackers breached five Polish water treatment plants in 2025, exploiting weak/default passwords and internet-exposed control systems. Once inside, they had the ability to alter chemical-dosing parameters, a near-miss with potentially catastrophic consequences. Though attribution remained unconfirmed, the report alluded to prior Russian and Belarusian hybrid operations against Polish infrastructure.
Key TTPs: Russian-aligned actors target small municipal utilities with weak security postures. They use Telegram for propaganda amplification, posting video proof-of-access. The pattern fits Moscow’s broader hybrid campaign: low-cost disruptive access, public fear generation, and probing of Western infrastructure resilience.
Assessment: Russian-linked activity is more sabotage-oriented than Iranian activity. Threat levels are high in Europe and NATO-adjacent states, and moderate-to-high in exposed U.S. municipal water systems.
China: The Quiet Pre-Positioners
China’s approach is strategically different from Iran and Russia. Rather than demonstrate immediate effects, Chinese state-backed actors focus on durable access, reconnaissance, and strategic pre-positioning.
In February 2024, CISA, NSA, FBI, and allied agencies confirmed that Volt Typhoon had compromised IT environments across multiple U.S. critical infrastructure sectors, including water and wastewater, communications, energy, and transportation. The advisory assessed that the activity was intended to enable disruptive or destructive effects during a future crisis or kinetic conflict.
The same year, the EPA distributed an alert to more than 60,000 water and wastewater systems regarding Volt Typhoon and coordinated cybersecurity assistance for water infrastructure supporting U.S. defense-critical facilities.
Dragos and Mandiant reporting identified 300+ days of persistence in a Massachusetts utility with OT reconnaissance activity. This is not about short-term disruption; it’s about having options when geopolitical tensions escalate.
Assessment: PRC water-sector targeting represents a severe strategic threat, though the risk of short-term disruption remains lower than with Iranian or Russian activity.
The Systematic Vulnerabilities That Enable It All
What makes these campaigns possible is not sophisticated zero-day exploits. It’s the same laundry list of basic security failures repeated across thousands of utilities:
- Internet-facing HMIs and PLCs: control systems exposed directly to the public internet
- Weak or default credentials: nearly 70% of water utilities inspected in 2024 violated basic standards like changing default passwords
- Exposed remote-access tools: SSH, RDP, and vendor access points left open
- Shared operator accounts: no individual accountability
- Unsupported legacy systems: aging infrastructure running outdated, unpatched software
- Limited monitoring: no visibility into OT network activity
- Poor IT/OT segmentation: flat networks allowing attackers to move from billing systems to pump controls
The U.S. water sector includes roughly 150,000 to 170,000 water and wastewater systems, many operating with limited resources, voluntary security adoption, and uneven cyber maturity. This structure makes the sector easy to probe, difficult to standardize, and attractive to state actors seeking leverage, visibility, and disruption opportunities.
Criminal Ransomware: The Preview of State Threats
While nation-state activity dominates headlines, criminal ransomware incidents deserve attention not just for their financial impact, but because they demonstrate the same weaknesses a state actor could exploit with more patience, planning, and operational intent.
In October 2024, American Water disclosed a cyber incident that affected customer-facing and billing systems but not water or wastewater operations. Veolia North America reported a January 2024 ransomware incident that disrupted back-end systems, while treatment operations remained unaffected.
Other cases moved closer to operational risk. Arkansas City, Kansas, shifted its water treatment facility to manual operations after a September 2024 cyber incident. Minot, North Dakota, did the same in March 2026 after ransomware affected a server tied to the water treatment environment. In both cases, water remained safe, but operators had to rely on fallback procedures.
These incidents matter because they show that state actors don’t need custom ICS malware to create risk. Billing systems, customer portals, GIS repositories, vendor access, remote administration, identity systems, backups, and SCADA-adjacent servers can all provide useful access or intelligence.
The MEA Connection: Why This Matters Beyond the West
While much of the documented activity has focused on the U.S. and Europe, the implications for the Middle East and Africa are equally pressing.
Water scarcity has long been a regional flashpoint in the Middle East. From the Nile to the Tigris-Euphrates to the Jordan River basin, water is a source of both life and conflict. The weaponization of water systems through cyber means introduces a new and destabilizing dimension to these tensions.
Iran’s history of targeting Israeli water and wastewater control systems – including a 2020 attack that attempted to manipulate SCADA systems during a heat wave – demonstrates the region’s vulnerability. If such attacks were to succeed, the physical and psychological impact could be catastrophic, particularly in water-stressed nations already grappling with drought and infrastructure challenges.
In Africa, rapid digitization of water and energy infrastructure has outpaced cybersecurity investment. The same vulnerabilities (exposed HMIs, weak credentials, lack of monitoring) are widespread across the continent. As state and state-aligned actors expand their operations beyond traditional Western targets, African utilities risk becoming soft targets in a global cyber conflict they never signed up for.
Saintynet Cybersecurity has been monitoring these emerging threats and offers specialized training and security services for critical infrastructure operators across the MEA region. Proactive threat hunting, OT security assessments, and incident response planning can help utilities avoid becoming the next headline.
Strategic Assessment: The Future of Water-System Targeting
The last two years show clear segmentation among state-sponsored actors:
- Iran: Maximizes ideological and psychological impact through visible signaling and propaganda
- Russia: Treats water and dam systems as part of sabotage-oriented hybrid warfare
- China: Targets water infrastructure for strategic pre-positioning and long-term persistence
The near-term risk is not a Stuxnet-class attack. It is a low-complexity compromise of exposed OT that causes local disruption, unsafe operations, or panic. The larger strategic risk is quiet PRC-style persistence inside water-sector IT and OT-adjacent networks that could be used during a geopolitical crisis, such as kinetic conflict between the U.S. and China over Taiwan.
The most likely future is not a catastrophic “cyber Pearl Harbor.” It is persistent low-level access, intermittent disruption, coercive signaling, information operations, and pre-positioning for broader confrontations.
10 Actions Security Teams Must Take Now
Based on the patterns observed across Iranian, Russian, and Chinese operations, organizations operating water and wastewater systems should prioritize:
- Remove internet-facing HMIs and PLCs immediately. If remote access is necessary, require VPN with MFA and IP allowlisting.
- Change all default credentials and enforce strong password policies. The 70% violation rate on basic password hygiene is unacceptable.
- Implement multi-factor authentication (MFA) for all remote access paths, including vendor connections.
- Segment IT and OT networks. Prevent attackers from moving from compromised billing systems to operational controls.
- Deploy OT-specific monitoring and visibility tools. You cannot defend what you cannot see.
- Conduct regular cybersecurity gap and vulnerability assessments. Prioritize findings based on risk.
- Develop and regularly test incident response, business continuity, and disaster recovery plans with all relevant stakeholders.
- Review and enforce access management policies. Ensure employees have access only to systems and databases necessary for their roles.
- Assess third-party and vendor cybersecurity practices; supply chain risk is a primary vector for water-system compromise.
- Report incidents to relevant authorities; CISA, EPA, and national agencies rely on incident data to identify and respond to emerging threats.
Conclusion: A Call to Action for the Global Community
State and state-aligned actors treat water and wastewater infrastructure as strategic pressure points. The value is primarily psychological and political rather than kinetic. Even limited access or brief disruptions can trigger disproportionate reactions because water is tied directly to public health, trust, and government competence.
But the window for action is closing. With 2024 seeing a 146% increase in sites suffering physical impairment of operations due to cyber attacks – and nation-state attacks with physical consequences tripling compared to the previous year – the water sector is in the crosshairs.
The solution is not more cybersecurity spending in the abstract. It is targeted, practical investment in the fundamentals: removing internet-exposed HMIs, enforcing MFA, segmenting networks, and building a culture of security across the entire utility workforce.
Saintynet Cybersecurity provides end-to-end cybersecurity solutions for critical infrastructure operators, from OT security assessments to incident response and workforce training. In an era where water systems have become weapons of war, proactive defense is not optional; it’s survival.