Threat Intelligence Report: Nation-State Targeting of Water Systems 2024–2026

Published on: June 25, 2026

Executive Summary

Water and wastewater systems have become favored gray-zone targets because they are highly vulnerable and hold disproportionate strategic value. The combination of chronic underinvestment and weak baseline operational technology (OT) security makes many of these critical systems easy to compromise. Such intrusions can have both physical and psychological impact, and disruptions often affect civilian life, public health, and trust in government.

Recent nation-state cyber activity targeting water systems includes Iranian IRGC-linked targeting of exposed programmable logic controllers (PLCs), Russian and pro-Russian access to municipal water-control environments, and PRC-linked pre-positioning in U.S. critical infrastructure, including water and wastewater systems. U.S. federal agencies, including CISA, FBI, NSA, and EPA, have warned that many utilities remain exposed through internet-facing human-machine interfaces (HMIs) and PLCs, weak credentials, shared accounts, legacy devices, limited monitoring, and poor IT/OT segmentation.

Operations targeting water systems fit a modern hybrid warfare doctrine that has become increasingly dominant in recent years. Russia, China, and Iran all use cyber access primarily as a shaping tool, not a destructive weapon. Water-system access specifically can create fear, test response thresholds, consume emergency resources, and provide leverage during crises. Each nation puts its own twist on these operations. Russia tends to pair infrastructure access with pressure and destabilization. Iran often blends symbolic retaliation, psychological signaling, and opportunistic disruption. In contrast, China places more emphasis on long-term pre-positioning and strategic persistence.

All three models converge on the same underlying thesis: targeting civilian utilities provides strategic options.

Water Systems as Pre-War Terrain

From 2024 to 2026, water-sector targeting moved from opportunistic nuisance activity to a feature of state competition. Water systems are now pressure points used to create fear, test resilience, and prepare options before wider conflict. Specifically, threat actors have exploited internet-exposed PLCs and weak credentials to deface HMIs and make public spectacles out of their compromises.

Iran uses successful compromise of water systems for visible signaling, retaliation narratives, and propaganda, while Russia uses it for disruption, intimidation, and hybrid pressure against NATO-aligned states. Meanwhile, China focuses on quiet persistence, reconnaissance, and contingency access inside U.S. critical infrastructure. However, all of these operations are meant to serve the same purpose: setting the stage for war without crossing the threshold into open conflict.

Iran: CyberAv3ngers / IRGC-Linked PLC Targeting

Iran-linked activity has been the most direct in targeting water and wastewater systems. In April 2020, Iranian state-sponsored hackers launched a cyberattack targeting Israeli water and wastewater control systems. While this attack attempted to manipulate the SCADA systems, automated systems kicked in and thwarted the attempt. Had it succeeded, during a heat wave, it could have harmed many people.

In December 2024, CISA reported that the IRGC-affiliated CyberAv3ngers targeted and compromised Israeli-made Unitronics Vision Series PLCs used across multiple sectors, including U.S. water and wastewater systems. The activity exploited poor authentication and exposed PLC/HMI interfaces rather than sophisticated malware delivery. Clearly this shows that the Iranian government is accustomed to the idea of attacking public infrastructure, something usually outside the bounds of conventional warfare.

In April 2026, CISA, FBI, NSA, EPA, and partner agencies issued a new advisory warning that Iranian-affiliated cyber actors were exploiting internet-facing PLCs across critical infrastructure, including water, wastewater, energy, and government facilities. The EPA separately framed the advisory as a water-sector resilience warning, stressing that national security depends on water systems reporting incidents and hardening exposed OT assets.

Assessment: While Iran has demonstrated the ability to access exposed control devices, deface HMIs, and create public fear, the public evidence of their activity still points more toward opportunistic OT access than reliable cyber-physical sabotage at scale.

Primary TTPs

Threat level: High for exposed small and mid-sized utilities; moderate for mature utilities with segmented OT.

Russia: Pro-Russian Hacktivist and Sandworm-Adjacent Water Disruption

Russia-aligned actors have shown a willingness to use their access to manipulate water-control systems directly. In Muleshoe, Texas in January 2024, attackers accessed a remote industrial interface and caused a municipal water tank to overflow for roughly 30–45 minutes. The Cyber Army of Russia Reborn claimed responsibility, and Mandiant linked the group to Sandworm, Russia’s GRU-associated destructive cyber unit.

A little over a year later, in April 2025, attackers seized control of a dam in Bremanger, Norway. They opened a floodgate, releasing roughly 500 liters of water per second for four hours before the incident was stopped. Norway’s counterintelligence chief publicly blamed Russia-linked actors for the intrusion.

Assessment: Russian-linked activity is more sabotage-oriented than Iranian activity. The pattern fits Moscow’s broader hybrid campaign: low-cost disruptive access, public fear generation, and probing of Western infrastructure resilience. 

Primary TTPs

Threat level: High in Europe and NATO-adjacent states; moderate-to-high in exposed U.S. municipal water systems.

China: Volt Typhoon Pre-Positioning in Water and Wastewater Networks

In February 2024, CISA, NSA, FBI, and allied agencies confirmed that Volt Typhoon had compromised IT environments across multiple U.S. critical infrastructure sectors, including water and wastewater, communications, energy, and transportation. The advisory assessed that the activity was intended to enable disruptive or destructive effects during a future crisis or kinetic conflict.

The same year, the EPA distributed an alert to more than 60,000 water and wastewater systems regarding Volt Typhoon and coordinated cybersecurity assistance for water infrastructure supporting U.S. defense-critical facilities.

Assessment: PRC water-sector targeting is strategically different from Iran and Russia. Rather than demonstrate immediate effects, Volt Typhoon’s objective is durable access, reconnaissance, and strategic pre-positioning.

Primary TTPs

Threat level: Severe strategic threat; lower risk of short-term disruption.

Poland and European Water-System Exposure

A May 2026 report released by the Polish Intelligence Service stated that hackers breached five Polish water treatment plants in 2025. The threat actors leveraged weak/default passwords and internet-exposed control systems. Once inside the ICS controlling pumps and filters, they had the ability to alter chemical-dosing parameters. The attacks were never attributed to a specific nation-state or threat actor; however, the same intelligence report alluded to prior Russian and Belarusian hybrid operations against Polish infrastructure.

Assessment: Poland is a high-priority target because of its role as a NATO logistics hub for Ukraine. Even unattributed water-system intrusions in Poland should be assessed against Russian hybrid-warfare objectives: intimidation, disruption, reconnaissance, and resilience testing.

Threat level: High for this region downrange from Russia.

Major Non-Attributed Water-Sector Incidents Relevant to State Threat Modeling

American Water disclosed a cyber incident in October 2024 that affected customer-facing and billing systems, but not water or wastewater operations. Veolia North America reported a January 2024 ransomware incident that disrupted back-end systems and online bill payment, while treatment operations remained unaffected. Southern Water in the United Kingdom was also claimed as a victim by the Black Basta ransomware group, with customer and employee data at risk but no reported operational impact.

Other cases moved closer to operational risk. Arkansas City, Kansas shifted its water treatment facility to manual operations after a September 2024 cyber incident. Minot, North Dakota did the same in March 2026 after ransomware affected a server tied to the water treatment environment. In both cases, water remained safe, but operators had to rely on fallback procedures.

These incidents matter because they show that state actors do not need custom ICS malware to create risk. Billing systems, customer portals, GIS repositories, vendor access, remote administration, identity systems, backups, and SCADA-adjacent servers can all provide useful access or intelligence. Criminal and unattributed incidents should therefore be treated as live demonstrations of the same weaknesses a state actor could exploit with more patience, planning, and operational intent.

Common Vulnerabilities Exploited Across Cases

Water-sector targeting repeatedly converges on the same weaknesses:

  • Internet-facing HMIs and PLCs
  • Weak or default credentials
  • Exposed remote-access tools
  • Shared operator accounts
  • Unsupported legacy systems
  • Limited monitoring
  • Poor segmentation between IT and OT networks

These gaps give actors simple access paths into systems that control pumps, valves, filters, chemical dosing, and alarms.

Reporting from the EPA and Government Accountability Office (GAO) shows that this is a systemic risk, not a one-off failure. The U.S. water sector includes roughly 170,000 water and wastewater systems, many of which operate with limited resources, voluntary security adoption, and uneven cyber maturity. This structure makes the sector easy to probe, difficult to standardize, and attractive to state and state-aligned actors seeking leverage, visibility, and disruption opportunities.

Strategic Assessment

The last two years show clear segmentation among state-sponsored and state-aligned actors. Iran uses water system intrusions to maximize ideological and psychological impact. Russia treats water and dam systems as part of sabotage-oriented hybrid warfare. China targets water infrastructure for strategic pre-positioning.

The near-term risk is not a Stuxnet-class attack. It is a low-complexity compromise of exposed OT that causes local disruption, unsafe operations, or panic. The larger strategic risk is quiet PRC-style persistence inside water-sector IT and OT-adjacent networks that could be used during a geopolitical crisis, such as kinetic conflict between the U.S. and China over Taiwan.

Conclusion

State and state-aligned actors treat water and wastewater infrastructure as strategic pressure points. The value is primarily psychological and political rather than kinetic. Even limited access or brief disruptions can trigger disproportionate reactions because water is tied directly to public health, trust, and government competence.

The most likely future is not a catastrophic “cyber Pearl Harbor.” It is persistent low-level access, intermittent disruption, coercive signaling, information operations, and pre-positioning for broader confrontations. 

Appendix A: Indicators of Compromise and Detection Artifacts

Iran: CyberAv3ngers / Iranian-Affiliated PLC Targeting

Indicator | Type | Year | Relevance
135.136.1[.]133 | IP address | March 2026 | Used by Iranian-affiliated APT actors to communicate with Rockwell Automation / Allen-Bradley PLCs
185.82.73[.]162 | IP address | Jan 2025–Mar 2026 | Same
185.82.73[.]164 | IP address | Jan 2025–Mar 2026 | Same
185.82.73[.]165 | IP address | Jan 2025–Mar 2026 | Same
185.82.73[.]167 | IP address | Jan 2025–Mar 2026 | Same
185.82.73[.]168 | IP address | Jan 2025–Mar 2026 | Same
185.82.73[.]170 | IP address | Jan 2025–Mar 2026 | Same
185.82.73[.]171 | IP address | Jan 2025–Mar 2026 | Same

CISA, FBI, NSA, EPA, DOE, and U.S. Cyber Command reported that Iranian-affiliated actors used overseas infrastructure to access internet-facing Rockwell Automation / Allen-Bradley PLCs, including CompactLogix and Micro850 devices, and that activity resulted in project-file extraction, HMI / SCADA data manipulation, operational disruption, and financial loss. (Internet Crime Complaint Center)

Iran: Ports, Devices, and Tools

Indicator / Artifact | Type | Relevance
TCP/44818 | OT protocol port | EtherNet/IP / Rockwell Automation communications
TCP/2222 | OT protocol port | EtherNet/IP implicit messaging
TCP/102 | OT protocol port | Siemens S7 communications
TCP/502 | OT protocol port | Modbus/TCP
TCP/22 | Remote access port | SSH access; Dropbear SSH observed on victim endpoints
Dropbear SSH | Tool | Used for remote access persistence through port 22
Studio 5000 Logix Designer | Legitimate engineering software | Used to connect to and interact with exposed Rockwell PLCs
.ACD project files | Rockwell project artifact | Targeted / extracted project files containing ladder logic and configuration

The April 2026 joint advisory specifically called out malicious traffic to ports 44818, 2222, 102, 22, and 502, and noted Dropbear SSH deployment for remote access. (Internet Crime Complaint Center)
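The port and IP indicators above translate directly into a flow-log triage check. The following Python is an added example, not code from the advisory or from this report's authors; it assumes a constructed whitespace-separated flow format (timestamp, source, destination, destination port, protocol) and treats any source outside the utility's own RFC 1918 space that reaches an OT port as reportable, whether or not it is on the indicator list.

```python
"""Triage flow records against the OT-port and IP indicators from the
April 2026 Iran advisory as summarised on this page (added example)."""
import ipaddress
from dataclasses import dataclass

# Ports named in the advisory and what normally rides on them.
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging (Rockwell)",
    2222: "EtherNet/IP implicit messaging",
    102: "Siemens S7",
    502: "Modbus/TCP",
    22: "SSH (Dropbear observed on victim endpoints)",
}

# IP indicators from Appendix A, re-fanged from the page's bracketed form.
IOC_IPS = {
    "135.136.1.133", "185.82.73.162", "185.82.73.164", "185.82.73.165",
    "185.82.73.167", "185.82.73.168", "185.82.73.170", "185.82.73.171",
}

# Address space a utility's OT network is allowed to talk to (assumption:
# RFC 1918 plus loopback/link-local; adjust to the site's real allocation).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Alert:
    line_no: int
    severity: str
    reason: str


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Constructed format: '<ts> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto


def triage_flows(lines):
    """Alert on IOC hits, then on OT ports reached from outside internal space.

    A segmented OT network never sees a routable source on 44818/2222/102/502,
    so that condition alone is worth a ticket even with no indicator match.
    """
    alerts = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, dport, _proto = parse_flow(line)
        hit = next((ip for ip in (src, dst) if str(ip) in IOC_IPS), None)
        if hit is not None:
            alerts.append(Alert(n, "critical", f"known Iranian-affiliated IOC {hit} ({src} -> {dst}:{dport})"))
        elif dport in OT_PORTS and not is_internal(src):
            alerts.append(Alert(n, "high", f"external source {src} -> {dst}:{dport} {OT_PORTS[dport]}"))
    return alerts


# Constructed sample flows; 203.0.113.40 stands in for a utility's exposed PLC/HMI address.
SAMPLE_FLOWS = """\
2026-03-02T08:14:05Z 10.20.5.7 10.20.5.20 44818 tcp
2026-03-02T08:15:11Z 185.82.73.165 203.0.113.40 44818 tcp
2026-03-02T08:16:40Z 198.51.100.9 203.0.113.40 502 tcp
2026-03-02T08:17:02Z 198.51.100.9 203.0.113.40 443 tcp
2026-03-02T08:18:30Z 10.20.5.7 10.20.5.21 22 tcp
""".splitlines()

if __name__ == "__main__":
    for a in triage_flows(SAMPLE_FLOWS):
        print(f"line {a.line_no}: [{a.severity}] {a.reason}")
```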

Iran: 2023 Unitronics / CyberAv3ngers Artifacts

Indicator / Artifact | Type | Relevance
Unitronics Vision Series PLCs | Targeted product family | Israeli-made PLC/HMI platform used in water, wastewater, energy, food, beverage, manufacturing, and healthcare
Default credentials | Access condition | Core compromise vector
"You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target." | Defacement text | HMI/PLC defacement message reported in 2023 activity

The earlier joint advisory reported IRGC-affiliated CyberAv3ngers targeting Unitronics Vision Series PLCs, commonly used in U.S. water and wastewater systems, and compromising devices using default credentials.

Russia: Cyber Army of Russia Reborn / Sandworm-Adjacent Activity

Indicator / Artifact | Type | Relevance
Cyber Army of Russia Reborn / CARR | Actor persona | Claimed water-system manipulation activity in Texas and Europe
Telegram claim videos | Influence artifact | Public proof-of-access / propaganda amplification
HMI screen recordings | Operational artifact | Demonstrated interaction with water-control interfaces
Water-level / stop-level manipulation | Process-control behavior | Associated with Muleshoe / Abernathy water tank incidents
SCADA / HMI access to small municipal utilities | Targeting pattern | Low-resource water utilities used as disruption targets

Mandiant linked CARR to Sandworm-associated infrastructure and personas, while Treasury reported that CARR claimed responsibility for overflowing water storage tanks in Abernathy and Muleshoe, Texas, and posted video of HMI manipulation. (CyberScoop)

Norway and Poland Exposure Artifacts

Indicator / Artifact | Type | Relevance
Bremanger / Risevatnet dam floodgate manipulation | Process-control behavior | Floodgate opened, releasing roughly 500 liters per second for four hours
Weak/default passwords | Access condition | Reported as common vector in European water incidents
Internet-exposed control systems | Exposure condition | Reported vector in Polish water treatment plant breaches
Pump, filter, and chemical-dosing control access | Process-control exposure | Relevant to Polish water treatment plant incident reporting

Reuters reported that Norway’s counterintelligence chief blamed Russian hackers for the April 2025 Bremanger dam incident. TNW and SecurityWeek reported that Polish water treatment plant breaches involved weak passwords and internet-exposed control systems; attribution remains unconfirmed for those Polish incidents. (Reuters)

China: Volt Typhoon Behavioral IOCs

Indicator / Artifact | Type | Relevance
wmic / WMIC | Native Windows tool | Process creation, discovery, credential-access workflows
ntdsutil.exe | Native Windows tool | Active Directory database extraction
ntds.dit | Credential artifact | Domain credential database targeted for exfiltration
SYSTEM registry hive | Credential artifact | Used with ntds.dit for password hash extraction
SECURITY registry hive | Credential artifact | Credential and policy data
netsh interface portproxy | Native Windows tool | Port forwarding / proxying for persistence and C2
PowerShell | Native Windows tool | Execution, discovery, and administration abuse
Compromised SOHO routers | Infrastructure | Proxying and operational obfuscation
C:\Windows\Temp\ | Host artifact path | Staging location observed in advisory examples
C:\Users\Public\ | Host artifact path | Staging location observed in advisory examples
ADMIN$ share output redirection | Windows admin artifact | Used in command execution / remote activity

NSA and partner agencies reported Volt Typhoon’s living-off-the-land model using built-in tools including wmic, ntdsutil, netsh, and PowerShell; the same advisory included examples of ntds.dit extraction, registry hive collection, and portproxy abuse.
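Because these artifacts are ordinary administration tools, they only stand out in process-creation telemetry when the tool, its arguments and the paths involved are scored together. The following Python is an added example, not the advisory's or this report's own code; it assumes a constructed JSON-lines event shape (host, user, image, command_line) and tags each match with the ATT&CK ID used for it in Appendix B (the ADMIN$ mapping to T1021 is this example's own reading of that table).

```python
"""Score process-creation events for the Volt Typhoon living-off-the-land
artifacts listed on this page (added example; event shape is constructed)."""
import json
import re

# (rule, ATT&CK ID as used in Appendix B, pattern over lower-cased "image command_line", severity)
RULES = [
    ("ntdsutil launched", "T1003.003", re.compile(r"\bntdsutil(\.exe)?\b"), "critical"),
    ("ntds.dit referenced", "T1003.003", re.compile(r"\bntds\.dit\b"), "critical"),
    ("SYSTEM/SECURITY hive collection", "T1003.003", re.compile(r"hklm\\(system|security)\b"), "high"),
    ("netsh portproxy configured", "T1090", re.compile(r"\bnetsh\b.*\binterface\s+portproxy\b"), "high"),
    ("wmic remote process creation", "T1047", re.compile(r"\bwmic(\.exe)?\b.*\bprocess\b.*\bcall\s+create\b"), "high"),
    ("archive staged in Temp/Public", "T1560", re.compile(r"c:\\(windows\\temp|users\\public)\\[^\s\"]+\.7z\b"), "medium"),
    ("output redirected to ADMIN$ share", "T1021", re.compile(r">\s*\\\\[^\\\s]+\\admin\$\\"), "medium"),
]


def analyze_events(jsonl_lines):
    """Return one finding per (event, rule) match; benign admin use matches nothing."""
    findings = []
    for raw in jsonl_lines:
        ev = json.loads(raw)
        text = f"{ev.get('image', '')} {ev.get('command_line', '')}".lower()
        for rule, tid, rx, sev in RULES:
            if rx.search(text):
                findings.append({"host": ev["host"], "user": ev.get("user"),
                                 "technique": tid, "rule": rule, "severity": sev})
    return findings


def hosts_with_credential_access(findings):
    """Hosts where NTDS/hive collection (T1003.003) was seen: isolate these first."""
    return sorted({f["host"] for f in findings if f["technique"] == "T1003.003"})


def _ev(host, user, image, command_line):
    return json.dumps({"host": host, "user": user, "image": image, "command_line": command_line})


# Constructed sample events mixing advisory-style artifacts with routine admin activity.
SAMPLE_EVENTS = [
    _ev("DC01", "CORP\\svc-backup", "C:\\Windows\\System32\\ntdsutil.exe", "ntdsutil.exe"),
    _ev("DC01", "CORP\\svc-backup", "C:\\Windows\\System32\\reg.exe", "reg save hklm\\system C:\\Windows\\Temp\\sys.hiv"),
    _ev("DC01", "CORP\\svc-backup", "C:\\Windows\\System32\\cmd.exe",
        "cmd.exe /c copy \"C:\\Windows\\Temp\\ad\\Active Directory\\ntds.dit\" C:\\Users\\Public\\"),
    _ev("WS07", "CORP\\jdoe", "C:\\Windows\\System32\\netsh.exe",
        "netsh interface portproxy add v4tov4 listenport=9999 connectport=3389 connectaddress=10.20.1.15"),
    _ev("WS07", "CORP\\jdoe", "C:\\Windows\\System32\\netsh.exe", "netsh advfirewall show allprofiles"),
    _ev("WS07", "CORP\\jdoe", "C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic os get caption"),
    _ev("FS02", "CORP\\jdoe", "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "wmic /node:FS03 process call create \"cmd.exe /c hostname\""),
    _ev("FS02", "CORP\\jdoe", "C:\\Users\\Public\\7z.exe", "7z.exe a C:\\Windows\\Temp\\out.7z C:\\Users\\Public\\gis"),
    _ev("FS02", "CORP\\jdoe", "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c ipconfig /all > \\\\FS03\\ADMIN$\\net.txt"),
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['technique']:10} [{f['severity']}] {f['rule']}")
    print("credential-access hosts:", hosts_with_credential_access(analyze_events(SAMPLE_EVENTS)))
```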

Appendix B: MITRE ATT&CK Mapping

Actor / Stream | Tactic | Technique | ID | Observed / Assessed Use
Iran / CyberAv3ngers | Initial Access | Internet Accessible Device | T0883 | Accessed publicly exposed PLCs without sufficient network hardening
Iran / CyberAv3ngers | Command and Control | Commonly Used Port | T0885 | Used OT ports including 44818, 2222, 102, 502, and SSH on 22
Iran / CyberAv3ngers | C&C | Remote Access Software | T1219 | Deployed Dropbear SSH for remote access
Iran / CyberAv3ngers | Impact | Stored Data Manipulation | T1565 | Interacted with project files and altered HMI / SCADA display data
Iran / CyberAv3ngers | Initial Access | Valid Accounts | T1078 | Inferred from default / weak credential abuse against PLCs
Iran / CyberAv3ngers | Impact | Defacement | T1491 | HMI/PLC defacement messaging in Unitronics activity
Russia / CARR / Sandworm-adjacent | Initial Access | External Remote Services | T1133 | Likely access through remote industrial interfaces / exposed remote control paths
Russia / CARR / Sandworm-adjacent | Initial Access | Valid Accounts | T1078 | Likely weak credential or exposed HMI access model
Russia / CARR / Sandworm-adjacent | Discovery | Network Service Discovery | T1046 | Assessed scanning / discovery of exposed water-control interfaces
Russia / CARR / Sandworm-adjacent | Impact | Service Stop / Process Disruption | T1489 / ICS-aligned impact | Manipulation of water-system process controls resulting in overflow / floodgate events
Russia / CARR / Sandworm-adjacent | Impact | Data Manipulation | T1565 | Manipulation of set points, values, and control-system displays
Russia / CARR / Sandworm-adjacent | Collection / Influence | Screen Capture / Public Claims | T1113 / influence artifact | Claim videos showed screen recordings of HMI manipulation
China / Volt Typhoon | Initial Access | Exploit Public-Facing Application | T1190 | Compromise of exposed edge devices and public-facing infrastructure
China / Volt Typhoon | Defense Evasion | Living-off-the-Land | Multiple | Use of native tools to blend with administration activity
China / Volt Typhoon | Execution | Windows Management Instrumentation | T1047 | WMIC execution for process creation and credential-access workflows
China / Volt Typhoon | Credential Access | OS Credential Dumping: NTDS | T1003.003 | Attempted extraction of ntds.dit and registry hives
China / Volt Typhoon | Command and Control | Proxy | T1090 | netsh portproxy used for forwarding / covert access
China / Volt Typhoon | Execution | PowerShell | T1059.001 | Native PowerShell use in LOTL activity
China / Volt Typhoon | Discovery | Account Discovery | T1087 | Account and environment enumeration
China / Volt Typhoon | Discovery | Remote System Discovery | T1018 | Network and host reconnaissance
China / Volt Typhoon | Lateral Movement | Remote Services | T1021 | Movement through compromised internal environments
China / Volt Typhoon | Collection | Archive Collected Data | T1560 | Staging and compression of collected data, including 7z examples
China / Volt Typhoon | Defense Evasion | Impair Defenses | T1562 | Avoidance of EDR visibility through native tooling and low-noise operations
Poland / Unattributed | Initial Access | Internet Accessible Device | T0883 | Internet-exposed ICS used as access path
Poland / Unattributed | Initial Access | Valid Accounts | T1078 | Weak/default passwords
Poland / Unattributed | Impact | Data Manipulation | T1565 | Potential manipulation of pump, filter, and dosing parameters
American Water / Unattributed | Initial Access | Unknown | N/A | Public reporting does not disclose technical access vector
American Water / Unattributed | Impact | Service Disruption | T1489, if confirmed | Customer-facing and billing systems were affected; company stated water/wastewater operations were not impacted

The Iran rows are directly mapped from AA26-097A’s ATT&CK tables; the Volt Typhoon rows are mapped from NSA/CISA/FBI partner reporting on living-off-the-land activity; the Russia and Poland rows are analytic mappings based on public incident descriptions and should be treated as lower-confidence than the official advisory mappings. (Internet Crime Complaint Center)
