Nation-state threat actors continue to attack systems that regulate, distribute, and protect water, but adversary objectives in these attacks can be more complex than they might first appear.
That’s according to threat intelligence provider DomainTools, which on June 25 published research on nation-state targeting of water systems, covering incidents dating back to 2024, with particular focus on how and why cyber adversaries go after this infrastructure.
The intersection of “cyberattacks” and “water systems” is inherently alarming, as it calls to mind “cyber Pearl Harbor” scenarios where attackers attempt to stop the flow of, or poison, a community’s water supply. Causing civilian casualties is usually not a direct aim of these attacks and, as the 2021 attack on the Oldsmar, Fla., water treatment facility showed, many modern water systems have safeguards to ensure tainted water never reaches a community’s populace. That, of course, doesn’t mean it can’t happen, nor that cyberattacks can’t have an impact on human mortality.
DomainTools’ report reinforces that nation-state attacks on water systems, like those on all critical infrastructure, continue apace. For example, in 2025 the head of Norway’s counter-intelligence agency blamed Russia for an attack on a floodgate that dumped 400 liters of water per second for four hours.
The Water-Targeting Tactics of Iran, Russia, China
The research primarily focused on attacks attributed to three countries: Iran, Russia, and China.
Iranian threat actors, such as CyberAv3ngers and other IRGC-linked groups, have been observed exploiting exposed PLCs and water control systems in countries including the US and Israel. While there was one thwarted attack in 2020 against Israeli systems that could have disrupted water supply during a heat wave, researchers described Iran’s targeting overall as opportunistic and propagandistic: a vehicle to stoke public fear and media attention.
“State and state-aligned actors treat water and wastewater infrastructure as strategic pressure points. The value is primarily psychological and political rather than kinetic,” researchers said. “Even limited access or brief disruptions can trigger disproportionate reactions because water is tied directly to public health, trust, and government competence.”
DomainTools rates the risk from Iranian APTs as high for smaller, internet-exposed utilities and moderate for mature, segmented OT environments.
Compared to Iran, DomainTools said Russia-aligned actors are more willing to manipulate water control systems directly. Researchers cited an attack in Muleshoe, Texas, in January 2024 when state-backed attackers “accessed a remote industrial interface and caused a municipal water tank to overflow for roughly 30–45 minutes.”
“The Cyber Army of Russia Reborn claimed responsibility, and Mandiant linked the group to Sandworm, Russia’s GRU-associated destructive cyber unit,” researchers said. Overall, “Russian-linked activity is more sabotage-oriented than Iranian activity. The pattern fits Moscow’s broader hybrid campaign: low-cost disruptive access, public fear generation, and probing of Western infrastructure resilience.”
In other words, Russia is interested in the same public fear outcomes as Iran, as well as the additional benefit of potentially gaining insight into Western infrastructure. Risk is considered high for targeting in Europe and NATO-adjacent states, as well as moderate-to-high in exposed US municipal water systems.
China’s activity against water systems, meanwhile, centers on the prolific group Volt Typhoon. CISA, the NSA, the FBI, and other agencies warned in February 2024 that Volt Typhoon had compromised critical infrastructure in the US, including water and wastewater. The EPA later that year alerted more than 60,000 water and wastewater systems to the threat from the group.
China’s aims are less cut-and-dried than Russia’s and Iran’s, as the activity appears aimed at pre-positioning access for a potential future military conflict, a practice China is known for. “Rather than demonstrate immediate effects, Volt Typhoon’s objective is durable access, reconnaissance, and strategic pre-positioning,” the researchers said.
The threat level for long-term activity like this is “severe,” DomainTools said, with a lower risk of short-term disruption.
Water Attacks Are Alarming, But Solutions Remain Straightforward
The initial access points for all these attacks were similar. Iran was observed targeting weak authentication and exposed programmable logic controllers (PLCs) and human-machine interfaces (HMIs); Russia leaned on remote access compromise and poorly secured HMIs; China targeted credentials, remote access compromise, poorly secured HMIs, and vulnerable edge devices.
It gets even less complicated than that. Polish intelligence said in May that hackers breached five water treatment plants in the country last year, mainly through weak and default passwords and control systems exposed to the internet. Researchers described other attacks where water systems and infrastructure were targeted through billing systems, customer portals, and servers.
“These incidents matter because they show that state actors do not need custom ICS malware to create risk. Billing systems, customer portals, GIS repositories, vendor access, remote administration, identity systems, backups, and SCADA-adjacent servers can all provide useful access or intelligence,” the research blog read. “Criminal and unattributed incidents should therefore be treated as live demonstrations of the same weaknesses a state actor could exploit with more patience, planning, and operational intent.”
All to say that as alarming as cyberattacks against water, a foundational building block for life, might be, the ways threat actors are choosing to get in are not very complicated. As DomainTools put it, it’s exposed HMIs and PLCs, weak or default credentials, exposed remote access tools, shared accounts, unsupported legacy systems, limited monitoring, and poor segmentation between the OT and IT sides of the house.
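Most of the weaknesses in that list show up in network flow data before an adversary needs any ICS-specific tooling. As an added example (not code from the article or from DomainTools’ research), the Python script below runs an exposure and segmentation check over constructed flow records: it flags industrial-protocol and remote-access ports on OT hosts reached from outside the organization, and IT-to-OT traffic that bypasses the sanctioned engineering jump host. The address plan (OT subnet, IT subnet, jump host) and the sample log lines are assumptions made up for the example; the protocol port numbers are the registered defaults.

```python
"""Flag OT exposure and IT/OT segmentation violations in network flow records.

Added illustration, not code from DomainTools or the article. The subnets,
jump-host address, and flow log below are constructed for the example.
"""
import ipaddress
from collections import Counter

# Assumed address plan (constructed): the OT network hosting PLCs and HMIs,
# the corporate IT network, and the single engineering jump host permitted
# to speak industrial protocols into the OT zone.
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
ENGINEERING_JUMP_HOSTS = {"10.10.5.7"}

# Registered default ports for industrial protocols commonly exposed on PLCs
# and HMIs. Most of these have no authentication in their default
# configuration, so reaching the port is often enough to read or write
# process values.
OT_PROTOCOL_PORTS = {
    502: "Modbus/TCP",
    102: "Siemens S7comm",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Remote-access services that should only reach an OT host via the jump host.
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}


def zone_of(ip: str) -> str:
    """Classify an address as 'ot', 'it', or 'external' against the address plan."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in OT_NETS):
        return "ot"
    if any(addr in net for net in IT_NETS):
        return "it"
    return "external"


def parse_flow(line: str):
    """Parse 'timestamp proto src dst dport'; return None for malformed records."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, proto, src, dst, dport = fields
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"ts": ts, "proto": proto, "src": src, "dst": dst, "dport": int(dport)}
    except ValueError:
        return None


def evaluate_flow(flow: dict):
    """Return (severity, message) for a flow into the OT zone that breaks the
    segmentation model, or None if the flow is permitted."""
    if zone_of(flow["dst"]) != "ot":
        return None  # only traffic entering OT is in scope for this check
    src_zone = zone_of(flow["src"])
    port = flow["dport"]
    service = OT_PROTOCOL_PORTS.get(port) or REMOTE_ACCESS_PORTS.get(port)

    if src_zone == "external":
        # Anything from outside the organization touching an OT host is a
        # direct exposure; an industrial or remote-access service is critical.
        if service:
            return ("CRITICAL", f"{flow['dst']}:{port} ({service}) reachable from external {flow['src']}")
        return ("HIGH", f"{flow['dst']}:{port} reached from external {flow['src']}")

    if src_zone == "it":
        if flow["src"] in ENGINEERING_JUMP_HOSTS:
            return None  # sanctioned path into OT
        if service:
            return ("HIGH", f"IT host {flow['src']} reached {service} on {flow['dst']} without the jump host")
        return ("MEDIUM", f"IT host {flow['src']} reached OT host {flow['dst']}:{port}")

    return None  # OT-to-OT traffic is baseline for this check


def audit(log_text: str) -> list:
    """Run every parseable flow through evaluate_flow and collect findings."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip blank or malformed records rather than abort the audit
        result = evaluate_flow(flow)
        if result:
            findings.append(result)
    return findings


def severity_counts(findings) -> Counter:
    """Tally findings by severity for a quick summary."""
    return Counter(sev for sev, _ in findings)


# Constructed flow records (TEST-NET addresses stand in for the internet).
SAMPLE_FLOWS = """\
2024-01-18T03:12:44Z tcp 203.0.113.45 10.20.0.15 502
2024-01-18T03:12:51Z tcp 203.0.113.45 10.20.0.15 5900
2024-01-18T03:13:02Z tcp 10.10.5.7 10.20.0.15 102
2024-01-18T03:13:09Z tcp 10.10.44.21 10.20.0.22 502
2024-01-18T03:13:15Z tcp 10.20.0.15 10.20.0.22 502
2024-01-18T03:13:20Z tcp 10.10.44.21 10.10.2.9 443
2024-01-18T03:13:27Z tcp 198.51.100.8 10.20.0.40 8080
truncated record
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_FLOWS):
        print(f"[{severity}] {message}")
```

On the constructed log the audit yields four findings: the Modbus/TCP and VNC hits from 203.0.113.45 are critical exposures, the direct IT-workstation connection to Modbus on 10.20.0.22 is a segmentation violation, and the external connection to port 8080 is flagged even though it is not a known OT service. The jump-host session and OT-to-OT traffic pass silently, and the malformed record is skipped rather than halting the run. Zones are defined against an explicit address plan rather than `ipaddress`’s `is_global`, since the organization, not the RFC tables, decides what counts as inside.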
Daniel Schwalbe, head of investigations and chief information security officer (CISO) at DomainTools, tells Dark Reading that the research’s findings should concern CISOs whether they’re defending water systems or not, as many of the systems described, like HMIs and SCADA systems, are present in many environments. He says organizations should check for shadow IT and ensure security teams are evaluating and securing the fundamentals.
That said, traditional security controls and the basics should be the starting point, not the finish line — particularly when talking about OT environments.
“Traditional controls eliminate general low-hanging fruit and impose cost on threat actors that may simply move on to a less-guarded environment, but OT-specific activity is a specialized problem,” Schwalbe explains. “Detection here often involves a deeper expertise in the operational landscape to understand how the network baseline will differ, and that can be expensive both in terms of logging and automated analysis as well as the organization maintaining employees with appropriate engineering and incident response experience. I’d never suggest general controls could reasonably cover an OT-specific network, but rather that the approach needs to start with those general controls and then build upon them within the operational context.”