State-Backed Hackers Target Water Utilities in U.S. and Europe, Exploiting Basic Security Flaws
Since 2024, water and wastewater infrastructure across the U.S. and Europe has faced a surge in cyberattacks by nation-state actors, marking a shift from opportunistic breaches to deliberate strategic targeting. Iran, Russia, and China have exploited weak security in critical systems, using them as leverage in geopolitical conflicts rather than causing immediate mass disruption.
Key Incidents and Tactics
- Iran-linked CyberAv3ngers exploited default credentials on Unitronics Vision Series PLCs in U.S. water systems, with attacks confirmed by CISA in December 2024 and ongoing through 2026. The group targeted exposed industrial control ports (e.g., TCP/44818, TCP/2222) and used Dropbear SSH for remote access.
- Russia-associated actors, including the Cyber Army of Russia Reborn (linked to Sandworm), caused a 30–45-minute water tank overflow in Muleshoe, Texas, in January 2024. In April 2025, they breached a dam in Bremanger, Norway, opening floodgates for four hours, and compromised five Polish water treatment plants, where they altered chemical dosing parameters.
- China’s Volt Typhoon adopted a stealthier approach, embedding itself in U.S. water and wastewater IT networks for long-term access, positioning for potential future conflicts. The group leveraged living-off-the-land tools like wmic, ntdsutil.exe, and PowerShell to evade detection.
Common Vulnerabilities
Attackers relied on preventable security gaps, including:
- Internet-exposed PLCs and HMIs.
- Default or weak passwords and shared operator accounts.
- Poor IT/OT network segmentation.
- Unsecured remote access tools.
Impact and Response
With 170,000 water systems in the U.S. alone many underfunded and operating on outdated technology the sector remains highly vulnerable. Federal agencies (CISA, FBI, NSA, EPA) have issued repeated warnings, emphasizing the need for basic hardening measures: removing PLCs from public internet access, enforcing multi-factor authentication, and improving OT monitoring.
Indicators of compromise (IoCs) linked to these campaigns include specific IP addresses (e.g., 135.136.1[.]133), targeted network ports (TCP/502, TCP/22), and tools like Dropbear SSH and ntds.dit. Iranian actors left defacement messages on compromised HMIs, declaring Israeli-made equipment a "legal target."
Source: https://cybersecuritynews.com/hackers-exploit-weak-credentials-and-internet-facing-plcs/
Unitronics - PLC & Automation products cybersecurity rating report: https://www.rankiteo.com/company/unitronics_2
SIGA - Multi Level OT Resilience cybersecurity rating report: https://www.rankiteo.com/company/sigaotsolutions
Emvees Water | Waste Water Treatment LLC cybersecurity rating report: https://www.rankiteo.com/company/emvees-waste-water-treatment-llc
TEAMSESCO Industrial & Renewable Technology Services cybersecurity rating report: https://www.rankiteo.com/company/teamsesco
"id": "UNISIGEMVTEA1782484008",
"linkid": "unitronics_2, sigaotsolutions, emvees-waste-water-treatment-llc, teamsesco",
"type": "Cyber Attack",
"date": "1/2024",
"severity": "100",
"impact": "7",
"explanation": "Attack that could injure or kill people"
{'affected_entities': [{'industry': 'Critical Infrastructure',
'location': 'Muleshoe, Texas, USA',
'name': 'Muleshoe Water System',
'type': 'Water Utility'},
{'industry': 'Critical Infrastructure',
'location': 'Bremanger, Norway',
'name': 'Bremanger Dam',
'type': 'Dam'},
{'industry': 'Critical Infrastructure',
'location': 'Poland',
'size': '5 plants',
'type': 'Water Treatment Plants'},
{'industry': 'Critical Infrastructure',
'location': 'U.S. and Europe',
'size': '170,000 systems (U.S. alone)',
'type': 'Water and Wastewater Systems'}],
'attack_vector': ['Exploiting default credentials',
'Internet-exposed PLCs/HMIs',
'Remote access tools (Dropbear SSH)',
'Living-off-the-land tools (wmic, ntdsutil.exe, '
'PowerShell)'],
'date_detected': '2024',
'date_publicly_disclosed': '2024-12',
'description': 'Since 2024, water and wastewater infrastructure across the '
'U.S. and Europe has faced a surge in cyberattacks by '
'nation-state actors, including Iran, Russia, and China. These '
'actors exploited weak security in critical systems, using '
'them as leverage in geopolitical conflicts. Key incidents '
'involved default credentials exploitation, remote access '
'tools, and poor IT/OT segmentation, leading to operational '
'disruptions and potential long-term access for future '
'conflicts.',
'impact': {'downtime': ['30–45 minutes (Muleshoe, Texas)',
'4 hours (Bremanger, Norway)'],
'operational_impact': ['Water tank overflow',
'Floodgate manipulation',
'Altered chemical dosing parameters'],
'systems_affected': ['Water and wastewater treatment systems',
'PLCs (Unitronics Vision Series)',
'Dams',
'Chemical dosing systems']},
'investigation_status': 'Ongoing',
'lessons_learned': 'Attackers exploited preventable security gaps such as '
'default credentials, poor network segmentation, and '
'unsecured remote access tools. The incidents highlight '
'the need for basic hardening measures in critical '
'infrastructure.',
'motivation': ['Geopolitical leverage',
'Strategic positioning for future conflicts',
'Disruption of critical infrastructure'],
'post_incident_analysis': {'corrective_actions': ['Removing PLCs from public '
'internet',
'Enforcing MFA',
'Improving network '
'segmentation',
'Enhancing OT monitoring'],
'root_causes': ['Default/weak credentials',
'Poor IT/OT segmentation',
'Internet-exposed PLCs/HMIs',
'Unsecured remote access tools']},
'recommendations': ['Remove PLCs from public internet access',
'Enforce multi-factor authentication',
'Improve IT/OT network segmentation',
'Enhance OT monitoring',
'Secure remote access tools'],
'references': [{'source': 'CISA'},
{'source': 'Indicators of Compromise (IoCs)'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA, FBI, NSA, EPA '
'warnings']},
'response': {'containment_measures': ['Removing PLCs from public internet '
'access',
'Enforcing multi-factor authentication'],
'enhanced_monitoring': ['Improving OT monitoring'],
'network_segmentation': ['Improving IT/OT network segmentation'],
'remediation_measures': ['Improving OT monitoring',
'Hardening security measures']},
'stakeholder_advisories': 'Federal agencies (CISA, FBI, NSA, EPA) have issued '
'repeated warnings to water utilities about the '
'need for basic security hardening measures.',
'threat_actor': ['Iran-linked CyberAv3ngers',
'Russia-associated Cyber Army of Russia Reborn (Sandworm)',
'China’s Volt Typhoon'],
'title': 'State-Backed Hackers Target Water Utilities in U.S. and Europe, '
'Exploiting Basic Security Flaws',
'type': ['Cyber Espionage', 'Sabotage', 'Unauthorized Access'],
'vulnerability_exploited': ['Default/weak passwords',
'Shared operator accounts',
'Poor IT/OT network segmentation',
'Unsecured remote access tools',
'Exposed industrial control ports (TCP/44818, '
'TCP/2222, TCP/502, TCP/22)']}