
Hackers Exploit Weak Credentials and Internet-Facing PLCs to Breach Water Utilities

Water utilities across the United States and Europe are under growing pressure as hackers continue to find easy ways in.

Nation-state actors and affiliated groups have been quietly exploiting internet-facing control systems and weak login credentials to access water and wastewater infrastructure — systems that millions of people depend on every day.

The threat has moved beyond isolated incidents. From 2024 to 2026, attacks on water systems shifted from opportunistic nuisance activity into a deliberate feature of state-level competition.

Countries like Iran, Russia, and China have each used access to water infrastructure as a strategic tool — not to cause mass destruction, but to send signals, test limits, and prepare for larger conflicts ahead.

Analysts at DomainTools noted in a report shared with Cyber Security News (CSN) that these intrusions are driven by a shared doctrine: targeting civilian utilities provides strategic leverage.

The report warns that water systems are now treated as pressure points, used to create fear, test emergency response thresholds, and position threat actors for future disruptions.

The attacks rely heavily on basic security failures. Threat actors have repeatedly exploited internet-facing programmable logic controllers (PLCs), weak or default passwords, shared operator accounts, poor IT/OT network segmentation, and exposed remote access tools.

These gaps require no advanced malware — just patience and an open door into an unprotected system.

Figure: PLC targeting (Source – DomainTools)

U.S. federal agencies, including CISA, FBI, NSA, and EPA, have warned that many utilities remain dangerously exposed.

The water sector includes roughly 170,000 systems nationwide, many operating with limited budgets, outdated technology, and voluntary security practices that vary widely from one facility to the next.

Hackers Exploit Weak Credentials and Internet-Facing PLCs

The most direct example came from Iranian-affiliated actors. In December 2023, CISA confirmed that CyberAv3ngers, a group tied to Iran’s IRGC, had targeted Unitronics Vision Series PLCs commonly found in U.S. water and wastewater systems.

The attackers used default factory credentials to gain entry — no special techniques were needed.

By April 2026, a joint advisory from CISA, FBI, NSA, and EPA confirmed that Iranian-linked actors were still active, exploiting internet-exposed PLCs across water, energy, and government facilities.

The advisory flagged malicious traffic aimed at industrial control protocol ports (Modbus on TCP/502, Siemens S7 on TCP/102, and EtherNet/IP on TCP/44818 and TCP/2222) and the deployment of Dropbear SSH to keep remote access once inside.

Russia-linked groups went further. In January 2024, attackers accessed a remote industrial interface at a facility in Muleshoe, Texas, causing a municipal water tank to overflow for roughly 30 to 45 minutes.

Figure: Primary TTPs (Source – DomainTools)

The Cyber Army of Russia Reborn claimed responsibility, and investigators linked the group to Sandworm, the cyber unit of Russia’s military intelligence service (GRU).

In April 2025, attackers seized control of a dam in Bremanger, Norway, opening a floodgate and releasing water for approximately four hours.

Poland also reported breaches at five water treatment plants in 2025. The attackers used weak passwords and found control systems directly exposed online.

Once inside, they had the ability to alter chemical dosing parameters — a deeply concerning capability with real potential to harm public health.

Nation-State Tactics and What Defenders Should Do

China’s Volt Typhoon group took a far quieter path. Rather than creating visible disruption, it burrowed into the IT environments of water and wastewater utilities, alongside other U.S. critical infrastructure sectors, aiming for long-term access and strategic positioning.

According to security agencies, the goal is to have options ready if a geopolitical crisis ever escalates into open conflict.

Experts stress that criminal and unattributed incidents should also be treated seriously, since they expose the same weaknesses a state actor would exploit with far more planning.

Figure: Strategic Assessment (Source – DomainTools)

Assets outside the control network matter too: billing portals, vendor remote access, GIS repositories, and SCADA-adjacent servers can all provide a foothold or useful intelligence about the plant.

The DomainTools report recommends that water utilities take immediate steps to reduce exposure.

These include removing PLCs and HMIs from direct internet access, replacing default and shared passwords, enforcing multi-factor authentication, improving OT monitoring, and separating IT from operational control networks.

Reporting incidents to CISA and coordinating with federal partners for cybersecurity support is also strongly encouraged.
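The first recommendation above, taking PLCs and HMIs off the open internet, is only verifiable from the outside. The following Python script, an added example that is not the article's or DomainTools' code, checks which of a utility's own public addresses complete a TCP handshake on the ICS and remote-access ports listed in this article. It adds one port the article does not list, TCP/20256, the Unitronics PCOM service that the Unitronics PLC attacks reached. The addresses and the `fake_probe` stand-in for the network are constructed so the logic runs offline; replace them with `tcp_open` and the ranges you are authorised to test.

```python
"""Self-check for internet-exposed ICS services on addresses you own.
Added example, not code from the article or any advisory. Run only against
address ranges you are authorised to test, from outside the utility's network."""
import socket
from concurrent.futures import ThreadPoolExecutor

# TCP ports from the article's IoC table, plus Unitronics PCOM (20256/tcp),
# which the article does not list but is the default Unitronics PLC service.
EXPOSURE_PORTS = {
    502: "Modbus",
    102: "Siemens S7",
    44818: "EtherNet/IP",
    2222: "EtherNet/IP (alternate)",
    20256: "Unitronics PCOM",
    22: "SSH",
}


def tcp_open(host, port, timeout=2.0):
    """Real probe: a completed TCP handshake means the port is reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_exposure(hosts, ports=EXPOSURE_PORTS, probe=tcp_open, workers=16):
    """Return [(host, port, service)] for every reachable (host, port) pair.
    `probe` is injectable so the logic can be exercised without a network."""
    pairs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda hp: probe(*hp), pairs))
    return [(h, p, ports[p]) for (h, p), ok in zip(pairs, results) if ok]


def summarize(exposed):
    """Group findings per host so an operator sees one line per device."""
    by_host = {}
    for host, port, service in exposed:
        by_host.setdefault(host, []).append(f"{service} ({port}/tcp)")
    return by_host


# Constructed stand-in for a real network: the (host, port) pairs that answer.
# 198.51.100.0/24 is documentation space; nothing here is a real utility.
FAKE_OPEN = {
    ("198.51.100.10", 502),
    ("198.51.100.10", 20256),
    ("198.51.100.12", 22),
}


def fake_probe(host, port, timeout=2.0):
    """Offline probe used for the demonstration run below."""
    return (host, port) in FAKE_OPEN


if __name__ == "__main__":
    # Swap fake_probe for tcp_open and list your own public addresses.
    targets = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    for host, services in summarize(scan_exposure(targets, probe=fake_probe)).items():
        print(f"{host} exposes {', '.join(services)}")
```

Anything this reports on a controller or HMI address should be removed from the edge (or moved behind a VPN with MFA) before the next scan, and the scan itself is worth repeating on a schedule, since vendor or contractor changes are how these ports usually reappear.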

Indicators of Compromise (IoCs)

Type | Indicator | Description
IP Address | 135.136.1[.]133 | Iran/CyberAv3ngers-affiliated IP address (March 2026)
IP Address | 185.82.73[.]162 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026)
IP Address | 185.82.73[.]164 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026)
IP Address | 185.82.73[.]165 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026)
IP Address | 185.82.73[.]167 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026)
IP Address | 185.82.73[.]168 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026)
IP Address | 185.82.73[.]170 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026)
IP Address | 185.82.73[.]171 | Iran/CyberAv3ngers-affiliated IP address (Jan 2025 – Mar 2026)
Network Port | TCP/44818 | EtherNet/IP protocol port, targeted in Iran-linked PLC attacks
Network Port | TCP/2222 | EtherNet/IP alternate protocol port, targeted in Iran-linked PLC attacks
Network Port | TCP/102 | Siemens S7 protocol port, targeted in Iran-linked PLC attacks
Network Port | TCP/502 | Modbus protocol port, targeted in Iran-linked PLC attacks
Network Port | TCP/22 | SSH remote access port, used via Dropbear SSH deployment
Tool | Dropbear SSH | Lightweight SSH tool used for remote access by Iranian-affiliated actors
Tool | wmic | Native Windows tool abused by Volt Typhoon (living-off-the-land)
Tool | ntdsutil.exe | Native Windows tool used for credential harvesting by Volt Typhoon
File | ntds.dit | Active Directory credential database extracted by Volt Typhoon
Tool | netsh interface portproxy | Native Windows port-forwarding command abused for lateral movement
File Path | C:\Windows\Temp\ | Host artifact staging path observed in Volt Typhoon activity
File Path | C:\Users\Public\ | Host artifact staging path observed in Volt Typhoon activity
Share | ADMIN$ | Windows admin share used for lateral movement output
Tool | PowerShell | Native scripting tool used in Volt Typhoon living-off-the-land operations
Malware/Tool | Userspace SSH tool | Unsupported SSH tool noted in the advisory for remote access
Software | Studio 5000 Logix Designer | Rockwell Automation software used in targeted ICS environments
Software | Micro850, CompactLogix | Rockwell Automation PLC models targeted by Iranian actors
Tool | Tarprolan | Talos-identified tool referenced in Volt Typhoon behavioral IOCs
Defacement Text | “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” | Defacement message left on compromised HMIs by CyberAv3ngers

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
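The ports and addresses in the IoC table, together with the Dropbear SSH detail from the April advisory, translate directly into detection logic. The Python script below is an added example, not the article's, DomainTools' or any agency's code. It re-fangs the listed addresses in-process (as the note above requires) and triages Zeek-style conn.log records for three patterns: any traffic involving a listed address, ICS protocol ports on OT hosts reached from outside the OT network, and SSH to an OT host from anything other than the engineering workstation. The OT range 10.50.0.0/16, the engineering host 10.50.1.10 and the log lines are constructed assumptions.

```python
"""Triage Zeek-style conn.log records for the patterns the article describes.
Added example, not code from the article, DomainTools or any advisory.
Assumptions (constructed): the OT network is 10.50.0.0/16, 10.50.1.10 is the
only engineering workstation allowed to reach controllers, and the sample
log lines are made up."""
import ipaddress

# TCP ports from the article's IoC table.
ICS_PORTS = {
    44818: "EtherNet/IP",
    2222: "EtherNet/IP (alternate)",
    102: "Siemens S7",
    502: "Modbus",
}
SSH_PORT = 22

# CyberAv3ngers-affiliated addresses, copied defanged from the table.
DEFANGED_IOCS = [
    "135.136.1[.]133",
    "185.82.73[.]162", "185.82.73[.]164", "185.82.73[.]165", "185.82.73[.]167",
    "185.82.73[.]168", "185.82.73[.]170", "185.82.73[.]171",
]


def refang(indicator):
    """Convert '185.82.73[.]162' back to a real address, in-process only."""
    return indicator.replace("[.]", ".")


IOC_IPS = frozenset(ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS)

OT_NET = ipaddress.ip_network("10.50.0.0/16")                        # assumption
ENGINEERING_HOSTS = frozenset({ipaddress.ip_address("10.50.1.10")})  # assumption

# First seven columns of Zeek's conn.log, in Zeek's standard order.
FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto")


def parse_conn(line):
    """Parse one tab-separated conn.log record into a dict with typed fields."""
    rec = dict(zip(FIELDS, line.rstrip("\n").split("\t")))
    rec["orig_h"] = ipaddress.ip_address(refang(rec["orig_h"]))
    rec["resp_h"] = ipaddress.ip_address(refang(rec["resp_h"]))
    rec["orig_p"] = int(rec["orig_p"])
    rec["resp_p"] = int(rec["resp_p"])
    return rec


def triage(rec):
    """Return [(severity, reason)] for one record; an empty list means no match."""
    src, dst, dport = rec["orig_h"], rec["resp_h"], rec["resp_p"]
    findings = []
    if src in IOC_IPS or dst in IOC_IPS:
        hit = src if src in IOC_IPS else dst
        findings.append(("critical", f"traffic with CyberAv3ngers-affiliated address {hit}"))
    if dst in OT_NET and dport in ICS_PORTS and src not in OT_NET:
        findings.append(("high", f"{ICS_PORTS[dport]} ({dport}/tcp) on {dst} reached from outside OT by {src}"))
    if dst in OT_NET and dport == SSH_PORT and src not in ENGINEERING_HOSTS:
        findings.append(("high", f"SSH to OT host {dst} from non-engineering source {src}"))
    return findings


def triage_log(lines):
    """Run triage over an iterable of conn.log lines, skipping Zeek '#' headers."""
    out = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_conn(line)
        for severity, reason in triage(rec):
            out.append({"uid": rec["uid"], "severity": severity, "reason": reason})
    return out


# Constructed sample; the IoC source address is kept defanged in this listing.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1710000000.1\tCa1\t10.50.1.10\t51000\t10.50.20.5\t502\ttcp
1710000001.2\tCb2\t185.82.73[.]162\t44321\t10.50.20.5\t502\ttcp
1710000002.3\tCc3\t203.0.113.77\t40222\t10.50.20.7\t44818\ttcp
1710000003.4\tCd4\t10.50.30.99\t41111\t10.50.20.9\t22\ttcp
1710000004.5\tCe5\t10.50.1.10\t52222\t10.50.20.9\t22\ttcp
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_CONN_LOG.splitlines()):
        print(f"{f['severity']:8} {f['uid']}  {f['reason']}")
```

On the sample, the engineering workstation's Modbus session and its SSH login produce nothing, while the listed Iranian address hitting Modbus raises both a critical IoC match and a high external-access finding, and the non-engineering SSH login to a controller is flagged on its own. The SSH rule is the one that catches a Dropbear-style backdoor: once an attacker has planted their own SSH daemon, the traffic to it will not come from the engineering host.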

The post Hackers Exploit Weak Credentials and Internet-Facing PLCs to Breach Water Utilities appeared first on Cyber Security News.

Source: cybersecuritynews.com
