Nation-state attackers from Iran, Russia, and China have been targeting water systems around the world for sabotage. According to a recent report by DomainTools, these attacks are usually carried out by low-tech means, such as guessing weak or default passwords and abusing Programmable Logic Controllers (PLCs) left directly reachable from the internet, rather than by sophisticated malware.
The threat intelligence provider has been tracking nation-state activity against water systems since 2024 and has identified three countries: Iran, Russia, and China. While the motivations behind these attacks may seem straightforward – causing chaos and disruption to critical infrastructure – researchers say that there’s more to it. In many cases, the aim is not just to cause physical harm or damage to property but also to create psychological and political pressure.
Iranian threat actors have been observed exploiting exposed PLCs and water control systems in countries including the US and Israel. According to DomainTools, Iran’s targeting of water systems can be described as opportunistic and propagandistic – a way to stoke public fear and media attention. State and state-aligned actors view water and wastewater infrastructure as strategic pressure points, with the primary value being psychological and political rather than kinetic.
Iranian threat actors are considered high risk for smaller internet-exposed utilities and moderate risk for mature segmented OT environments. In contrast, Russia-aligned actors have been more willing to manipulate water control systems directly, causing disruptions such as an overflow in a municipal water tank in Muleshoe, Texas, in January 2024. The Cyber Army of Russia Reborn claimed responsibility for the attack, which was linked to Sandworm, Russia’s GRU-associated destructive cyber unit.
Russia’s objectives in targeting water systems overlap with Iran’s: stoking public fear and probing the resilience of Western infrastructure. Moscow, however, also treats these intrusions as reconnaissance, using them to learn how Western utilities are built and defended. DomainTools rates the risk as high for targets in Europe and NATO-adjacent states and moderate-to-high for exposed US municipal water systems.
China’s activity against water systems centers around the prolific group Volt Typhoon. CISA, the NSA, the FBI, and other agencies warned in February 2024 that Volt Typhoon had compromised critical infrastructure in the US, including water and wastewater. The EPA later that year alerted over 60,000 water and wastewater systems to the threat of this advanced persistent threat.
The fact that these attacks are often carried out through low-tech means should not give comfort to water system operators or authorities. These tactics can still cause significant disruption and have real-world consequences. As DomainTools researchers noted, “Even limited access or brief disruptions can trigger disproportionate reactions because water is tied directly to public health, trust, and government competence.”
The takeaway for readers is clear: water system security must be a top priority for both operators and governments. Because the intrusions described here rely on weak credentials and internet-reachable controllers, the first steps are the basic ones: change default passwords on PLCs and HMIs, remove any path that lets the public internet reach OT protocols directly, require multi-factor authentication for remote access, segment OT environments from IT and the internet, and keep software and firmware updated. It also means tracking nation-state activity against the sector and having a plan to detect, contain, and recover from an attack before one lands.
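One concrete check that follows from the article's point about exposed PLCs is to audit firewall accept logs for OT protocol ports reachable from outside the engineering network. The script below is an added example written for this page; it is not DomainTools' tooling or anything from the report. The log format, the engineering allowlist and the sample log lines are constructed for the example, and the port-to-protocol table lists standard ICS ports (Modbus/TCP 502, S7comm 102, EtherNet/IP 44818, DNP3 20000, Unitronics PCOM 20256) as an assumed starting set that a real utility would extend with its own vendors' ports.

```python
"""Audit firewall accept logs for OT protocol ports reachable from outside
the engineering network (added example, not from the article or report)."""
import ipaddress
from dataclasses import dataclass

# Standard ICS/OT protocol ports. Assumed starting set; extend per vendor.
OT_PORTS = {
    502: "Modbus/TCP",
    102: "Siemens S7comm",
    44818: "EtherNet/IP",
    20000: "DNP3",
    20256: "Unitronics PCOM",
}

# RFC 1918 ranges checked explicitly rather than via ip.is_private, because
# Python's is_private also returns True for documentation ranges such as
# 203.0.113.0/24, which we use below to stand in for public sources.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical allowlist of networks permitted to talk to PLCs: an engineering
# workstation VLAN and a jump-host subnet. Constructed for this example.
ENGINEERING_NETS = [
    ipaddress.ip_network("10.10.50.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    protocol: str
    reason: str


def is_internal(src: str) -> bool:
    """True if the source address falls in an RFC 1918 range."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in RFC1918_NETS)


def is_engineering_source(src: str) -> bool:
    """True if the source is in a network allowed to reach OT protocols."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ENGINEERING_NETS)


def parse_line(line: str):
    """Parse one constructed log line: ts,src_ip,dst_ip,dst_port,action.
    Returns None for malformed lines so a bad record never aborts the audit."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return ts, src, dst, int(port), action.upper()
    except ValueError:
        return None


def audit(lines):
    """Return a Finding for every accepted connection to an OT port whose
    source is either public or internal-but-outside the engineering allowlist."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, action = rec
        if port not in OT_PORTS or action != "ACCEPT":
            continue
        if not is_internal(src):
            reason = "OT port reachable from the public internet"
        elif not is_engineering_source(src):
            reason = "OT port reached from an internal network outside the engineering allowlist"
        else:
            continue  # expected traffic from the engineering network
        findings.append(Finding(ts, src, dst, port, OT_PORTS[port], reason))
    return findings


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 stand in for
# public sources, 172.16.20.0/24 for the PLC segment.
SAMPLE_LOG = [
    "2024-01-18T03:12:44Z,203.0.113.7,172.16.20.5,502,ACCEPT",     # public -> Modbus
    "2024-01-18T03:13:01Z,10.10.50.12,172.16.20.5,502,ACCEPT",     # engineering VLAN, fine
    "2024-01-18T03:14:09Z,10.20.30.40,172.16.20.6,20256,ACCEPT",   # office LAN -> PCOM
    "2024-01-18T03:15:30Z,198.51.100.9,172.16.20.5,102,DROP",      # blocked, fine
    "2024-01-18T03:16:02Z,198.51.100.9,172.16.20.9,443,ACCEPT",    # not an OT port
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.port} ({f.protocol}): {f.reason}")
```

Run against a real export, the two findings the sample produces are exactly the conditions the article describes: a PLC answering Modbus to the internet, and an OT protocol reachable from a flat internal network that segmentation should have cut off. Treat any hit on the first condition as an incident, not a hygiene item.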
Source: Dark Reading — 2026-06-29