
Etairos.ai

Posted on • Originally published at threat-intelligence.redeyesecurity.com

Iran, Russia, and China Are Probing US Water Systems for Sabotage

TL;DR

  • what: Iranian, Russian, and Chinese state-aligned groups are actively probing and breaching US and allied water and wastewater control systems.
  • impact: Attackers have manipulated HMIs and PLCs at multiple small utilities, demonstrating the ability to alter chemical dosing, pressure, and pump operations.
  • fix: Remove OT/HMI devices from the public internet, kill vendor default and shared credentials, enforce MFA on remote access, and segment IT from OT per CISA and EPA guidance.
  • who: The 150,000-plus public water systems in the US, especially small rural utilities with few staff and flat networks, plus allied operators abroad.

Iran, Russia, and China are no longer just spying on water infrastructure. Threat groups tied to all three are actively probing, breaching, and in some cases manipulating the control systems that run US and allied water and wastewater utilities. The goal is shifting from intelligence collection to pre-positioning for sabotage, and the targets are the least defended operators in critical infrastructure.

The US has more than 150,000 public water systems. The vast majority are small, rural, and run by a handful of people. Many expose human-machine interfaces (HMIs) and programmable logic controllers (PLCs) directly to the internet, secured by nothing more than a vendor default password. That combination of low budget, flat networks, and exposed OT is exactly what makes water the softest target among the sixteen critical infrastructure sectors.

Three actors, three motives

Iran-aligned groups, including the IRGC-linked CyberAv3ngers, have hit utilities running Israeli-made Unitronics PLCs, defacing HMIs and disrupting operations as politically motivated retaliation. Russia-aligned hacktivists have manipulated control systems at water and wastewater sites to cause tank overflows and pump malfunctions, treating utilities as cheap, high-visibility pressure points. China's Volt Typhoon is the most strategic of the three, quietly embedding in critical networks to hold access for a future conflict rather than to make noise today.

⚠️ This is pre-positioning, not noise — China's Volt Typhoon activity is not opportunistic. CISA assesses these intrusions are designed to maintain persistent, stealthy access so the actor can disrupt or destroy services during a geopolitical crisis. Access established today is the weapon staged for later.

How they get in

None of this requires advanced exploits. The intrusions documented so far lean on the cheapest possible attack paths, which is what makes them repeatable at scale across thousands of small utilities.

  • Internet-exposed HMIs and PLCs reachable by a simple Shodan-style scan
  • Vendor default and factory-set passwords that were never changed
  • Shared or reused credentials with no multi-factor authentication
  • Remote access tools and VPNs left open for contractors and integrators
  • Flat networks where IT and OT sit on the same segment with no separation

What sabotage actually looks like

Manipulating a water system does not require dramatic Hollywood code. An attacker with HMI access can alter chemical dosing setpoints, change pressure and flow, stop pumps, or trigger overflows. In the documented incidents, attackers proved they could reach and change these controls. Operational safeguards and manual oversight prevented public harm in the cases disclosed so far, but that margin depends on staff noticing fast, and most small utilities have no one watching the OT network at all.

The defender's advantage is still real — Every documented intrusion exploited a control that the utility could have closed for little or no money: pull OT off the public internet, change default passwords, and segment the network. These are not expensive capital projects. They are configuration changes that eliminate the entire attack class these actors rely on.

What to do now

CISA and the EPA have issued repeated advisories, and the actions they call for are unglamorous and effective. If you operate, oversee, or support a water utility, these are the priorities.

  • Get every HMI, PLC, and OT device off the public internet; if remote access is required, put it behind a VPN with MFA
  • Change all default, shared, and factory-set credentials immediately and enforce strong unique passwords
  • Segment IT from OT so a compromised business network cannot reach control systems
  • Inventory internet-exposed assets using CISA's free scanning and Shields Up guidance
  • Build and rehearse a manual-operations and incident-response plan so the plant can run if controls are lost
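The five cheap entry paths listed under "How they get in" map one-to-one onto the priorities above, so a utility can audit its own asset inventory against them. The script below is an added example, not code from the original post or from CISA/EPA; it assumes a constructed, simplified inventory record (name, management IP, IT/OT zone, exposure, credential and remote-access state) and flags each OT device that still has an open path.

```python
"""Audit an OT asset inventory against the CISA/EPA water-sector priorities.
Added example with a constructed inventory format; a real utility would
load its own asset list instead of SAMPLE below."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Asset:
    name: str
    ip: str               # management address
    zone: str             # "IT" or "OT"
    internet_exposed: bool
    default_creds: bool   # vendor/factory password still in place
    remote_access: str    # "none", "vpn_mfa", "vpn_no_mfa", "direct"


def audit(assets):
    """Return {OT asset name: [findings]}, one finding per unmet priority."""
    # Flat-network check: every /24 that hosts business (IT) gear.
    it_subnets = {ipaddress.ip_network(f"{a.ip}/24", strict=False)
                  for a in assets if a.zone == "IT"}
    findings = {}
    for a in assets:
        if a.zone != "OT":
            continue  # the priorities target control-system devices
        f = []
        if a.internet_exposed:
            f.append("internet-exposed: remove from the public internet")
        if a.default_creds:
            f.append("default credentials: set a unique strong password")
        if a.remote_access == "vpn_no_mfa":
            f.append("remote access without MFA: enforce MFA on the VPN")
        elif a.remote_access == "direct":
            f.append("direct remote access: put it behind a VPN with MFA")
        subnet = ipaddress.ip_network(f"{a.ip}/24", strict=False)
        if subnet in it_subnets:
            f.append(f"flat network: shares {subnet} with IT; segment IT from OT")
        findings[a.name] = f
    return findings


def devices_at_risk(findings):
    """Number of OT devices with at least one open finding."""
    return sum(1 for f in findings.values() if f)


# Constructed sample inventory (not real utility data)
SAMPLE = [
    Asset("billing-srv", "10.0.1.10", "IT", False, False, "none"),
    Asset("chlorine-plc", "10.0.1.20", "OT", True, True, "direct"),
    Asset("pump-hmi", "10.0.2.5", "OT", False, False, "vpn_mfa"),
]

if __name__ == "__main__":
    for name, f in audit(SAMPLE).items():
        print(name, "OK" if not f else "; ".join(f))
```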

The bottom line

Water is being treated by three separate nation-states as a soft underbelly of US critical infrastructure, and they are right that it is poorly defended. But the same low sophistication that makes these intrusions possible also makes them preventable. Utilities that close internet exposure, kill default credentials, and segment their networks remove the exact foothold every one of these actors depends on. The clock is running, and the cheapest fixes are the ones that matter most.


Originally published on RedEye Threat Intelligence.
