
Iran, Russia, China Target Water Systems for Sabotage

Source: Dark Reading. Archived Jun 29, 2026.

Nation-state attackers breach water systems through weak passwords, exposed PLCs, and poor segmentation — not sophisticated malware.



Alexander Culafi, Senior News Writer, Dark Reading
June 29, 2026 | 5 Min Read

Nation-state threat actors continue to attack systems that regulate, distribute, and protect water, but adversary objectives in these attacks can be more complex than they might first appear.

That's according to threat intelligence provider DomainTools, which on June 25 published research concerning recent nation-state targeting of water systems going back as far as 2024. The research focused in particular on how and why cyber adversaries are going after this infrastructure.

The intersection of "cyberattacks" and "water systems" is inherently alarming, as it calls to mind "cyber Pearl Harbor" scenarios in which criminals attempt to stop the flow of, or poison, a community's water supply. Causing civilian casualties is usually not a direct aim of these attacks, and, as the 2021 attack on the Oldsmar, Fla., water treatment facility showed, many modern water systems have safeguards to ensure tainted water never reaches the public. That, of course, doesn't mean it can't happen, nor that cyberattacks can't have an impact on human mortality.

DomainTools' report reinforces that nation-state attacks on water systems, like attacks on all critical infrastructure, continue apace. For example, in 2025 the head of Norway's counter-intelligence agency blamed Russia for an attack on a floodgate that dumped 400 liters of water per second for four hours.

The Water-Targeting Tactics of Iran, Russia, China

The research primarily focused on attacks attributed to three countries: Iran, Russia, and China.

Iranian threat actors, such as CyberAv3ngers and other IRGC-linked groups, have been observed exploiting exposed PLCs and water control systems in countries including the US and Israel. While there was one thwarted attack in 2020 against Israeli systems that could have disrupted water supply during a heat wave, researchers described Iran's targeting overall as opportunistic and propagandistic — a vehicle to stoke public fear and media attention.

"State and state-aligned actors treat water and wastewater infrastructure as strategic pressure points. The value is primarily psychological and political rather than kinetic," researchers said. "Even limited access or brief disruptions can trigger disproportionate reactions because water is tied directly to public health, trust, and government competence."

Organizations should consider Iranian APTs high risk for smaller, internet-exposed utilities and moderate risk for mature, segmented OT environments.

Compared to Iran, DomainTools said, Russia-aligned actors are more willing to manipulate water control systems directly. Researchers cited an attack in Muleshoe, Texas, in January 2024 in which state-backed attackers "accessed a remote industrial interface and caused a municipal water tank to overflow for roughly 30–45 minutes."

"The Cyber Army of Russia Reborn claimed responsibility, and Mandiant linked the group to Sandworm, Russia's GRU-associated destructive cyber unit," researchers said. Overall, "Russian-linked activity is more sabotage-oriented than Iranian activity. The pattern fits Moscow's broader hybrid campaign: low-cost disruptive access, public fear generation, and probing of Western infrastructure resilience."

In other words, Russia is interested in the same public-fear outcomes as Iran, with the additional benefit of potentially gaining insight into Western infrastructure. Risk is considered high for targets in Europe and NATO-adjacent states, and moderate-to-high for exposed US municipal water systems.

China's activity against water systems, meanwhile, centers on the prolific group Volt Typhoon. CISA, the NSA, the FBI, and other agencies warned in February 2024 that Volt Typhoon had compromised critical infrastructure in the US, including water and wastewater. Later that year, the EPA alerted more than 60,000 water and wastewater systems to the threat posed by the advanced persistent threat group.

China's aims are less cut-and-dried than Russia's and Iran's: these attacks appear to be pre-positioning access in the event of a potential future military conflict, something China is historically known for doing. "Rather than demonstrate immediate effects, Volt Typhoon's objective is durable access, reconnaissance, and strategic pre-positioning," the researchers said. The threat level for long-term activity like this is "severe," DomainTools said, with a lower risk of short-term disruption.

Water Attacks Are Alarming, But Solutions Remain Straightforward

The initial access points for all these attacks were similar. Iran was observed targeting weak authentication and exposed programmable logic controllers (PLCs) and human-machine interfaces (HMIs); Russia leaned on remote access compromise and poorly secured HMI interfaces; China targeted credentials, remote access compromise, poorly secured HMI interfaces, and vulnerable edge devices.

It gets even less complicated than that. Polish intelligence said in May that hackers breached five water treatment plants in the country last year, mainly through weak and default passwords and control systems exposed to the internet. Researchers described other attacks in which water systems and infrastructure were targeted through billing systems, customer portals, and servers.

"These incidents matter because they show that state actors do not need custom ICS malware to create risk. Billing systems, customer portals, GIS repositories, vendor access, remote administration, identity systems, backups, and SCADA-adjacent servers can all provide useful access or intelligence," the research blog read. "Criminal and unattributed incidents should therefore be treated as live demonstrations of the same weaknesses a state actor could exploit with more patience, planning, and operational intent."

All of which is to say that, as alarming as cyberattacks against water, a foundational building block of life, might be, the ways threat actors are choosing to get in are not very complicated. As DomainTools put it, it's exposed HMIs and PLCs, weak or default credentials, exposed remote access tools, shared accounts, unsupported legacy systems, limited monitoring, and poor segmentation between the OT and IT sides of the house.

Daniel Schwalbe, head of investigations and chief information security officer (CISO) at DomainTools, tells Dark Reading that the research's findings should concern CISOs whether or not they're defending water systems, as many of the systems described, like HMIs and SCADA systems, are present in many environments. He says organizations should check for shadow IT issues and ensure security teams are evaluating and securing the fundamentals.

That said, traditional security controls and the basics should be the starting point, not the finish line — particularly when talking about OT environments. "Traditional controls eliminate general low-hanging fruit and impose cost on threat actors that may simply move on to a less-guarded environment, but OT-specific activity is a specialized problem," Schwalbe explains.

"Detection here often involves a deeper expertise in the operational landscape to understand how the network baseline will differ, and that can be expensive both in terms of logging and automated analysis as well as the organization maintaining employees with appropriate engineering and incident response experience. I'd never suggest general controls could reasonably cover an OT-specific network, but rather that the approach needs to start with those general controls and then build upon them within the operational context."

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere.

At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels. He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.