Hackers Exploit Weak Credentials and Internet-Facing PLCs to Breach Water Utilities
Water and wastewater utilities in the United States and Europe are facing a growing wave of cyber activity driven by weak passwords, exposed control systems, and poor separation between IT and operational technology networks.
A new DomainTools report warns that state-linked and state-aligned actors are increasingly treating water systems as pressure points. The goal is often not immediate destruction, but signaling, disruption, reconnaissance, and preparation for a wider conflict.
The pattern is clear across Iran-linked, Russia-linked, and China-linked activity. Attackers do not always need custom malware or zero-day exploits. In many cases, they find an internet-facing PLC, a human-machine interface, or a remote access tool protected by weak or default credentials.
Why Water Utilities Are Being Targeted
Water utilities run critical systems that support drinking water, wastewater treatment, hospitals, businesses, emergency services, and local communities. Any disruption can quickly become a public health and confidence issue.
The U.S. water sector is also highly fragmented. A GAO report notes that the country has nearly 170,000 drinking water and wastewater systems, many with limited resources, older technology, and voluntary cybersecurity adoption.
That makes the sector attractive to hackers. Smaller utilities may lack dedicated security staff, while older industrial systems may stay online long after their vendors or operators expected them to face internet-based threats.
| Common Weakness | Why It Matters |
|---|---|
| Internet-facing PLCs and HMIs | Attackers can reach industrial controls directly from the public internet |
| Default or weak passwords | Basic credential guessing can lead to control-system access |
| Shared operator accounts | Investigators struggle to identify who made changes |
| Poor IT/OT segmentation | A breach in business systems can move closer to pumps, tanks, valves, and dosing systems |
| Limited monitoring | Intrusions can remain unnoticed until equipment behaves abnormally |
Iran-Linked Actors Targeted PLCs With Weak Passwords
Iran-linked activity has shown how quickly attackers can exploit basic configuration failures. In late 2023, the CyberAv3ngers group targeted Unitronics Vision Series PLCs used in several sectors, including water and wastewater facilities.
The CISA CyberAv3ngers advisory said the actors likely compromised internet-accessible Unitronics PLCs that used default or no passwords. Some affected screens displayed a political defacement message.
That activity was not technically complex, but it demonstrated a serious problem. A controller that manages water operations should not be reachable from the public internet with factory credentials still active.
U.S. Agencies Warned of Ongoing Iranian-Affiliated PLC Attacks
The threat did not disappear after the earlier Unitronics activity. On April 7, 2026, EPA, FBI, CISA, and NSA issued a new joint cybersecurity advisory warning that Iranian-affiliated actors were still exploiting operational technology across U.S. critical infrastructure.
The advisory said organizations in multiple sectors, including drinking water and wastewater systems, had reported disruption involving operational technology. Reported effects included configuration wiping, software-based sensor tampering, and disruption of human-machine interfaces.

The warning also urged water systems to report suspicious activity and strengthen exposed OT assets. EPA said many improvements involve procedural changes rather than expensive hardware upgrades, which makes basic cyber hygiene especially important for small utilities.
- Remove PLCs and HMIs from direct public internet exposure.
- Change factory-default passwords immediately.
- Disable unused remote access services.
- Use unique accounts for operators and vendors.
- Monitor industrial control ports for unusual connections.
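As an added example (not from the DomainTools report or the advisories cited above), the following Python script applies the "monitor industrial control ports" step to constructed firewall-log records: it flags connections to PLC protocol ports from any source outside an assumed engineering allowlist, and rates public-address sources as critical because they mean the controller is reachable from the internet. The subnets, addresses and sample records are assumptions.

```python
import csv
import ipaddress
from io import StringIO

# PLC protocol ports from the indicator table, with their usual protocol bindings.
ICS_PORTS = {502: "Modbus/TCP", 102: "ISO-TSAP (Siemens S7)",
             2222: "EtherNet/IP (implicit I/O)", 44818: "EtherNet/IP (explicit)"}
# Assumed policy: only the engineering VLAN may talk to controllers.
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.20.5.0/24")]
# RFC 1918 ranges; any other source means the controller is reachable from the internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall/NetFlow-style records for demonstration; not real traffic.
SAMPLE_LOG = """\
ts,src_ip,dst_ip,dst_port,proto
2025-04-07T02:10:01Z,10.20.5.14,10.30.1.10,502,tcp
2025-04-07T02:11:45Z,10.40.8.23,10.30.1.10,502,tcp
2025-04-07T02:12:09Z,203.0.113.77,10.30.1.12,44818,tcp
2025-04-07T02:13:30Z,10.20.5.14,10.30.1.11,102,tcp
2025-04-07T02:14:02Z,10.40.8.23,10.30.1.50,443,tcp
"""

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def find_ics_anomalies(log_text):
    """One finding per ICS-port connection from a source that is not on the allowlist.
    'critical' = public source address (internet-facing PLC);
    'high' = internal source outside the engineering VLAN (flat IT/OT network)."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        port = int(row["dst_port"])
        if port not in ICS_PORTS:
            continue  # not a controller protocol
        src = ipaddress.ip_address(row["src_ip"])
        if _in_any(src, AUTHORIZED_SOURCES):
            continue  # engineering workstation -> PLC is expected traffic
        findings.append({"ts": row["ts"], "src": str(src), "dst": row["dst_ip"],
                         "protocol": ICS_PORTS[port],
                         "severity": "high" if _in_any(src, RFC1918) else "critical"})
    return findings

if __name__ == "__main__":
    for f in find_ics_anomalies(SAMPLE_LOG):
        print(f"{f['severity'].upper():8} {f['ts']} {f['src']} -> {f['dst']} ({f['protocol']})")
```

The same logic runs unchanged over a real firewall export with the same five columns; only the allowlist needs to reflect the utility's actual engineering subnets.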
Russia-Linked Activity Moved From Defacement to Disruption
Russia-linked groups have used water-sector intrusions for intimidation and disruption. In January 2024, Cyber Army of Russia Reborn claimed responsibility for incidents involving water storage tanks in Abernathy and Muleshoe, Texas.
The U.S. Treasury later said in a sanctions announcement that the group manipulated industrial control systems at water, hydroelectric, wastewater, and energy facilities in the U.S. and Europe. The Texas activity caused the loss of tens of thousands of gallons of water, but major damage was avoided.
The same activity showed that even low-complexity attacks can create operational risk. Attackers do not need to destroy equipment to trigger emergency response, manual operations, public concern, or costly investigations.
Norway Dam Incident Shows the Risk to European Infrastructure
In Norway, Russian hackers briefly took control of a dam in Bremanger on April 7, 2025, according to Norwegian counter-intelligence officials. The incident became public later, when Norway officially attributed the activity to Russia.
Reuters reported that the attackers opened a floodgate and released about 500 liters of water per second for four hours before the breach was detected and stopped. No injuries were reported.

The incident mattered because it targeted physical infrastructure through a cyber pathway. It also showed how cyber operations can create fear and pressure without causing a large-scale disaster.
| Actor or Activity | Reported Target | Main Method | Impact |
|---|---|---|---|
| CyberAv3ngers | U.S. water and wastewater PLCs | Default or weak credentials on exposed controllers | Defacement and operational concern |
| Iranian-affiliated actors | Critical infrastructure OT | Internet-facing PLC exploitation | Disruption, HMI impact, and financial loss |
| Cyber Army of Russia Reborn | U.S. water storage systems | Manipulation of exposed ICS interfaces | Tank overflows and water loss |
| Russian-attributed activity in Norway | Bremanger dam | Unauthorized remote control | Floodgate opened for several hours |
| Volt Typhoon | U.S. critical infrastructure IT environments | Living-off-the-land persistence | Long-term access and pre-positioning risk |
China-Linked Volt Typhoon Takes a Quieter Approach
China-linked Volt Typhoon activity looks different from the more visible Iran- and Russia-linked incidents. Instead of defacing interfaces or causing immediate disruption, the group focuses on stealth, persistence, and long-term access.
The Volt Typhoon advisory from U.S. and allied agencies said the group compromised IT environments across multiple critical infrastructure sectors, including water and wastewater systems.
Agencies assessed that Volt Typhoon was pre-positioning itself for possible disruptive or destructive cyberattacks during a future crisis or conflict. That makes even quiet network access a strategic concern.
Living-Off-the-Land Makes Detection Harder
Volt Typhoon's tradecraft relies heavily on legitimate tools already present in Windows environments. That includes wmic, ntdsutil.exe, PowerShell, and netsh interface portproxy.
The group's use of normal administrative tools can make malicious activity look like routine network administration. That approach reduces the number of obvious malware files defenders can detect.
The same problem affects many water utilities. If logs are limited and networks are flat, an attacker can move from a business system toward OT-adjacent systems with little resistance.
- Monitor use of wmic, ntdsutil.exe, and unusual PowerShell commands.
- Review netsh portproxy changes on Windows hosts.
- Separate billing, customer, engineering, and OT networks.
- Apply multi-factor authentication to remote access and vendor accounts.
- Collect logs from domain controllers, remote access tools, and engineering workstations.
Poland Breaches Highlight the Same Basic Failures
Poland has also faced water-sector incidents tied to weak passwords and exposed control systems. The Polish Internal Security Agency published an ABW activity summary covering selected 2024 and 2025 security activity, including cyber threats to national infrastructure.
Reports based on the ABW material said hackers breached five water treatment plants in 2025, reaching industrial controls tied to pumps, filters, and chemical dosing. The activity was not publicly tied to one named actor, but officials framed it against a broader hostile cyber environment.
This is the larger lesson for defenders. Even unattributed intrusions matter because they expose the same weaknesses that a state actor could exploit with more time and planning.
Why Weak Credentials Are Still a Major Water-Sector Risk
Weak credentials remain one of the most damaging security failures in critical infrastructure because they erase the need for advanced hacking. Attackers can scan for exposed systems and try default passwords at scale.
The GAO review warned that cybersecurity risk in the water sector continues to rise while many systems struggle with workforce gaps, aging technology, and limited investment. It also noted that improving cybersecurity often competes with other urgent water-quality and regulatory priorities.
That does not make the problem impossible to solve. Many of the most important controls are basic: remove public exposure, change passwords, segment networks, log access, and test incident response plans.
| Priority | Action | Reason |
|---|---|---|
| 1 | Find every internet-facing PLC, HMI, and remote access service | Utilities cannot protect systems they do not know are exposed |
| 2 | Remove public access or place systems behind secure gateways | Direct exposure gives attackers an easy entry point |
| 3 | Replace default and shared passwords | Credential reuse prevents accountability and enables simple compromise |
| 4 | Separate IT and OT networks | Segmentation limits movement after a breach |
| 5 | Monitor process changes and remote access sessions | Early detection can prevent unsafe operations |
How Water Utilities Should Harden PLCs and HMIs
Utilities should start by mapping their industrial control environment. That includes PLCs, HMIs, engineering workstations, historians, vendor remote-access tools, firewalls, and any cloud-connected management platforms.
The April 2026 advisory urged organizations to protect internet-facing operational technology and report suspicious activity. EPA also offers free technical assistance, assessments, tools, and training for water systems with limited internal security resources.
Operators should also review firewall rules and block inbound traffic to industrial control ports unless a documented business need exists. Remote maintenance should use secure access methods with MFA and full session logging.
- Disable direct internet access to PLCs and HMIs.
- Use VPN or secure remote access gateways with MFA.
- Replace shared accounts with named operator accounts.
- Patch engineering software and firmware where safe to do so.
- Document emergency manual-control procedures before an incident happens.
What Incident Responders Should Watch For
Water utilities should watch for unusual login attempts, unexpected HMI changes, unauthorized PLC project-file access, new remote access tunnels, and unexplained changes to pumps, valves, chemical dosing, or alarm settings.
The Unitronics PLC advisory urged organizations to change default passwords, disconnect PLCs from the public internet, and back up logic and configuration. These steps remain relevant to other PLC and HMI environments as well.
Organizations should also report suspected incidents quickly. Early reporting helps federal partners identify campaigns that may affect multiple utilities, vendors, or regions.
Indicators and Behaviors to Monitor
Some threat reports include specific IP addresses, tool names, industrial ports, and Windows artifacts. These indicators help with short-term hunting, but defenders should not rely on them alone.
Attackers can change IP addresses and infrastructure quickly. Behaviors such as direct PLC access from unknown hosts, default-account use, HMI manipulation, and suspicious PowerShell or ntdsutil activity are more durable signals.
The Volt Typhoon guidance recommends hunting for living-off-the-land behavior and reviewing network edge devices, identity systems, and administrative activity. Those same practices can help water utilities catch stealthier intrusions before OT impact occurs.
| Indicator Type | Examples | Defensive Use |
|---|---|---|
| Industrial ports | TCP/44818, TCP/2222, TCP/102, TCP/502 | Detect unexpected access to PLC protocols |
| Remote access tools | SSH, Dropbear SSH, unsupported remote access utilities | Find unauthorized tunnels or persistence |
| Windows tools | wmic, ntdsutil.exe, PowerShell, netsh portproxy | Detect living-off-the-land activity |
| Windows artifacts | ADMIN$, C:\Windows\Temp\, C:\Users\Public\ | Review staging and lateral movement activity |
| Operator behavior | Unexpected HMI changes or configuration wipes | Identify process-level tampering early |
The Risk Is Strategic, Not Just Technical
Water-system intrusions now sit at the intersection of public safety, geopolitics, and cybercrime. A short disruption can trigger outsized concern because water is a lifeline service.
The DomainTools assessment argues that Iran, Russia, and China use water-sector access in different ways, but all see civilian utility targeting as a source of leverage. Iran-linked activity favors visible signaling, Russia-linked activity favors disruption and intimidation, and China-linked activity favors long-term positioning.
The immediate fix is not glamorous, but it is urgent. Utilities need to close exposed control systems, harden remote access, remove shared passwords, and make sure operators can detect and respond before a cyber incident reaches pumps, valves, tanks, or chemical treatment processes.
FAQ
Why do hackers target water utilities?
Hackers target water utilities because they support critical public services and often operate with limited cybersecurity resources. Access to these systems can create disruption, fear, intelligence value, or strategic leverage.
What weaknesses do attackers exploit most often?
Many attacks rely on basic weaknesses such as internet-facing PLCs and HMIs, weak or default passwords, shared accounts, exposed remote access tools, poor monitoring, and weak IT/OT segmentation.
What are PLCs and HMIs?
PLCs are programmable logic controllers that automate industrial processes such as pumps, valves, tanks, and dosing systems. HMIs are human-machine interfaces that operators use to view and control those processes.
Which groups have been linked to water-sector attacks?
Public reporting has linked water-sector activity to Iran-affiliated CyberAv3ngers, Russia-linked Cyber Army of Russia Reborn, and China-linked Volt Typhoon. Some incidents remain unattributed but expose the same weaknesses.
What should utilities do first?
Utilities should identify all internet-facing PLCs, HMIs, and remote access tools, remove direct public access, change default passwords, enable MFA, separate IT and OT networks, and report suspicious activity quickly.