How APT Groups are Targeting Water Infrastructure in 2024/2025: Top Techniques Exploited by State-Sponsored Attackers

Ymir Vigfusson

April 22, 2025

The Rising Threat to Water Infrastructure

Imagine waking up one morning to find your city’s water supply shut down. Tap water undrinkable. Wastewater systems offline. In 2024, the threat to our water infrastructure proved to be very real.

The headlines told a chilling story: water systems hacked, utilities held hostage, and communities left vulnerable. Advanced Persistent Threat (APT) groups, many backed by nation-states, turned their focus to water utilities, targeting vulnerabilities in systems that were never designed to face modern cyberthreats. Some of the known incidents affected thousands of people, but it could have been millions.

These attacks didn’t just disrupt operations. They undermined the trust in our water infrastructure, exposing weaknesses in the operational technology (OT) that keeps clean water flowing. As the incidents from 2024 show, attackers are growing smarter, their methods more sophisticated, and the potential consequences more devastating.

Notable Cyberattacks on Water Systems in 2024

In the past year, attackers struck water utilities worldwide, targeting systems with chilling precision. Each incident tells a story, highlighting unique vulnerabilities and impacts:

Data Breaches and Espionage

  • Southern Water Data Breach (January 2024): Attackers exploited weak perimeter defenses to steal sensitive corporate data and personally identifiable information, leaving the utility exposed to further harm from misuse of the exfiltrated data.
  • City of Flint Water System Breach (August 2024): Hackers accessed customer billing data, creating financial risks for residents and operational challenges for the utility.

Operational Disruptions

  • Muscatine Power & Water Attack (March 2024): A compromise of the billing system disrupted customer services and highlighted the fragility of IT-OT integration.
  • Arkansas City Water Treatment Facility Incident (September 2024): Attackers exploited outdated communication protocols, temporarily disrupting water treatment processes.

Advanced Threats on Critical Systems

  • CISA Warning About Chinese Attackers (February 2024): Chinese state-sponsored actors exploited default credentials in numerous ICS systems to target water utilities across the U.S.
  • American Water Cyberattack (October 2024): Attackers leveraged legitimate tools within the network to gain unauthorized access, demonstrating sophisticated lateral movement tactics.

From Tipton Wastewater in Indiana to Veolia Water in Europe, the pattern repeats: critical infrastructure targeted by attackers who see water systems as prime opportunities for disruption.

Why do these systems keep falling victim to attackers? The answer lies in understanding who is behind these incidents and how they operate. Between November 2023 and November 2024, we discovered 12 successful attacks on water infrastructure companies and their systems.

Figure: Cyber Attacks on Water Utilities, 2024

Profiling the Attackers: Who’s Behind the Threats?

The adversaries targeting water infrastructure are skilled, organized, and often well-funded. They exploit the weakest links in utilities, driven by motives that range from geopolitical strategy to pure financial gain.

1. Chinese State-Sponsored Actors

For Chinese APT groups, targeting critical infrastructure is about gaining leverage—not for quick profit, but for long-term strategic advantage. The aim is to silently embed themselves for surveillance, data exfiltration, and potential disruption of supply chains or civilian services if tensions escalate. They often exploit weak ICS configurations, using simple but effective techniques like default credentials to quietly maintain access.

2. Pro-Russian Hacktivists

Pro-Russian hacktivist groups thrive on disruption. Their goal is to undermine public trust, strain critical services, and destabilize Western institutions—all under the banner of ideology. But ideology doesn’t pay the bills. Many of these actors also deploy ransomware to fund their operations. Pro-Russian attacks on U.S. water utilities have been discovered using phishing and ransomware to compromise systems and sow chaos.

3. Independent Cybercriminals

While state-sponsored actors may aim for disruption, independent attackers are motivated primarily by profit. Ransomware has become their weapon of choice, encrypting OT systems and demanding payments that utilities often feel forced to pay.

Each of these groups targets the root of trust in water utilities, exploiting vulnerabilities that are often the result of underinvestment in cybersecurity. But how exactly do they achieve this?

Top Techniques Exploited in Attacks on Water Infrastructure

Regardless of their motives, APT groups rely on similar techniques to infiltrate and exploit water systems. Their methods target both technological gaps and human trust, exploiting the very foundations that water utilities rely on for secure operations.

Key Techniques and Examples:

  • Phishing Attacks and Credential Theft:
    • Carefully crafted phishing emails trick employees into submitting or revealing access credentials. Attackers then use these credentials to pivot into ICS (Industrial Control Systems) environments, bypassing layers of trust. For example, in several incidents, compromised credentials gave attackers direct access to SCADA systems over the Internet.
  • Ransomware on OT Systems:
    • Ransomware crews targeting operational technology go after control, not just data. These attacks don’t just encrypt files—they lock operators out of the systems that manage pumps, valves, and disinfection. The entry points are familiar: phishing emails, reused credentials, exposed remote access. But once inside, the goal is clear—disrupt the physical processes that communities rely on.
  • ICS/SCADA Exploits:
    • Many ICS environments still run on outdated software riddled with known vulnerabilities. Airgaps, once thought to be a reliable safeguard, often exist in name only—network access is still necessary for monitoring and reporting. Attackers don’t need sophisticated exploits; default credentials and weak authentication are often enough. In 2024, the Arkansas City Water Facility breach showed how exposed remote protocols gave attackers the foothold they needed to interfere with water treatment operations.
  • Planting Backdoors (as in the Salt Typhoon Campaigns):
    • Persistent access tools such as those used by the Salt Typhoon group enable attackers to monitor and manipulate systems over time, ready to strike when geopolitically convenient. These backdoors often go unnoticed until they cause significant damage, as in the case of targeted campaigns on water utilities in 2024.
  • Exploiting Specific Protocols:
    • As with the ICS/SCADA exploits above, the weak point is rarely a zero-day: airgaps often exist in theory, not in practice, and default credentials, poor segmentation, and exposed remote access paths are usually enough.

      Protocols like RDP, SSH, and Telnet aren’t the problem by themselves—SSH remains robust when properly configured. The real risk lies in how access is provisioned and abused. Admin tools that enable flexibility—remote shells, consoles, scripting interfaces—are also the ones attackers quietly use to move laterally and maintain persistence.
    • In Arkansas City’s 2024 breach, attackers exploited outdated remote protocols to tamper with water treatment controls. Similarly, Volt Typhoon’s campaign abused public-facing devices and common protocols like SNMP and RDP to burrow into infrastructure, blending in with legitimate admin activity.

      As more organizations move toward standardizing on web-based protocols and limiting privileged access via automation, these older but still essential channels remain a quiet liability. Attackers know they’re still there—and that they work.
  • "Living off the Land" (LOTL) Techniques:
    • Many cybersecurity tools attempt to detect unusual activity to fight attackers. In response, modern attackers increasingly rely on LOTL methods: using legitimate, pre-existing administrative tools within the network to move laterally while avoiding detection. These stealthy tactics allow attackers to blend into normal operations and evade security measures. For instance:
      • American Water Cyberattack (October 2024): Attackers used native administrative tools to navigate the network and escalate privileges.
      • Tipton West Wastewater Treatment Plant (April 2024): Hackers targeted Tipton Municipal Utilities’ wastewater treatment plant in Indiana by exploiting the plant’s own vendor software—a tactic known as living off the land—to manipulate control systems without triggering immediate alarms.

The Ripple Effect: Why These Attacks Matter

The impacts of these attacks extend far beyond the immediate disruption. Imagine untreated wastewater spilling into rivers, water contamination leading to health crises, or entire cities without clean drinking water.

But it’s not just about water—it’s about trust. Trust in the systems that manage water flows. Trust in employees who believe an email is safe. Trust that legacy systems will continue to work as they always have. This misplaced trust is the very weakness that attackers leverage, turning ordinary tools and overlooked vulnerabilities into opportunities for clandestine control or chaos.

People rely on these systems to work without fail. When they don’t, the ripple effects touch every aspect of life, from public health to economic stability.

Based on advisories from government agencies, led by CISA, the question for water utilities is not if attackers will exploit these weaknesses, but how soon—and whether the utilities will be prepared when they do. Countering APT attack techniques requires a proactive approach, rooted in understanding the attackers’ methods and securing the systems and processes they target.

Building Resilience in the Water Sector

The challenges are daunting, and attackers are constantly adapting, but solutions are within reach—if we shift our mindset. Traditional defenses often focus on perimeter security, assuming that keeping attackers out is enough. However, the reality is stark: we must assume every workstation is already breached.

This principle of Zero Trust demands that no device, user, or system is trusted by default. To truly safeguard water systems, utilities need a more consistent and trusted way to validate the intent behind every action within their networks. It’s not enough to monitor for anomalies or enforce policies; we must actively verify that every command, every keystroke, and every action is legitimate.

Steps to Build Resilience:

  1. Adopt Zero Trust Architectures: Assume breaches are inevitable. Implement strong network segmentation, enforce least-privilege access, and validate the source and intent of commands at every step.
  2. Harden ICS/SCADA Systems: Regularly update software, eliminate default credentials, and deploy real-time monitoring solutions to detect and prevent unauthorized changes.
  3. Collaborate with Agencies: Work with organizations like CISA and WaterISAC to leverage their expertise and stay ahead of emerging threats.
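The techniques listed earlier (default credentials, exposed remote protocols into the OT zone, and living-off-the-land tool use) and resilience steps 1 and 2 above translate directly into monitoring rules. The following added example, written for this article and not part of any utility's or vendor's tooling, runs three such rules over constructed key=value log lines; the default account names, the LOTL tool list, the zone labels and the admin host allow-list are illustrative assumptions that a real deployment would take from its own asset inventory.

```python
import re
from typing import Dict, List, Tuple

# Assumed factory/default accounts and native admin tools (illustrative, not from the article).
DEFAULT_ACCOUNTS = {"admin", "operator", "plc", "service"}
REMOTE_PROTOCOLS = {"telnet", "rdp", "ssh", "vnc"}
LOTL_TOOLS = {"psexec.exe", "wmic.exe", "powershell.exe", "schtasks.exe"}
ADMIN_HOSTS = {"jump01", "eng-ws01"}          # hypothetical hosts where admin tooling is expected

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, affected host) findings for the three patterns the article describes."""
    findings = []
    for line in lines:
        ev = parse(line)
        kind = ev.get("kind")
        # Rule 1: successful login to an OT asset with a default/vendor account (harden step 2).
        if kind == "auth" and ev.get("dst_zone") == "ot" \
                and ev.get("user") in DEFAULT_ACCOUNTS and ev.get("result") == "success":
            findings.append(("default-credential-login", ev["dst"]))
        # Rule 2: remote protocol into OT; Telnet is always flagged, others must come via the jump zone (step 1).
        if kind == "conn" and ev.get("dst_zone") == "ot" and ev.get("proto") in REMOTE_PROTOCOLS:
            if ev["proto"] == "telnet":
                findings.append(("cleartext-remote-protocol", ev["dst"]))
            elif ev.get("src_zone") != "jump":
                findings.append(("remote-access-bypassing-jump-host", ev["dst"]))
        # Rule 3: native admin tool started on a host that is not an admin workstation (LOTL).
        if kind == "process" and ev.get("image", "").lower() in LOTL_TOOLS \
                and ev.get("host") not in ADMIN_HOSTS:
            findings.append(("lotl-tool-on-non-admin-host", ev["host"]))
    return findings

# Constructed sample events; addresses are documentation ranges, hosts are fictitious.
SAMPLE_LOG = [
    'kind=auth ts=2024-09-01T02:14:05 src=203.0.113.7 src_zone=internet dst=10.20.0.5 dst_zone=ot user=admin result=success',
    'kind=conn ts=2024-09-01T02:14:06 src=203.0.113.7 src_zone=internet dst=10.20.0.5 dst_zone=ot proto=telnet',
    'kind=conn ts=2024-09-01T02:20:11 src=10.10.0.50 src_zone=it dst=10.20.0.9 dst_zone=ot proto=rdp',
    'kind=conn ts=2024-09-01T03:01:40 src=10.30.0.2 src_zone=jump dst=10.20.0.9 dst_zone=ot proto=ssh',
    'kind=auth ts=2024-09-01T03:01:41 src=10.30.0.2 src_zone=jump dst=10.20.0.9 dst_zone=ot user=j.doe result=success',
    'kind=process ts=2024-09-01T03:15:02 host=billing-ws07 image=PsExec.exe cmdline="psexec -s cmd"',
    'kind=process ts=2024-09-01T03:16:30 host=eng-ws01 image=powershell.exe cmdline="Get-Service"',
]

if __name__ == "__main__":
    for rule, host in triage(SAMPLE_LOG):
        print(f"{rule:36s} {host}")
```

Only the four events that match the article's techniques are reported; the SSH session through the jump zone and the named-account login are left alone, which is the segmentation model steps 1 and 2 describe.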

The key isn’t just reacting to attacks; it’s building proactive defenses that ensure attackers can’t misuse compromised systems. When utilities adopt tools and processes designed to validate actions—even within breached environments—they restore trust in the systems that manage critical water flows.

By addressing vulnerabilities and evolving exploit techniques now, water utilities can stop attackers before they cause harm. This isn’t just about securing infrastructure—it’s about securing the intent behind every command, every action, and every decision that keeps clean water flowing.

Facing the Future with Preparedness

The attacks of 2024 were a wake-up call. APT groups have made it clear that water infrastructure is a target, and the consequences of inaction are too great to ignore.

But there’s hope. By prioritizing trust at every level of their systems, water utilities can rise to the challenge. With the right strategies, they can safeguard their operations—and the communities that depend on them—for years to come.
