Ymir Vigfusson
April 22, 2025
Imagine waking up one morning to find your city’s water supply shut down. Tap water undrinkable. Wastewater systems offline. In 2024, the potential of threats to our water infrastructure proved to be very real.
The headlines told a chilling story: water systems hacked, utilities held hostage, and communities left vulnerable. Advanced Persistent Threat (APT) groups, many backed by nation-states, turned their focus to water utilities, targeting vulnerabilities in systems that were never designed to face modern cyberthreats. Some of the known exploits impacted thousands of people, but it could have been millions.
These attacks didn’t just disrupt operations. They undermined the trust in our water infrastructure, exposing weaknesses in the operational technology (OT) that keeps clean water flowing. As the incidents from 2024 show, attackers are growing smarter, their methods more sophisticated, and the potential consequences more devastating.
In the past year, attackers struck water utilities worldwide, targeting systems with chilling precision. Each incident tells a story, highlighting unique vulnerabilities and impacts:
From Tipton Wastewater in Indiana to Veolia Water in Europe, the pattern repeats: critical infrastructure targeted by attackers who see water systems as prime opportunities for disruption.
Why do these systems keep falling victim to attackers? The answer lies in understanding who is behind these incidents and how they operate. Between November 2023 and November 2024, we discovered 12 successful attacks on water infrastructure companies and their systems.
The adversaries targeting water infrastructure are skilled, organized, and often well-funded. They exploit the weakest links in utilities, driven by motives that range from geopolitical strategy to pure financial gain.
For Chinese APT groups, targeting critical infrastructure is about gaining leverage—not for quick profit, but for long-term strategic advantage. The aim is to silently embed themselves for surveillance, data exfiltration, and potential disruption of supply chains or civilian services if tensions escalate. They often exploit weak ICS configurations, using simple but effective techniques like default credentials to quietly maintain access.
Pro-Russian hacktivist groups thrive on disruption. Their goal is to undermine public trust, strain critical services, and destabilize Western institutions—all under the banner of ideology. But ideology doesn’t pay the bills. Many of these actors also deploy ransomware to fund their operations. Pro-Russian attacks on U.S. water utilities have been found to use phishing and ransomware to compromise systems and sow chaos.
While state-sponsored actors may aim for disruption, independent attackers are motivated far more by profit. Ransomware has become their weapon of choice, encrypting OT systems and demanding payments that utilities often feel forced to pay.
Each of these groups targets the root of trust in water utilities, exploiting vulnerabilities that are often the result of underinvestment in cybersecurity. But how exactly do they achieve this?
Regardless of their motives, APT groups rely on similar techniques to infiltrate and exploit water systems. Their methods target both technological gaps and human trust, exploiting the very foundations that water utilities rely on for secure operations.
The impacts of these attacks extend far beyond the immediate disruption. Imagine untreated wastewater spilling into rivers, water contamination leading to health crises, or entire cities without clean drinking water.
But it’s not just about water—it’s about trust. Trust in the systems that manage water flows. Trust in employees who believe an email is safe. Trust that legacy systems will continue to work as they always have. This misplaced trust is the very weakness that attackers leverage, turning ordinary tools and overlooked vulnerabilities into opportunities for clandestine control or chaos.
People rely on these systems to work without fail. When they don’t, the ripple effects touch every aspect of life, from public health to economic stability.
According to advisories from government agencies, led by CISA, the question for water utilities is not whether attackers will exploit these weaknesses, but how soon—and whether the utilities will be prepared when they do. Countering APT attack techniques requires a proactive approach, rooted in understanding the attackers’ methods and securing the systems and processes they target.
The challenges are daunting, and attackers are constantly adapting, but solutions are within reach—if we shift our mindset. Traditional defenses often focus on perimeter security, assuming that keeping attackers out is enough. However, the reality is stark: we must assume every workstation is already breached.
This principle of Zero Trust demands that no device, user, or system is trusted by default. To truly safeguard water systems, utilities need a more consistent and trusted way to validate the intent behind every action within their networks. It’s not enough to monitor for anomalies or enforce policies; we must actively verify that every command, every keystroke, and every action is legitimate.
The key isn’t just reacting to attacks; it’s building proactive defenses that ensure attackers can’t misuse compromised systems. When utilities adopt tools and processes designed to validate actions—even within breached environments—they restore trust in the systems that manage critical water flows.
By addressing vulnerabilities and evolving exploit techniques now, water utilities can stop attackers before they cause harm. This isn’t just about securing infrastructure—it’s about securing the intent behind every command, every action, and every decision that keeps clean water flowing.
The attacks of 2024 were a wake-up call. APT groups have made it clear that water infrastructure is a target, and the consequences of inaction are too great to ignore.
But there’s hope. By prioritizing trust at every level of their systems, water utilities can rise to the challenge. With the right strategies, they can safeguard their operations—and the communities that depend on them—for years to come.