Iran, Russia, and China Have Been Quietly Attacking Water Systems — and the Door Was Usually Left Unlocked
A new threat-intelligence report finds three governments targeting water and wastewater infrastructure, not primarily to poison anyone, but to cause fear, probe weaknesses, and pre-position for future conflict. The tools they're using are embarrassingly basic.

Key points
- DomainTools published research on 25 June 2025 linking Iran, Russia, and China to ongoing attacks on water and wastewater infrastructure dating to at least 2024.
- In January 2024, Russian-linked hackers caused a water tank in Muleshoe, Texas to overflow for up to 45 minutes by remotely accessing a control interface.
- Volt Typhoon, a Chinese government-linked hacking group, had broken into US water and wastewater systems by February 2024, according to US federal agencies.
- Polish intelligence confirmed in May 2025 that hackers breached five water treatment plants using weak and default passwords.
- Security researchers say the most common entry points — exposed control panels, default passwords, and unguarded remote-access tools — are fixable with basic security hygiene.
Water and hacking in the same headline sounds catastrophic. It conjures images of poisoned reservoirs and taps running dry. The reality, according to new research from threat-intelligence firm DomainTools, is more unsettling in a different way: three governments are indeed breaking into water infrastructure, but their primary goals are fear, intelligence-gathering, and quietly leaving a back door open for later — not mass casualties.
First reported by Dark Reading, the DomainTools report focuses on Iran, Russia, and China, tracing their methods and motives across incidents stretching back to 2024.
How did the hackers get in?
Mostly through doors that should have been locked years ago. Across all three countries, the entry points were strikingly similar: default passwords that nobody ever changed, control-system screens — called HMIs, or human-machine interfaces, the software panels operators use to manage physical equipment — left open to the public internet, and remote-access tools with little or no protection.
Polish intelligence reported in May 2025 that hackers walked into five water treatment plants almost entirely through weak default passwords. No exotic malware required.
The three governments each had distinct goals once inside.
Iran — groups like CyberAv3ngers, linked to the Iranian Revolutionary Guard Corps — targeted smaller, internet-exposed utilities in the US and Israel. Researchers describe their approach as opportunistic and aimed at generating headlines. A 2020 attempt against Israeli water systems during a heat wave was stopped before any harm occurred. The objective, DomainTools says, is public fear, not infrastructure destruction.
Russia plays rougher. Russian-linked hackers caused a municipal water tank in Muleshoe, Texas to overflow for 30–45 minutes in January 2024 by remotely accessing a control interface. Norway's counter-intelligence chief blamed Russia in 2025 for opening a floodgate that released 400 litres of water per second for four hours. The group behind the Texas incident, Cyber Army of Russia Reborn, was later linked by security firm Mandiant to Sandworm — a unit of Russian military intelligence. Russia wants disruption, public alarm, and a better map of how Western infrastructure actually works.
China's Volt Typhoon group is playing the longest game. US agencies including CISA — the Cybersecurity and Infrastructure Security Agency, the federal body responsible for protecting critical systems — warned in February 2024 that Volt Typhoon had burrowed into US water systems not to cause immediate damage, but to sit quietly and wait. The goal appears to be pre-positioning: establishing access that could be activated if military conflict ever breaks out.
DomainTools CISO Daniel Schwalbe notes that the underlying weaknesses — exposed control panels, shared accounts, outdated legacy equipment, poor separation between office IT and operational systems — appear in many industries beyond water. Any organisation running industrial control systems should read this as a mirror.
For ordinary people served by municipal water systems, the immediate risk of contaminated water remains low; most modern facilities have physical safeguards that prevent tainted water from reaching taps. The real concern is disruption to supply and the erosion of public trust. If your utility sends a security notice or service alert, take it at face value and follow its guidance.



