Water Systems Are the New Frontline
You don’t need a warhead to break a city. Sometimes, you just need a default password.
For the past two years, Iran, Russia, and China haven’t been blowing up pipelines or poisoning reservoirs. They’ve been poking around in the dark, quietly logging into water pumps, chemical dosers, and dam controls—systems most people assume are safe behind firewalls, tucked away in utility basements. They’re not hacking with exotic malware. They’re walking in through unlocked doors. And they’re not always trying to kill. Sometimes, they just want you to know they can.
I’ve spent months digging into these intrusions. What I found isn’t a cyberwar. It’s something quieter, more insidious: a slow-motion siege on the most basic infrastructure we take for granted. The water in your tap? The floodgates holding back a river? The chlorine levels keeping your kids safe? All of it’s now a digital chessboard. And the players aren’t script kiddies. They’re nation-states. And they’re not even trying to hide.
Iran: The Defacement That Wasn’t Just a Prank
Let’s start with Iran.
In late 2023, a group calling itself CyberAv3ngers started hitting water utilities across the U.S. and Israel. Not with ransomware. Not with data theft. They didn’t steal anything. They just… changed the screen.
On HMIs—those touchscreens operators use to monitor pumps and filters—they dropped a message: "You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target."
It sounds like a high school prank. But this wasn’t graffiti on a bathroom wall. This was a warning shot fired across the bow of critical infrastructure.
CISA’s advisory, updated in December 2024, confirmed these weren’t random attacks. The group targeted Unitronics Vision Series PLCs—industrial controllers used in everything from water treatment to food processing. They didn’t need zero-days. They didn’t need phishing emails. They just scanned the internet for devices still using factory passwords. And they found them. Hundreds.
They didn’t just deface screens. They erased the original control logic. They renamed devices so operators couldn’t find them remotely. They changed the default port from 20256 to 20257. They disabled uploads. They even rolled back firmware versions to lock engineers out of their own systems.
The goal? Not destruction. Not yet. But signaling. A message: "We’re here. We can reach your water. And we’re watching."
By April 2026, CISA, FBI, NSA, and EPA were warning that this wasn’t over. Iranian actors were still active. Still probing. Still resetting PLCs. Still turning off alarms. Still testing how long it would take before someone noticed.
Russia: When the Water Starts Flowing Where It Shouldn’t
Then there’s Russia.
Where Iran wanted you to know they could break in, Russia wanted you to feel it.
In January 2024, a facility in Muleshoe, Texas, saw its main water tank overflow for nearly an hour. No explosion. No sabotage. Just a valve, remotely opened, letting tens of thousands of gallons spill out.
The group? Cyber Army of Russia Reborn. A shadowy outfit linked to Sandworm, the same crew behind the NotPetya attack. The U.S. Treasury sanctioned them for targeting water, energy, and wastewater systems across Europe and the U.S.
But the real wake-up call came in April 2025.
In Bremanger, Norway, Russian hackers took control of a dam. They opened the floodgate. Five hundred liters of water per second poured out for four hours before anyone noticed.
Norway’s counter-intelligence agency confirmed it. Reuters reported it. No one died. No homes were flooded. But the message was crystal clear: Russia doesn’t need to drown a city. It just needs to make you wonder if the next flood will be worse.
This wasn’t chaos. It was theater. A demonstration of reach. A reminder that in a world where infrastructure is digital, even the most mundane systems—valves, pumps, sensors—can become weapons.
China: The Quiet Ghost in the Machine
China’s approach? No banners. No floods. No headlines.
Just silence.
Their group, Volt Typhoon, doesn’t break in to cause trouble. They break in to stay.
They slip into IT networks—billing systems, HR portals, vendor portals—that sit just one hop away from operational technology. Once inside, they use Windows tools you already have: wmic, PowerShell, netsh, ntdsutil.exe. They don’t install malware. They don’t leave traces. They just… live there.
They harvest Active Directory credentials from ntds.dit files. They move laterally through ADMIN$ shares. They open port proxies to tunnel traffic. All of it looks like routine admin work.
Why? Because they’re not here to disrupt today. They’re here to destroy tomorrow.
U.S. agencies believe Volt Typhoon is preparing for a future crisis—something like a Taiwan conflict or a major economic rupture. When that day comes, they won’t need to hack the system. They’ll just flip the switch.
That’s the real terror. Not the attack. The waiting.
Poland: The Unattributed Warning
Poland doesn’t get headlines. But in 2025, five water treatment plants there were breached. No attribution. No flags. Just weak passwords and exposed HMIs.
Attackers didn’t cause spills. They didn’t deface screens. They just changed the settings on chemical dosing systems. Enough to make water unsafe. Enough to trigger panic. Enough to force operators into manual mode.
The Polish Internal Security Agency didn’t name the actor. But the lesson was loud: You don’t need a nation-state to exploit these flaws. Just someone who knows how to Google "default password PLC." And that someone is already out there.
The Real Problem Isn’t the Hackers. It’s the Systems.
Let’s be blunt.
There are roughly 170,000 drinking water and wastewater systems in the U.S. Most of them run on equipment older than the operators. Budgets are thin. Cybersecurity is an afterthought. Many utilities still connect PLCs directly to the internet because it’s "convenient."
The attackers aren’t brilliant. They’re lazy. And that’s the problem.
They don’t need zero-days. They don’t need advanced persistent threats. They just need one thing: an open port.
And we’ve given them thousands.
What You Can Do (Before It’s Too Late)
The fix isn’t expensive. It’s not even hard.
- Remove PLCs and HMIs from the internet. If it doesn’t need to be public, it shouldn’t be. Use secure gateways. Use MFA. Use VPNs.
- Change every default password. Every. Single. One. And don’t use "admin123" as your new password.
- Segment your networks. IT and OT are not the same. Your HR system should not be able to talk to your chlorine doser.
- Monitor for "normal" behavior. If someone’s running PowerShell on a PLC controller, that’s not normal. If you see ntdsutil.exe on a water treatment server, shut it down. Now.
- Map what you have. You can’t protect what you don’t know exists. Start with a physical and digital inventory of every controller, every HMI, every remote access point.
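As an added example (not from the article, and not any agency’s published detection content), here is a small Python triage script that puts the "monitor for normal behavior" and "map what you have" steps above, and the Volt Typhoon tradecraft described earlier (ntdsutil.exe against ntds.dit, netsh port proxies, built-in Windows tools on machines that should only be running an HMI), into working detection logic. The log format, the hostnames, the asset inventory and the sample events are all constructed for illustration and are not real utility data.

```python
"""Flag living-off-the-land activity on water-utility hosts.

Added example, not from the article. It reads a constructed, simplified
process-creation log, looks up each host in a constructed asset inventory
that tags OT-segment machines, and raises an alert when a tool shows up
where it has no business being. Field names, hostnames and the log format
are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory: hostname -> role. "ot" marks HMI and
# engineering workstations; "it" marks billing, HR and domain servers.
# A host missing from this map is itself a finding: you cannot defend
# what you have not inventoried.
INVENTORY = {
    "hmi-plant1": "ot",
    "eng-ws02": "ot",
    "dc01": "it",
    "billing-app": "it",
}

# Constructed log format (one event per line):
#   <ISO time> host=<name> user=<name> image=<path> cmd=<command line>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)

# Admin tooling that has no routine reason to run on an OT-segment host.
OT_DENYLIST = {"powershell.exe", "wmic.exe", "netsh.exe"}


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    kind: str
    severity: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line: str) -> Optional[dict]:
    """Return the event fields, or None if the line is not in the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(ev: dict, inventory: dict) -> list:
    """Apply the detection rules to one event; an event may trip several."""
    alerts = []
    exe = basename(ev["image"])
    role = inventory.get(ev["host"])
    cmd = ev["cmd"].lower()
    common = (ev["ts"], ev["host"], ev["user"])
    # Credential harvesting from the directory database: never routine.
    if exe == "ntdsutil.exe":
        alerts.append(Alert(*common, "ntds_dump", "critical",
                            "ntdsutil.exe executed (AD credential theft pattern)"))
    # Port proxies are how traffic gets tunnelled from IT toward OT.
    if exe == "netsh.exe" and "portproxy" in cmd:
        alerts.append(Alert(*common, "port_proxy", "high",
                            "netsh portproxy configuration changed or queried"))
    # Built-in admin tools on a machine whose only job is to run the HMI.
    if role == "ot" and exe in OT_DENYLIST:
        alerts.append(Alert(*common, "lolbin_on_ot", "high",
                            f"{exe} ran on OT-segment host"))
    # Unknown host: the inventory is incomplete, which is a finding too.
    if role is None:
        alerts.append(Alert(*common, "unknown_host", "medium",
                            "host not in asset inventory"))
    return alerts


def scan(log_text: str, inventory: dict) -> list:
    """Run every parsable line through the rules and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            alerts.extend(evaluate(ev, inventory))
    return alerts


def summarize(alerts: list) -> dict:
    """Count alerts per severity, handy for a shift-change report."""
    counts = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


# Constructed sample events (not real telemetry).
LOG_LINES = """\
2025-03-02T01:12:04Z host=dc01 user=svc_backup image=C:\\Windows\\System32\\ntdsutil.exe cmd=ntdsutil [arguments omitted]
2025-03-02T01:15:30Z host=billing-app user=admin image=C:\\Windows\\System32\\netsh.exe cmd=netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.20.0.5 connectport=20256
2025-03-02T01:20:11Z host=hmi-plant1 user=operator image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd=powershell -NoProfile -EncodedCommand AAAA
2025-03-02T01:22:45Z host=hmi-plant1 user=operator image=C:\\HMI\\Runtime\\hmi.exe cmd=hmi.exe /project plant1
2025-03-02T01:25:00Z host=vendor-laptop user=vendor image=C:\\Windows\\System32\\wmic.exe cmd=wmic process list
"""

if __name__ == "__main__":
    for a in scan(LOG_LINES, INVENTORY):
        print(f"{a.severity.upper():8} {a.ts} {a.host}/{a.user}: {a.kind} - {a.detail}")
    print(summarize(scan(LOG_LINES, INVENTORY)))
```

On the sample, the legitimate HMI runtime on hmi-plant1 raises nothing, while the four other events each produce one alert. The inventory lookup is deliberately the first thing a rule consults: the "OT host" rule cannot fire for a machine nobody wrote down, which is exactly why the unknown-host finding exists.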
The CISA advisory says it best: You can’t secure what you don’t know is exposed.
The Bottom Line
This isn’t about hacking. It’s about neglect.
Iran wants you to fear. Russia wants you to feel powerless. China wants to be ready for the day the lights go out.
And we’re letting them.
Because we still think cyberattacks happen in boardrooms, not in water tanks. We still believe that if it’s not on fire, it’s not broken.
It’s time we stop pretending.
The water’s already flowing where it shouldn’t.
The Digital Water Crisis Is Already Here
I’ve talked to utility operators who’ve seen these intrusions firsthand. One told me, "We didn’t even know we were being watched until the alarm went off and the chlorine tank started dumping." Another said, "We thought the PLC was glitching. Turns out, someone had been sitting in our system for six months."
This isn’t speculative. It’s happening. Every day. In towns with populations under 5,000. In cities with billion-dollar budgets. In places where cybersecurity is measured in how many times you’ve rebooted the server this month.
The attackers aren’t coming from the dark web. They’re coming from the same place you are: the internet. And they’re not looking for a breakthrough. They’re looking for a backdoor.
And we’ve left the backdoor open.
We need to stop treating this like a tech problem. It’s a societal one. Water isn’t a commodity. It’s a lifeline. And right now, we’re letting the most basic systems that deliver it be controlled by strangers who know our passwords better than we do.
The fix isn’t AI. It’s accountability. It’s training. It’s replacing a 20-year-old PLC because it’s outdated, not because it still works.
We’re not under attack from hackers.
We’re under attack from our own apathy.
And if we don’t fix that, the next time the water stops flowing, no one will be surprised.