Threat Intelligence Report: Nation-State Targeting of Water Systems 2024–2026

Water and wastewater systems are increasingly targeted as strategic gray-zone assets because exposed OT, weak credentials, and poor IT/OT segmentation make them easy to compromise while carrying outsized public-health and political consequences. Iran, Russia, and China each use these intrusions differently—signaling and retaliation, disruptive hybrid pressure, or quiet pre-positioning—while incidents in the United States and Europe show how low-complexity access can still create fear, disruption, and leverage. #CyberAv3ngers #VoltTyphoon #CyberArmyofRussiaReborn #Unitronics #RockwellAutomation #AllenBradley #Sandworm #CARR

Key Points

  • Water and wastewater systems are attractive gray-zone targets because they are strategically important yet often poorly defended.
  • Common weaknesses include internet-facing HMIs and PLCs, weak or default passwords, shared accounts, legacy systems, and poor IT/OT segmentation.
  • Iran-linked activity has focused on exposed PLCs and HMI/SCADA compromise, including CyberAv3ngers operations against Unitronics and other control devices.
  • Russia-aligned actors have demonstrated direct manipulation of water infrastructure, including municipal overflow in Texas and dam floodgate control in Norway.
  • China’s Volt Typhoon campaign emphasizes stealthy pre-positioning inside U.S. critical infrastructure, including water and wastewater networks.
  • Incidents in Poland, Arkansas City, Minot, and other locations show that even non-state or unattributed activity can force operators into manual fallback modes.
  • The most likely future risk is persistent low-level access and intermittent disruption rather than a large, destructive “cyber Pearl Harbor.”

MITRE Techniques

  • [T0883] Internet Accessible Device – Exposed PLCs and internet-facing ICS were used as entry points into water systems (‘accessed publicly exposed PLCs’ / ‘internet-exposed ICS used as access path’).
  • [T0885] Commonly Used Port – Iranian activity used OT communications ports such as 44818, 2222, 102, 502, and SSH on 22 (‘used OT ports including 44818, 2222, 102, 502, and SSH on 22’).
  • [T1219] Remote Access Software – Dropbear SSH was deployed to maintain remote access (‘deployed Dropbear SSH for remote access’).
  • [T1565] Stored Data Manipulation – Attackers interacted with project files and altered HMI/SCADA display data (‘interacted with project files and altered HMI / SCADA display data’).
  • [T1078] Valid Accounts – Weak or default credential abuse was inferred across PLC/HMI compromises (‘default / weak credential abuse against PLCs’ / ‘weak/default passwords’).
  • [T1491] Defacement – Unitronics HMI/PLC screens were defaced with pro-CyberAv3ngers messaging (‘HMI/PLC defacement messaging in Unitronics activity’).
  • [T1133] External Remote Services – Russian-aligned actors likely accessed exposed industrial interfaces and remote control paths (‘likely access through remote industrial interfaces / exposed remote control paths’).
  • [T1046] Network Service Discovery – Exposed water-control interfaces were likely scanned and enumerated (‘assessed scanning / discovery of exposed water-control interfaces’).
  • [T1489] Service Stop – Water-system process controls were manipulated to cause overflow and floodgate events (‘manipulation of water-system process controls resulting in overflow / floodgate events’).
  • [T1113] Screen Capture – Claim videos showed HMI manipulation through screen recordings (‘claim videos showed screen recordings of HMI manipulation’).
  • [T1190] Exploit Public-Facing Application – Volt Typhoon compromised exposed edge devices and public-facing infrastructure (‘compromise of exposed edge devices and public-facing infrastructure’).
  • [T1047] Windows Management Instrumentation – WMIC was used for process creation and credential-access workflows (‘WMIC execution for process creation and credential-access workflows’).
  • [T1003.003] OS Credential Dumping: NTDS – Attackers attempted extraction of ntds.dit and registry hives (‘attempted extraction of ntds.dit and registry hives’).
  • [T1090] Proxy – netsh portproxy was used for forwarding and covert access (‘netsh portproxy used for forwarding / covert access’).
  • [T1059.001] PowerShell – Native PowerShell was used in living-off-the-land activity (‘native PowerShell use in LOTL activity’).
  • [T1087] Account Discovery – Volt Typhoon performed account and environment enumeration (‘account and environment enumeration’).
  • [T1018] Remote System Discovery – Network and host reconnaissance was conducted (‘network and host reconnaissance’).
  • [T1021] Remote Services – Lateral movement occurred through compromised internal environments (‘movement through compromised internal environments’).
  • [T1560] Archive Collected Data – Collected data was staged and compressed, including 7z examples (‘staging and compression of collected data, including 7z examples’).
  • [T1562] Impair Defenses – Low-noise native tooling was used to evade EDR visibility (‘avoidance of EDR visibility through native tooling and low-noise operations’).
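As an added illustration (not code from the DomainTools report), the following Python flags the Volt Typhoon living-off-the-land commands listed above (ntdsutil and reg save for T1003.003, wmic process call create for T1047, netsh portproxy for T1090, 7z staging for T1560) in process-creation events and escalates any host that shows more than one of them. Host names, users and command lines are constructed sample data, not observed telemetry.

```python
import re

# Constructed process-creation events in a Sysmon EID 1 / Windows 4688 style;
# sample data only, not telemetry from any real incident.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "svc_backup",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\x" q q'},
    {"host": "ws07", "user": "jdoe",
     "cmdline": 'wmic process call create "cmd /c reg save HKLM\\SYSTEM C:\\Users\\Public\\sys.hiv"'},
    {"host": "ws07", "user": "jdoe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.5.20 connectport=3389"},
    {"host": "ws07", "user": "jdoe", "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "fs02", "user": "jdoe", "cmdline": "7z.exe a -p C:\\Windows\\Temp\\out.7z C:\\Windows\\Temp\\x"},
    {"host": "ws03", "user": "admin", "cmdline": "powershell.exe Get-Process"},
]

# (technique ID from the report, description, command-line pattern). Plain PowerShell
# use is deliberately not a rule by itself: too common to alert on without more context.
RULES = [
    ("T1003.003", "NTDS / registry hive extraction",
     re.compile(r"ntdsutil.*\bifm\b|\breg(?:\.exe)?\s+save\s+hklm\\(?:system|security|sam)\b", re.I)),
    ("T1047", "WMIC process creation",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("T1090", "netsh portproxy forwarding",
     re.compile(r"\bnetsh(?:\.exe)?\s+interface\s+portproxy\s+add\b", re.I)),
    ("T1560", "7-Zip archiving of collected data",
     re.compile(r"\b7z(?:\.exe)?\s+a\b", re.I)),
]

def detect(events):
    # One hit per (event, matching rule); a single event can match several rules.
    hits = []
    for ev in events:
        for tid, desc, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "user": ev["user"],
                             "technique": tid, "desc": desc})
    return hits

def techniques_by_host(hits):
    # Distinct technique IDs per host: several on one host is the LOTL chain signal.
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["technique"])
    return by_host

def suspicious_hosts(events, threshold=2):
    # Hosts showing at least `threshold` distinct report techniques, for escalation.
    by_host = techniques_by_host(detect(events))
    return sorted(host for host, tids in by_host.items() if len(tids) >= threshold)
```

Running `suspicious_hosts(SAMPLE_EVENTS)` returns `['ws07']`, the host that chained WMIC, a hive save and a portproxy rule; a single ntdsutil on the domain controller still appears in `detect()` output but is left for analyst review rather than auto-escalated.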

Indicators of Compromise

  • [IP address] Iranian-affiliated PLC communications infrastructure and related OT access activity – 135.136.1[.]133, 185.82.73[.]162, and 6 more IPs
  • [Network ports] OT and remote-access traffic used in Iranian PLC targeting – TCP/44818, TCP/2222, TCP/102, and 3 more ports
  • [Tool names] Remote access and engineering tools observed in Iranian operations – Dropbear SSH, Studio 5000 Logix Designer
  • [File/artifact names] Rockwell project files targeted for extraction or manipulation – .ACD project files, ntds.dit
  • [Defacement text] CyberAv3ngers HMI message used in Unitronics defacement – “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.”
  • [Actor / group names] Russia-linked disruption persona and propaganda artifacts – Cyber Army of Russia Reborn (CARR), Sandworm
  • [Operational artifacts] Evidence of water-system manipulation and public claims – Telegram claim videos, HMI screen recordings
  • [Process-control behavior] Physical manipulation in water infrastructure incidents – water-level / stop-level manipulation, floodgate opening
  • [Native Windows tools] Volt Typhoon living-off-the-land activity – wmic, ntdsutil.exe, netsh interface portproxy, and PowerShell
  • [Credential/artifact files] Data targeted for domain credential extraction – ntds.dit, SYSTEM registry hive, SECURITY registry hive
  • [Host paths] Staging locations mentioned in Volt Typhoon reporting – C:\Windows\Temp, C:\Users\Public
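Added example, not part of the report: a check that scores firewall or flow records against the OT and remote-access ports listed above (T0883 / T0885 in the technique list), treating a public source reaching an OT service as an exposed device and a private source outside the control network as an IT/OT segmentation gap. The address ranges, hosts and flow records are assumptions constructed for the example.

```python
import ipaddress

# OT and remote-access ports the report lists for Iranian PLC targeting.
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP", 102: "S7comm/ISO-TSAP",
            502: "Modbus/TCP", 22: "SSH"}

# Assumed address plan for the example: RFC 1918 space is the enterprise, and one
# /16 inside it is the control network. Replace with the utility's real ranges.
ENTERPRISE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_NET = ipaddress.ip_network("10.50.0.0/16")

# Constructed flow records as (src, dst, dst_port); sample data, not real traffic.
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.50.1.10", 44818),  # internet -> PLC, EtherNet/IP
    ("198.51.100.9", "10.50.1.12", 22),    # internet -> OT host, SSH
    ("10.20.3.5", "10.50.1.10", 502),      # IT workstation -> PLC, Modbus
    ("10.50.2.2", "10.50.1.10", 502),      # OT engineering station -> PLC, expected
    ("203.0.113.7", "10.20.0.8", 443),     # internet -> IT web server, not an OT port
]

def classify(src, dst, port):
    """Severity for one flow, or None when it does not touch an OT service."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d not in OT_NET or port not in OT_PORTS:
        return None
    if not any(s in net for net in ENTERPRISE_NETS):
        return "CRITICAL"   # public source reaching an OT port: exposed device (T0883/T0885)
    if s not in OT_NET:
        return "HIGH"       # private but outside the control network: IT/OT segmentation gap
    return "INFO"           # OT-to-OT traffic on an expected protocol

def review(flows):
    """Findings worth acting on, most severe first (INFO is dropped)."""
    order = {"CRITICAL": 0, "HIGH": 1}
    findings = []
    for src, dst, port in flows:
        sev = classify(src, dst, port)
        if sev in order:
            findings.append({"severity": sev, "src": src, "dst": dst,
                             "port": port, "protocol": OT_PORTS[port]})
    return sorted(findings, key=lambda f: order[f["severity"]])
```

Feeding exported firewall logs through `review()` gives a prioritised list in which any CRITICAL finding is an OT service reachable from the internet, the precondition for the PLC compromises the report describes.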


Read more: https://dti.domaintools.com/research/threat-intelligence-report-nation-state-targeting-of-water-systems-2024-2026