The Direct Message
Tension: The most technologically advanced nation on earth is being targeted through its most basic infrastructure — water and energy — by hackers exploiting the very connectivity that was supposed to be a strength.
Noise: The policy discussion frames this as a cybersecurity problem requiring better firewalls and sanctions. The structural reality is a governance gap: federal intelligence agencies can identify threats that small-town water departments have no capacity to defend against.
Direct Message: Iran’s hackers didn’t create America’s infrastructure vulnerability. They found it. The real exposure is decades of underinvestment in the systems and people that keep critical facilities secure, concentrated exactly where resources are thinnest.
Every DMNews article follows The Direct Message methodology.
Water has always been understood as the thing wars are fought over. The less examined reality is that water is now the thing wars are fought through. Not as a weapon wielded on a battlefield, but as a target accessed through a laptop in Tehran, aimed at a treatment plant in Pennsylvania, manipulated by code that tells a programmable logic controller to stop doing the one job that keeps a city’s tap water safe to drink.
Control systems operators at water utilities across the country spend their shifts watching digital readouts that track chlorine levels, pump pressure, and flow rates. Many facilities have received bulletins from the Cybersecurity and Infrastructure Security Agency warning that Iranian government-affiliated hackers have targeted industrial control systems in US energy, water, and wastewater utilities. The warnings serve as stark reminders that water treatment is no longer just about chemistry.
The bulletin was not hypothetical. A joint advisory from the FBI, NSA, Department of Energy, and CISA confirmed that hackers linked to the Iranian Revolutionary Guard Corps have been conducting a sustained campaign against American critical infrastructure. The attacks specifically targeted programmable logic controllers (PLCs) made by Rockwell Automation, with the explicit intent to sabotage systems and cause operational disruption. In a few cases, the advisory confirmed, the hacking activity resulted in real operational disruption and financial loss.
The group responsible is known as CyberAv3ngers, also called the Shahid Kaveh Group. US intelligence believes they work for the IRGC. US authorities have taken various measures against the group, including bounties and sanctions targeting officials with links to the operation.
None of this stopped the attacks.

Industrial cybersecurity experts who have worked in oil and gas operations describe a fundamental misunderstanding in how the public perceives cyber threats. “People think hacking means someone steals your credit card number,” one consultant explained. “They don’t understand that hacking can mean the pressure valve on a gas pipeline doesn’t close when it’s supposed to. That’s not identity theft. That’s an explosion.”
This framing captures something that the policy discussion around cyber conflict consistently misses. The abstraction of the word “cyber” has created a conceptual gap between the attack and its physical consequences. When CyberAv3ngers compromised water utility networks, they weren’t stealing data. They were reaching through the internet to touch the machines that make water safe, that keep gas flowing, that hold infrastructure together. Security researchers have documented their access to numerous devices sold by industrial control firms.
The strategy is not espionage. It is pre-positioning. Security researchers have described the approach as one where attackers “wanted to be able to infect all kinds of assets that they identify as critical and just leave their malware there as an option for the future.” The concept is sometimes called “preparing the battlefield,” a military term borrowed to describe the practice of embedding dormant capabilities in an adversary’s infrastructure, ready to be activated when conflict escalates.
And conflict has escalated. As military tensions between the US and Iran have intensified in recent weeks, the cyber operations have moved from background noise to foreground threat. Cybersecurity firms have reported responding to multiple incidents targeting industrial systems. “We have seen both state and non-state actors in Iran pose real risk and show willingness to hurt people through compromising these systems,” security experts have warned. “I fully expect them to keep up the pressure and target those sites they can get access to.”
There is a phrase that keeps appearing in analysis of these attacks: asymmetric warfare. Security analysts have noted that if you look at the IRGC playbook, they know they can’t compete on the traditional military field, so they attempt to cause disruption within the cyber domain using asymmetric warfare techniques. The logic is straightforward. Iran cannot match American air power or naval strength. But it can reach into the control systems of a water plant in Ohio or a gas pipeline in Texas and create consequences that no aircraft carrier can prevent.
This asymmetry has a specific quality that makes it different from other forms of conflict. It inverts the relationship between power and vulnerability. The more technologically advanced a society, the more attack surface it presents. The United States, with its highly networked industrial systems, its internet-connected PLCs, its legacy SCADA networks running on software that predates modern security practices, is not strong because of its connectivity. It is exposed because of it.
Consultants working with municipal governments on cybersecurity upgrades describe visiting water treatment facilities where operators still use default passwords on internet-facing systems. These are the systems that Iranian hackers are scanning for. They don’t need to be sophisticated. They just need to find the door that nobody locked.
The Rockwell Automation advisories issued in response to the targeting of their PLCs underscore this point. The published guidance calls for operators to disconnect certain devices from the public internet, apply firmware updates, and change default credentials. These are not exotic recommendations. They are the equivalent of telling someone to lock their front door. The fact that they need to be stated in a formal government advisory tells you something about the baseline state of American infrastructure security.

The concurrent emergence of the hacktivist group Handala adds another layer. While CyberAv3ngers is assessed as a direct IRGC asset, Handala operates in the murkier space between state sponsorship and ideological alignment. Both groups launched attacks on US targets in the same period. The pattern mirrors how Iran has long operated through proxy forces in the physical world, using groups with varying degrees of formal connection to Tehran to create plausible deniability while maintaining strategic coherence.
This convergence of physical and digital conflict creates what might be called a sovereignty paradox. A nation’s borders mean nothing to a cyberattack. The US military can strike Iranian positions with missiles, but it cannot station troops at every water utility, every gas compressor station, every wastewater facility in the country. The infrastructure is too dispersed, too varied, too often operated by small municipal authorities with budgets that barely cover maintenance, let alone cybersecurity.
Research on critical infrastructure protection has focused on the disconnect between federal threat intelligence and local operational capacity. Studies have shown that the FBI can tell a small town that Iranian hackers are targeting their water plant, but that town may have only a few employees in its water department, no IT staff, and a budget that was cut last year. The question of what they are supposed to do with that information remains largely unanswered.
This is the question that makes the Iranian cyber campaign so effective as a strategy. It doesn’t need to succeed in breaching every target. It doesn’t even need to cause catastrophic damage. It needs to create a persistent state of vulnerability that drains resources, attention, and confidence. The awareness that somewhere in your country, the systems that deliver clean water and reliable energy could be compromised at any moment, that is itself a form of weapon.
The parallels to other forms of concentrated infrastructure vulnerability are hard to ignore. Gulf states that built water miracles also concentrated them into single points of failure. The American version of this story is different in structure but identical in principle: a distributed network of small, under-resourced facilities connected to the internet, each one a potential entry point for an adversary that has already demonstrated both capability and intent.
The US has responded with a mix of defensive measures and offensive signaling. Bounties. Treasury sanctions. Threats of physical retaliation. But the structural problem remains. The attackers are playing a different game. They are not trying to win a war. They are trying to demonstrate that the concept of winning, in the traditional military sense, no longer maps onto reality when the battlefield extends to every networked device in a country.
Water utility operators still check their chlorine levels. They still watch the flow rates. But now they also watch for anomalies in the control system itself, strange login attempts, unexpected changes to PLC configurations, devices communicating with IP addresses they don’t recognize. Many never trained for this. No one at their facilities did.
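As an added illustration, not code from the article or from any utility's own tooling, here is a small detector for the three signals the paragraph above says operators now watch for: repeated failed logins, configuration writes that fall outside the expected user, source or maintenance window, and PLC traffic to unrecognized peers. The log format, peer allowlist, account names and maintenance window are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime

# Hypothetical site baseline (constructed for this example): expected peers,
# accounts allowed to change configuration, approved maintenance hours.
KNOWN_PEERS = {"10.20.0.5", "10.20.0.6", "10.20.0.10"}
ENGINEERING_USERS = {"ot_engineer"}
MAINT_WINDOW = range(1, 5)  # 01:00-04:59 local
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample log in a hypothetical "<ts> <event> key=value ..." format.
SAMPLE_LOG = """\
2025-03-02T09:14:03 LOGIN user=operator src=10.20.0.5 result=ok
2025-03-02T09:15:11 LOGIN user=admin src=203.0.113.44 result=fail
2025-03-02T09:15:12 LOGIN user=admin src=203.0.113.44 result=fail
2025-03-02T09:15:14 LOGIN user=admin src=203.0.113.44 result=fail
2025-03-02T09:16:20 CONFIG_WRITE user=admin src=203.0.113.44 target=plc01 object=setpoint
2025-03-02T02:30:00 CONFIG_WRITE user=ot_engineer src=10.20.0.6 target=plc01 object=firmware
2025-03-02T09:17:02 CONN src=plc01 dst=198.51.100.9 proto=tcp dport=443
2025-03-02T09:17:03 CONN src=plc01 dst=10.20.0.10 proto=tcp dport=44818
"""

def parse_line(line):
    """Split one log line into (timestamp, event type, key=value fields)."""
    ts, event, *pairs = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in pairs)

def detect_anomalies(log_text):
    """Return (timestamp, rule, detail) alerts for the three signals named in
    the article: login abuse, unexpected config changes, unknown peers."""
    alerts, failures = [], Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, f = parse_line(raw)
        if event == "LOGIN" and f.get("result") == "fail":
            failures[f["src"]] += 1
            if failures[f["src"]] == FAILED_LOGIN_THRESHOLD:  # one alert per source
                alerts.append((ts, "repeated_failed_logins", f["src"]))
        elif event == "CONFIG_WRITE":
            reasons = [r for ok, r in (
                (f["user"] in ENGINEERING_USERS, "unapproved user " + f["user"]),
                (f["src"] in KNOWN_PEERS, "unknown source " + f["src"]),
                (ts.hour in MAINT_WINDOW, "outside maintenance window")) if not ok]
            if reasons:
                alerts.append((ts, "unexpected_config_write", "; ".join(reasons)))
        elif event == "CONN" and f["dst"] not in KNOWN_PEERS:
            alerts.append((ts, "unrecognized_peer", f["dst"]))
    return alerts
```

Run against the constructed log, the detector raises three alerts and stays quiet on the engineering firmware write that happens from a known workstation inside the maintenance window.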
The environmental and health consequences of a successful attack on water infrastructure would compound problems that already exist. Communities across North America have already learned what it means to live with contaminated water, to adapt to infrastructure that fails them. A cyber-enabled disruption at a water treatment plant wouldn’t create a new kind of suffering. It would accelerate a kind of suffering that already exists in slow motion.
Security experts tell their clients something that sounds simple but contains the whole problem. “Your plant was built to make clean water,” they explain. “It was not built to be a military target. But it is one now, and the people running it are the front line whether they signed up for it or not.”
Consultants working in the field say the phrase “critical infrastructure” has become so overused in policy documents that people have stopped hearing what it actually means. Critical. As in, people die without it. Infrastructure. As in, the physical things we depend on. “We’ve turned it into a bureaucratic category,” they note. “It’s not a category. It’s the water your kids drink. It’s the gas that heats your house in January. That’s what’s being targeted.”
The sophistication of the CyberAv3ngers’ approach, embedding IOControl malware across a range of systems, maintaining persistent access, pre-positioning for future activation, suggests a long-term strategic commitment. These are not one-off attacks by freelancers. This is a state-backed campaign designed to create optionality, the ability to cause harm at a time and place of Tehran’s choosing.
And the targets are not government buildings or military installations. They are the facilities that civilians rely on every day, operated by people who took jobs in municipal water departments or small energy companies because they wanted steady, useful work. People who now find themselves on the front line of a conflict between two nations they have no part in.
The American cyber defense apparatus is vast. The intelligence agencies are sophisticated. The warnings are real and specific. But the gap between the warning and the capacity to act on it, at the local level, in the small towns and mid-sized cities where most of this infrastructure actually sits, that gap is the vulnerability. Not the malware. Not the hackers. The gap.
Research on infrastructure security keeps circling back to one finding. The towns most vulnerable to these attacks are the ones least likely to have the resources to respond. The ones with the oldest systems. The tightest budgets. The fewest staff. The pattern is familiar from every other kind of infrastructure failure in America: the risk concentrates where the resources are thinnest.
What the Iranian cyber campaign reveals is not something new about Iran. It is something old about the United States. The country built extraordinary infrastructure and then, over decades, stopped investing in the systems and people that keep it secure. The hackers in Tehran didn’t create that weakness. They simply found it.
And they are not done looking.