Iran-linked hackers are now poking holes in America’s water systems, and years of neglect under past administrations have left too many towns running critical pumps and valves with almost no real cybersecurity.
Story Snapshot
- Federal agencies warn of an “urgent and ongoing” Iranian-affiliated cyber threat against U.S. drinking water and wastewater systems.
- Hackers are disrupting industrial controllers that run pumps, valves, and treatment equipment across multiple critical sectors, including water.
- Hundreds of U.S. water systems still expose key devices to the open internet with weak or no security, despite repeated warnings.
- Officials confirm operational disruptions and financial losses, but legacy systems and fragmented oversight make fixing the problem harder.
Federal Warning: Iran-Linked Hackers Targeting Water and Energy
U.S. environmental, intelligence, and cybersecurity agencies jointly warned that Iranian-affiliated hackers are actively exploiting weaknesses in the operational technology that runs American drinking water and wastewater systems.[3] The Environmental Protection Agency, Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and National Security Agency said organizations are experiencing exploitation and, in some cases, disruption of commonly used control equipment at water facilities.[3] This same advisory stressed that the water sector remains an attractive target for groups seeking to disrupt U.S. critical infrastructure.[3]
The joint alert goes beyond vague threat language and describes concrete impacts from recent attacks. According to the agencies, organizations across several critical infrastructure sectors have reported configuration wiping, tampering with software-based mechanical sensors, and disruption of human machine interface screens used by operators.[3] Federal officials say this malicious activity has already produced operational disruption and financial loss for some victims.[3][4] A separate federally supported report notes that hundreds of U.S. water systems have weak configurations, and dozens have already been compromised in earlier campaigns tied to Iran-linked actors.[1]
How Iran-Affiliated Hackers Are Hitting Industrial Control Gear
Federal agencies say Iran-affiliated advanced persistent threat groups are focusing on internet-facing operational technology devices, including programmable logic controllers made by Rockwell Automation under the Allen-Bradley brand.[1][4] These controllers run core industrial processes such as opening and closing valves, starting and stopping pumps, and regulating treatment equipment inside plants that handle water and wastewater.[4] The advisory describes hackers maliciously interacting with controller project files and manipulating data on human machine interface and supervisory control displays used by plant staff.[1][4]
Investigators tie the latest wave of activity to a vulnerability involving Rockwell’s Logix controllers and Studio 5000 Logix Designer software.[1] That flaw, tracked as CVE-2021-22681, can allow an attacker to recover a cryptographic key and use a non-Rockwell application to talk to the controller as if it were trusted software.[1] U.S. authorities say this has allowed Iranian-affiliated groups to disrupt controller functions across multiple American critical infrastructure sectors, including the water and wastewater sector and energy facilities.[4] Officials report that some affected organizations had to shut down automated processes, switch to manual operation, and absorb financial losses as a result.[4][5]
Legacy Weakness: Water Systems Still Exposed and Under-Protected
Cybersecurity analysts and federal officials acknowledge that many of these vulnerabilities exist because critical devices were left exposed to the public internet with little or no hardening.[1][3] A federally backed assessment found that more than 3,000 Rockwell devices remain visible online, often because organizations either do not realize they are exposed or underestimate the risk from foreign adversaries.[1] The Environmental Protection Agency has emphasized that the water sector is fragmented and heavily reliant on local utilities that often need technical assistance just to meet basic cybersecurity expectations.[3]
During earlier Iran-linked campaigns, especially around the Gaza war in 2023 and 2024, hundreds of U.S. water systems were found to have weak security configurations that made them easy targets, and dozens of water utilities were actually compromised.[1] Those incidents involved a different brand of industrial controller, but the pattern was similar: foreign actors hunting for poorly protected, internet-facing equipment that directly controls water infrastructure.[1][4] The new advisory indicates that federal agencies, including the Department of Energy and U.S. Cyber Command, are now engaged in helping victim organizations respond and in pushing utilities to remove sensitive gear from the open internet, turn on multifactor authentication, and tighten logging.[1][3][4]
What We Still Do Not Know—and Why It Matters for Local Communities
Despite the strong language from federal agencies, key details remain withheld from the public record. Officials have not named the specific American water utilities or plants that were hit, and publicly available reporting does not break out how many of the recent incidents involve water systems versus energy or other sectors.[1][2][4] CyberScoop, citing the government alert, notes that the disrupted controllers were deployed across multiple sectors including the water and wastewater system sector and energy, but it does not list locations.[4] Politico likewise reports that the exact targets of the attack were not immediately clear.[2]
Federal authorities say their attribution to Iranian-affiliated actors is based partly on direct engagement with victim organizations, but they have not released underlying forensic artifacts, malware samples, or detailed technical timelines.[3][4] That means outside observers must rely heavily on official statements rather than independently verifiable case files. At the same time, the Environmental Protection Agency stresses that recent exploitation has already produced configuration wiping, sensor tampering, human machine interface disruption, and financial loss across multiple critical infrastructure sectors.[3] While no confirmed public-health harm or contamination at U.S. water systems has been documented in these advisories, the pattern shows that hostile foreign actors are actively testing America’s basic services, and that many local utilities are still playing catch-up on even elementary cyber hygiene.[1][2][3][4]
Sources:
[1] Web – Iran-Linked Hackers Are Targeting America’s Water Systems – Most Still …
[2] Web – Iran-linked hackers target water, energy in US, FBI and CISA warn
[3] Web – EPA, FBI, CISA, NSA Issue Joint Cybersecurity Advisory to Water …
[4] Web – Iranian hackers are targeting US energy and water sectors, federal …
[5] Web – Iranian hackers launching disruptive attacks at U.S. … – CyberScoop


















