Cyberattacks on UK water systems reveal rising risks to critical infrastructure

Digital intruders have been targeting UK drinking water systems in what seems to be a growing risk.

Recorded Future News sent a request to the UK’s Drinking Water Inspectorate (DWI), the organization responsible for ensuring that drinking water is safe, for details on cyberattacks affecting the country’s water system. Using freedom of information laws, the site discovered five incidents that had taken place since January 1, 2024.

A steady stream of water attacks

These aren’t the first attacks on UK water systems. In August 2022, the Clop ransomware gang hit South Staffordshire Water, thinking that it was actually Thames Water. The attack focused on stealing customer data, meaning water supplies weren’t disrupted, although corporate systems were affected.

In late 2023, pro-Iranian hackers disrupted water supplies in County Mayo, Ireland. The intruders, known as the Cyber Av3ngers group, caused outages across 160 homes for two days. The attack was politically motivated by the utility’s apparent use of an Israeli-made tool.

These are far from the only attacks on water systems around the world. In February last year, CISA warned that a Chinese state-sponsored group had spent nine months moving laterally through a US water facility.

In that incident, attackers gained access using an administrator’s login and spent months inside the infrastructure, nosing around databases and other assets. CISA linked the intrusion to Volt Typhoon—a group that also targeted telecommunications companies around the world. The attackers were described as “OT adjacent,” meaning they had reached administrative systems close enough to potentially impact the operational technology that controls water flow.

The attacks keep coming. Just last month, the Canadian Centre for Cybersecurity reported an attack on a municipal water facility. Hacktivists managed to alter water pressure, causing “degraded service” for the local community.

It’s always worrying when attackers target critical national infrastructure. When attackers hit Colonial Pipeline in 2021, they only compromised its administrative network (the part that handles paperwork). But the company was spooked enough that it shut down its fuel distribution systems too, as a protective measure, causing gasoline prices to spike across the US East Coast.

Many attacks on water systems might go unreported, depending on where they happen. The UK’s Network and Information Systems (NIS) regulations dictate that critical national infrastructure organizations should reveal cyber attacks to the public. However, that only applies if those attacks caused disruption.

That’s why the attacks uncovered by Recorded Future haven’t been made public until now. While worrying, they didn’t affect the UK’s water supply. A 2022 review of the NIS regulations criticized this limited disclosure, noting that attacks with the potential to disrupt services often went unreported.

Although the attacks reported to Recorded Future were voluntarily disclosed to the DWI by suppliers, upcoming legal changes could lower the bar for mandatory reporting. The UK’s proposed Cyber Security and Resilience Bill would expand disclosure requirements, increasing transparency about attacks that could affect the water supply. The Bill is expected to reach Parliament in 2025—though time is running short.

A resource under pressure

Water is under considerable threat already in the UK, with major droughts declared this year. The Met Office reports that this year’s February-to-April period was the driest since 1956, with rainfall at just half the long-term average. River flows have dropped sharply, soil moisture is down, and the National Drought Group has met to coordinate a national response.

Water companies already have plans to manage shortages, the UK government says. But as the cyberattacks mount, the question is: are their system defenses strong enough too?

