Iranian Hackers Target US Water Systems Using Default ICS Credentials
CISA and the FBI have attributed a series of cyber attacks against US water and wastewater systems to CyberAv3ngers, an Iranian Islamic Revolutionary Guard Corps (IRGC)-affiliated threat actor. The attacks exploited default credentials on Unitronics Vision Series programmable logic controllers (PLCs).
At least 11 water utilities across six states have been targeted since December 2025. The attackers gained access through internet-facing Unitronics PLCs that still used the factory default password "1111" — a systemic issue across the water sector that has been repeatedly flagged by security auditors.
In most cases, the attackers defaced the PLC's human-machine interface (HMI) with anti-Israel messaging but did not attempt to manipulate water treatment processes. However, CISA warns that the level of access obtained would have allowed the attackers to alter chemical dosing or disable safety systems.
CISA has released an advisory urging all water utilities to immediately change default passwords on all PLCs and HMIs, implement multi-factor authentication for remote access, disconnect PLCs from the public internet, and implement network monitoring for OT environments.
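To illustrate the advisory's recommendations on network monitoring and internet exposure, the following Python example audits firewall flow records for connections reaching PLC addresses from outside an approved engineering subnet. It is an added example, not code from CISA or the original article; the log format, IP addresses, allow-list and severity labels are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: addresses, subnets and log format are assumptions.
PLC_ADDRS = {"10.20.0.11", "10.20.0.12"}                  # PLC inventory
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.5.0/28")]  # engineering workstations
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Fields per line: timestamp, source IP, destination IP, firewall action
SAMPLE_FLOWS = """\
2025-01-01T02:10:00Z 10.20.5.3 10.20.0.11 allow
2025-01-01T02:11:30Z 203.0.113.7 10.20.0.11 allow
2025-01-01T02:12:10Z 203.0.113.7 10.20.0.12 deny
2025-01-01T02:15:42Z 10.30.1.9 10.20.0.12 allow
2025-01-01T02:16:00Z 10.20.5.3 10.20.9.40 allow
not-a-flow-line
"""

def audit_flows(text, plc_addrs=PLC_ADDRS, allowed=ALLOWED_SOURCES):
    """Return findings for flows to PLCs from sources outside the allow-list."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        ts, src, dst, action = parts
        if dst not in plc_addrs:
            continue                      # destination is not a PLC
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue                      # unparseable source address
        if any(src_ip in net for net in allowed):
            continue                      # approved engineering workstation
        internal = any(src_ip in net for net in RFC1918)
        if not internal and action == "allow":
            severity = "critical"         # PLC reachable from the internet
        elif not internal:
            severity = "high"             # blocked, but the PLC is addressable from outside
        else:
            severity = "medium"           # internal host outside the allow-list
        findings.append({"time": ts, "src": src, "dst": dst, "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

A "critical" finding means a PLC accepted a connection from a non-private address, which is the exposure the advisory asks utilities to eliminate.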
The Water Information Sharing and Analysis Center (WaterISAC) has launched an emergency initiative to provide free cybersecurity assessments to small and medium water utilities, many of which lack dedicated IT security staff. Congress is considering legislation to mandate minimum cybersecurity standards for water infrastructure.