Classified NSA Report Documents Seven-Month Utility Network Intrusion
Chinese state-sponsored hackers maintained access to the operational networks of three U.S. water utilities for roughly seven months, according to a classified National Security Agency report circulating among senior officials this week. Two officials familiar with the matter said the breaches began in May 2025 and were not discovered until a late-November audit by the Cybersecurity and Infrastructure Security Agency found unusual data flows leaving control systems at plants in California, Texas, and Pennsylvania.
The report, dated December 10 and labeled NOFORN, concluded that the hackers did not manipulate chemical dosing, water pressure, or valve controls during the intrusion. However, they did collect detailed schematics of industrial control systems and credentials for remote access tools used by maintenance contractors, the officials said. One official said the intrusion gave the attackers persistent reconnaissance access that could be converted into disruptive capability within hours.
The affected utilities serve a combined 4.2 million customers, according to a senior official, speaking on the condition of anonymity because the assessment remains classified. The official said the Environmental Protection Agency notified the utilities' governing boards on December 13 and required them to file incident reports by December 20. The FBI has opened a parallel counterintelligence investigation, the official said.
CISA has assigned the incident tracking number WATER-2025-00841 and has dispatched incident response teams to all three facilities, according to a former Senate Intelligence Committee staffer briefed on the findings. The teams are expected to complete on-site remediation by December 23, the staffer said.
Attribution Links Intrusion to Chinese Ministry of State Security Unit
NSA analysts attribute the operation to a group they track as VOLTZITE, which private cybersecurity firms have linked to China's Ministry of State Security and to infrastructure used in the Salt Typhoon campaign against U.S. telecommunications providers, the officials said. The same group is believed to have probed at least nine other water and wastewater systems between January and October, though those attempts were blocked, according to the former Senate Intelligence Committee staffer.
The hackers gained initial access by exploiting a vulnerability in remote desktop software used by a shared contractor, Industrial Control Services of Houston, the staffer said. The contractor, which provides programming support to roughly 80 utilities across the Gulf Coast, patched the flaw on November 22 after CISA flagged it, the staffer said. CISA issued a confidential advisory to critical infrastructure sectors on December 9 warning that the vulnerability was under active exploitation.
The NSA report identifies the command-and-control infrastructure as a cluster of virtual private servers leased through a reseller in Singapore, with payments processed through a cryptocurrency wallet tied to previous Ministry of State Security operations, the officials said. Analysts observed the attackers exfiltrating data primarily between 2 a.m. and 5 a.m. Beijing time, which the officials described as a pattern consistent with Chinese government working hours. (Beijing is UTC+8, so that window corresponds to 6 p.m. to 9 p.m. UTC, or early to mid afternoon in the eastern United States.)
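The timing analysis described above is easy to reproduce and to sanity-check. The following is an added example, not code from the article or from the NSA report: it parses a small set of constructed outbound-flow records in a hypothetical egress-sensor format, converts each timestamp to Beijing time (a fixed UTC+8 offset, since China observes no daylight saving time), builds a bytes-per-hour histogram, and reports what share of exfiltrated volume falls in a chosen local-time window. It also expresses that local window back in UTC so an analyst can check whether a claimed "working hours" pattern actually lines up with the clock.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Beijing is UTC+8 year-round (no DST), so a fixed offset is exact here.
BEIJING = timezone(timedelta(hours=8), name="UTC+8")

# Constructed sample: outbound flow records from a control-network egress sensor.
# Hypothetical line format: "<ISO-8601 UTC timestamp> <src> -> <dst> <bytes_out>"
SAMPLE_FLOWS = """\
2025-09-02T18:12:41Z 10.20.5.14 -> 203.0.113.77 5242880
2025-09-02T19:03:09Z 10.20.5.14 -> 203.0.113.77 7340032
2025-09-02T20:47:55Z 10.20.5.14 -> 203.0.113.77 3145728
2025-09-03T14:15:00Z 10.20.5.14 -> 198.51.100.9 81920
2025-09-03T18:30:22Z 10.20.5.14 -> 203.0.113.77 6291456
2025-09-04T02:10:05Z 10.20.5.31 -> 198.51.100.9 40960
"""


def parse_flows(text):
    """Yield (utc_datetime, src, dst, bytes_out) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, src, dst, int(nbytes)


def bytes_by_local_hour(flows, tz=BEIJING):
    """Sum bytes_out per hour of day after converting each timestamp to tz."""
    hist = Counter()
    for when, _src, _dst, nbytes in flows:
        hist[when.astimezone(tz).hour] += nbytes
    return hist


def window_share(hist, start_hour, end_hour):
    """Fraction of total bytes whose local hour falls in [start_hour, end_hour)."""
    total = sum(hist.values())
    if total == 0:
        return 0.0
    in_window = sum(v for h, v in hist.items() if start_hour <= h < end_hour)
    return in_window / total


def utc_window_for(start_hour, end_hour, tz=BEIJING):
    """Express a local-time hour window as (start, end) UTC hours, to check
    whether a claimed local-time pattern is what the clock says it is."""
    offset_hours = int(tz.utcoffset(None).total_seconds() // 3600)
    return (start_hour - offset_hours) % 24, (end_hour - offset_hours) % 24


if __name__ == "__main__":
    hist = bytes_by_local_hour(parse_flows(SAMPLE_FLOWS))
    for hour in sorted(hist):
        print(f"{hour:02d}:00 Beijing  {hist[hour]:>10} bytes")
    print("share in 02:00-05:00 Beijing:", round(window_share(hist, 2, 5), 3))
    print("that window in UTC:", utc_window_for(2, 5))
```

On the constructed sample almost all volume lands in the 02:00 to 05:00 Beijing window, and `utc_window_for(2, 5)` returns `(18, 21)`, which is the check worth running before reading a local-time cluster as evidence of someone's working day.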
China's embassy in Washington did not respond to a request for comment sent Tuesday evening. The embassy routinely denies involvement in cyber espionage and has accused the United States of spreading disinformation about Beijing's online activities.
Administration Weighs Public Attribution and Retaliatory Steps
The Biden administration is expected to publicly attribute the intrusions to China within 72 hours and to impose sanctions on a front company tied to the Ministry of State Security, according to two officials familiar with the matter. The package, coordinated with the Treasury and Justice departments, will also include indictments of two individuals believed to be officers in the ministry's Jiangsu bureau, the officials said.
The administration is not expected to announce a retaliatory cyber operation at the same time as attribution, the senior official said. Instead, U.S. Cyber Command has prepared a menu of options for the incoming national security team, including disruption of Chinese intelligence infrastructure in Southeast Asia and measures to expose the personal accounts of MSS officers involved in the campaign, the official said.
Congressional leaders are scheduled to receive a classified briefing on the report at 10 a.m. on December 18 in the secure conference room beneath the Capitol Visitor Center, the former Senate Intelligence Committee staffer said. The House and Senate homeland security committees are expected to hold public hearings in early January, the staffer said.
Water-sector trade groups have urged CISA to release more technical details about the intrusion vector so that other utilities can check for similar compromises. The American Water Works Association sent a letter to EPA administrator Michael Regan on December 15 requesting a 90-day extension of reporting deadlines for utilities that need to audit contractor access, according to a copy of the letter obtained by The Alamo Post.
The total cost of remediation and security upgrades across the three utilities is expected to exceed $18 million, with most expenses eligible for reimbursement through the EPA's Water Infrastructure Cybersecurity Grant Program, the senior official said. CISA is also preparing a joint advisory with the FBI and EPA that will be released publicly after attribution, the official said.
