Utilities Breached Since Late December
A China-linked intrusion group that private threat trackers have dubbed ASH MERIDIAN has breached at least six water utilities across the Midwest since late December, according to two incident responders at a Fortune 500 firm and a federal cybersecurity contractor familiar with the investigation. The compromises appear aimed at mapping industrial control systems and maintaining long-term access rather than causing immediate disruption, the sources said.
The affected utilities serve a combined population of roughly 2.4 million customers across Illinois, Indiana, and Ohio, one of the incident responders said. The breaches were first detected around Jan. 4 when a shared security operations center noticed unusual remote desktop protocol traffic on a SCADA network at a municipal water treatment plant, the responder said. Further investigation tied the activity to infrastructure used by the same cluster across all six utilities, the responder added.
A CISO briefed on the activity said ASH MERIDIAN has targeted water and wastewater systems since at least October 2025, with activity accelerating after Dec. 20. The group has used stolen credentials and legitimate remote access tools to avoid detection, the CISO said. No ransomware has been deployed in the observed incidents, and no water quality or safety systems have been manipulated, the sources said.
The group has concentrated on small and mid-sized utilities with fewer than 50 full-time employees, the CISO said. Those organizations often rely on third-party vendors for remote maintenance and lack dedicated security staff, making them attractive targets for long-term access, the CISO said. One incident responder said the earliest evidence of compromise dated to Dec. 23, when a contractor's VPN credentials were used to access a plant network in Indiana.
CISA Prepares Government-Wide Alert
The Cybersecurity and Infrastructure Security Agency is preparing to issue an alert on Jan. 16 warning water and wastewater operators nationwide about the activity, according to two federal cybersecurity contractors familiar with the draft. The alert, which has been circulated in draft form since Jan. 10, will recommend that utilities segment operational technology networks from enterprise IT systems and require multi-factor authentication for all remote access, the contractors said.
One contractor said the alert will reference an ongoing CISA investigation tracked under case number CISA-2026-00142-A. The draft document includes a list of indicators of compromise at a high level but does not disclose specific unpatched vulnerabilities, the contractor said. The alert is expected to be released through CISA's Known Exploited Vulnerabilities catalog notification system and the WaterISAC portal, the sources said.
The FBI and EPA are coordinating with CISA on the response, according to one federal contractor. State homeland security advisers in Illinois, Indiana, Ohio, and Michigan were briefed on Jan. 11, the contractor said. The EPA is expected to hold a call with state drinking water administrators on Jan. 14 to discuss defensive measures, the contractor added.
A second federal contractor said the alert will carry a severity rating of critical and will direct operators to report any related suspicious activity to CISA within 24 hours. The contractor said the draft includes a recommendation that utilities disable remote access to SCADA systems unless it is required for immediate operational needs and protected by a hardware token or similar strong authentication.
Defensive Ask for Operators
Security researchers and government officials are urging water utilities to treat the activity as a sustained campaign rather than isolated incidents. The defensive ask centers on three immediate steps: isolating SCADA and other industrial control systems from the public internet, reviewing all remote access logs for the past 90 days, and removing any remote desktop tools that are not essential to operations.
A former CISA official who now advises utilities said the targeting pattern matches previous Chinese state-sponsored reconnaissance against critical infrastructure. The goal in those cases was to pre-position access that could be used for disruption or coercion during a future crisis, the former official said. Utilities that have not conducted an adversary simulation focused on operational technology should do so within 60 days, the official said.
ASH MERIDIAN is the name assigned by this publication to a cluster of activity that overlaps with infrastructure used by a group that public reporting has tracked under a different designation. The group has primarily hit the water, energy, and transportation sectors since mid-2025, the CISO briefed on the activity said. Federal investigators have not publicly attributed the campaign to a specific Chinese ministry or unit, though they assess with high confidence that the activity serves Chinese national interests, the CISO said.
Watch for CISA's Jan. 16 alert and for possible EPA guidance to state regulators. Major infrastructure owners should also expect a joint advisory from the FBI, CISA, and EPA before the end of the week, the federal contractor said. Water utilities in the Midwest should prioritize log reviews for the Dec. 20 through Jan. 10 window, the incident responders said.
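Added example, not code from this publication or from any of the responders, contractors or agencies it cites: a small Python script that carries out the log review asked for above (the remote-access review in the defensive-ask section and the Dec. 20 through Jan. 10 window named here) over a handful of constructed remote-access log lines. It flags RDP sessions into control-system hosts that come from an unapproved source, fall outside maintenance hours, or follow a VPN login by the same account within a short interval, which is the credential-reuse pattern the reporting describes. The log format, the host naming, the approved jump host, the maintenance hours and the 30-minute pivot threshold are assumptions chosen for illustration, as are all addresses and account names.

```python
"""Review remote-access logs for RDP into control-system hosts (added example).

Window, host naming, approved sources and maintenance hours below are
assumptions for illustration; the log lines are constructed, not real data.
"""
from datetime import datetime, time, timedelta, timezone

# Review window from the reporting: Dec. 20 through Jan. 10, inclusive (UTC).
WINDOW_START = datetime(2025, 12, 20, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 1, 10, 23, 59, 59, tzinfo=timezone.utc)

# Assumptions: control-system hosts are named scada-* or hmi-*, RDP into them
# is only approved from one engineering jump host, and vendor maintenance
# happens 08:00-18:00 UTC. A VPN login followed by RDP into a control host
# within 30 minutes is treated as a pivot worth a closer look.
SCADA_PREFIXES = ("scada-", "hmi-")
APPROVED_RDP_SOURCES = {"10.10.5.4"}
MAINT_START, MAINT_END = time(8, 0), time(18, 0)
PIVOT_WINDOW = timedelta(minutes=30)

# Finding reason codes, kept as constants so callers can match on them.
R_SOURCE = "rdp to control host from source not on approved jump-host list"
R_HOURS = "rdp to control host outside maintenance hours"
R_PIVOT = "vpn login followed by rdp pivot into control host"

# Constructed sample log: "<ISO ts> <event> user=<acct> src=<ip> dst=<host> proto=<rdp|vpn>"
SAMPLE_LOG = """\
2025-12-18T09:12:44Z LOGIN user=vendor.ops src=203.0.113.10 dst=hmi-01 proto=rdp
2025-12-23T02:41:07Z LOGIN user=contractor.j src=198.51.100.77 dst=vpn-gw proto=vpn
2025-12-23T02:55:30Z LOGIN user=contractor.j src=10.20.0.15 dst=scada-plc-03 proto=rdp
2025-12-28T13:05:12Z LOGIN user=ops.admin src=10.10.5.4 dst=scada-hist-01 proto=rdp
2026-01-03T23:58:01Z LOGIN user=vendor.ops src=192.0.2.200 dst=scada-plc-01 proto=rdp
2026-01-04T00:07:19Z LOGIN user=vendor.ops src=10.20.0.15 dst=scada-plc-03 proto=rdp
2026-01-12T10:30:00Z LOGIN user=ops.admin src=10.10.5.4 dst=scada-hist-01 proto=rdp
"""


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware 'ts' field."""
    ts_str, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    fields["event"] = event
    return fields


def is_control_host(hostname):
    return hostname.startswith(SCADA_PREFIXES)


def in_maintenance_hours(ts):
    return MAINT_START <= ts.time() < MAINT_END


def review(log_text, window_start=WINDOW_START, window_end=WINDOW_END):
    """Return a list of findings for RDP events into control hosts in the window."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    in_window = [e for e in events if window_start <= e["ts"] <= window_end]
    findings = []
    last_vpn = {}  # account -> timestamp of its most recent VPN login
    for e in sorted(in_window, key=lambda ev: ev["ts"]):
        user, src, dst, proto, ts = e["user"], e["src"], e["dst"], e["proto"], e["ts"]
        if proto == "vpn":
            last_vpn[user] = ts  # remember it so a later RDP can be tied back
            continue
        if proto != "rdp" or not is_control_host(dst):
            continue
        reasons = []
        if src not in APPROVED_RDP_SOURCES:
            reasons.append(R_SOURCE)
        if not in_maintenance_hours(ts):
            reasons.append(R_HOURS)
        if user in last_vpn and ts - last_vpn[user] <= PIVOT_WINDOW:
            reasons.append(R_PIVOT)
        if reasons:
            findings.append({"ts": ts.isoformat(), "user": user, "src": src,
                             "dst": dst, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["ts"], f["user"], f"{f['src']} -> {f['dst']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed sample the Dec. 18 and Jan. 12 lines fall outside the window and are ignored, the in-hours session from the approved jump host is clean, and three sessions are surfaced: the contractor's VPN-then-RDP pivot on Dec. 23 and two late-night vendor sessions from unapproved sources in early January. Against real data the approved-source set and maintenance hours would come from the utility's own change records, and an account showing all three reasons at once is the one to triage first.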
