Security Month in Review: Hackers Are Targeting Your Water Supply – Is Your City Next?

The past few weeks have revealed a global surge in cybersecurity threats, privacy concerns, and AI-driven vulnerabilities. Hackers are targeting critical infrastructure, nation-state cyber activities are escalating, and the ethical implications of AI are taking center stage.

In the U.S., water utilities have become a prime target for cybercriminals, hacktivists, and state-sponsored actors, forcing some operators to switch to manual operations after breaches. Meanwhile, a significant Volkswagen data breach exposed the unencrypted location data of over 800,000 EVs, highlighting the risks associated with connected vehicles. Tesla also came under scrutiny for its extensive data-sharing practices, sparking fresh debates about surveillance and consumer privacy.

China's cyber operations have taken a more aggressive turn, shifting from espionage to actively pre-positioning for potential attacks on U.S. critical infrastructure. The hacking groups Volt Typhoon and Salt Typhoon have infiltrated emergency services networks and telecommunications, signaling a readiness for disruption. In Japan, the APT group MirrorFace continues to steal sensitive information from government, military, and corporate entities, raising alarms over China’s long-term strategic intentions.

Legal and regulatory efforts to combat cyber threats have ramped up. The U.S. Department of Justice indicted three Russians for running the cryptocurrency mixers Blender.io and Sinbad.io, used to launder cybercrime proceeds, and the Treasury Department sanctioned a Shanghai-based hacker and a Sichuan cybersecurity firm tied to the Salt Typhoon telecom intrusions and the breach of Treasury's own network. The Biden administration also issued a comprehensive cybersecurity executive order to secure federal networks and deter foreign cyber threats. In the courts, a federal judge ruled that the FBI's warrantless searches of Americans' communications under FISA Section 702 violated the Fourth Amendment, a significant moment for digital privacy.

AI security is under greater scrutiny as well. Microsoft's AI Red Team, after testing more than 100 generative AI products, reported that these systems amplify existing security risks and introduce new ones, and that securing them is work that will never be finished. Rounding out the month, Black Lotus Labs disclosed J-Magic, a memory-resident backdoor found on Juniper routers in the semiconductor, energy, and manufacturing sectors. The combination of government action, corporate accountability, and evolving cyber threats underscores the urgent need for robust digital defenses and regulatory frameworks.

Hackers Intensify Attacks on U.S. Water Utilities

Over the past year and a half, U.S. water utilities have faced a surge of cyberattacks from cybercriminals, hacktivists, and nation-state actors. Notably, pro-Iranian hackers infiltrated a Pittsburgh-area water utility's programmable logic controller (PLC), defacing its touchscreen with anti-Israel messages and forcing a switch to manual operations. Additionally, a significant water operator serving 500 North American communities disconnected its IT and OT networks after ransomware compromised backend systems and exposed customer data. Following an October cyberattack, the largest regulated U.S. water utility also experienced outages in customer-facing websites and telecommunications.

These incidents have prompted warnings and security guidelines from agencies including the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the FBI. Most of the attacks hit smaller utilities that lack robust security programs; larger entities were also affected, but mainly in their IT systems and without disruption to water service. Experts emphasize the need for stronger cybersecurity to protect critical infrastructure and maintain public confidence.

Efforts are underway to bolster defenses, particularly for smaller utilities with limited resources. Larger utilities have progressively improved their operational technology (OT) security, with some initiating measures as early as 2000. The recent attacks underscore the urgency for comprehensive cybersecurity strategies to safeguard water systems against evolving threats.

Higgins, K. J. (2024, December 27). Hackers Are Hot for Water Utilities. Dark Reading.

https://www.darkreading.com/ics-ot-security/hackers-hot-water-utilities

#Cybersecurity

#Water

#Infrastructure

#Hackers

#Utilities

Volkswagen Data Breach Exposes Location Information of 800,000 EVs

A significant data breach at Volkswagen's software subsidiary, Cariad, has exposed the unencrypted location data of over 800,000 electric vehicles (EVs) across brands including Volkswagen, Audi, Seat, and Skoda. The breach, discovered by a whistleblower, revealed precise vehicle locations and, in some cases, personal driver information, leaving owners vulnerable to privacy invasions.

The exposed data included detailed records of vehicle movements, accurate to within about ten centimeters for some models. That precision is enough to reconstruct a driver's daily routine: where they sleep, where they work, and the places they visit in between. Cariad has since closed the exposure, attributing it to a misconfiguration, and stated that no sensitive information such as passwords or payment details was compromised.

This incident underscores the need for stringent data security measures in connected vehicles. As modern cars increasingly rely on software and data connectivity, protecting user information is paramount to maintaining consumer trust and safeguarding privacy.
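The privacy risk described above can be made concrete. The following is an added example, not code from the Ars Technica report or from Cariad: it takes constructed, timestamped GPS fixes of the kind a connected car uploads, collapses them into dwell periods, and labels the likely home and workplace from the time of day of those stays. The sample fixes, the 50 m and 100 m radii, and the 30-minute dwell threshold are all assumptions.

```python
"""Added example, not code from the Ars Technica report or from Cariad.
From constructed GPS fixes it recovers where a car dwells and, from the
hours of those stays, which place is probably home and which is work.
Radii and the dwell threshold are assumed values, not from the report."""
from datetime import datetime, timedelta
from math import atan2, cos, radians, sin, sqrt

# Constructed telemetry: (ISO-8601 timestamp, latitude, longitude).
FIXES = [
    ("2024-12-02T00:00:00", 48.13700, 11.57500),  # Monday, overnight location
    ("2024-12-02T06:30:00", 48.13702, 11.57503),
    ("2024-12-02T07:10:00", 48.14500, 11.56000),  # en route
    ("2024-12-02T07:45:00", 48.15000, 11.55000),  # daytime location
    ("2024-12-02T12:00:00", 48.15001, 11.55002),
    ("2024-12-02T17:00:00", 48.15000, 11.55001),
    ("2024-12-02T17:40:00", 48.14600, 11.55900),  # en route
    ("2024-12-02T18:15:00", 48.13701, 11.57502),
    ("2024-12-02T23:30:00", 48.13700, 11.57500),
    ("2024-12-03T06:45:00", 48.13702, 11.57501),
    ("2024-12-03T07:50:00", 48.15001, 11.55000),
    ("2024-12-03T16:55:00", 48.15000, 11.55002),
    ("2024-12-03T18:20:00", 48.13700, 11.57503),
    ("2024-12-03T23:45:00", 48.13701, 11.57500),
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6_371_000.0 * atan2(sqrt(a), sqrt(1 - a))


def find_stays(fixes, radius_m=50.0, min_minutes=30):
    """Collapse each run of consecutive fixes that remain within radius_m of
    the run's first fix into one stay (start, end, lat, lon); keep only runs
    lasting at least min_minutes."""
    pts = sorted((datetime.fromisoformat(ts), lat, lon) for ts, lat, lon in fixes)
    stays = []

    def close(run):
        start, end = run[0][0], run[-1][0]
        if end - start >= timedelta(minutes=min_minutes):
            stays.append((start, end,
                          sum(p[1] for p in run) / len(run),
                          sum(p[2] for p in run) / len(run)))

    run = [pts[0]]
    for p in pts[1:]:
        if haversine_m(run[0][1], run[0][2], p[1], p[2]) <= radius_m:
            run.append(p)
        else:
            close(run)
            run = [p]
    close(run)
    return stays


def label_places(stays, merge_m=100.0):
    """Merge stays within merge_m into places, count each place's hours at
    night (22:00-06:00) and in weekday office hours (09:00-17:00), then
    label the most nocturnal place "home" and the most office-hour place
    "work"."""
    places = []
    for start, end, lat, lon in stays:
        for pl in places:
            if haversine_m(pl["lat"], pl["lon"], lat, lon) <= merge_m:
                break
        else:
            pl = {"lat": lat, "lon": lon, "stays": 0, "hours": 0, "night_h": 0, "work_h": 0}
            places.append(pl)
        pl["stays"] += 1
        t = start
        while t < end:  # one sample per hour of the stay
            pl["hours"] += 1
            if t.hour >= 22 or t.hour < 6:
                pl["night_h"] += 1
            elif t.weekday() < 5 and 9 <= t.hour < 17:
                pl["work_h"] += 1
            t += timedelta(hours=1)
    labels = {}
    if places:
        home = max(places, key=lambda p: p["night_h"])
        labels["home"] = home
        others = [p for p in places if p is not home]
        if others:
            work = max(others, key=lambda p: p["work_h"])
            if work["work_h"] > 0:
                labels["work"] = work
    return labels


if __name__ == "__main__":
    for name, pl in label_places(find_stays(FIXES)).items():
        print(f"{name}: {pl['lat']:.5f}, {pl['lon']:.5f} ({pl['stays']} stays, "
              f"{pl['hours']} h total, night {pl['night_h']} h, office {pl['work_h']} h)")
```

Two days of fixes are enough to separate the overnight address from the daytime one; with months of ten-centimetre data the same approach also resolves which building entrance and parking bay the driver uses, which is why location telemetry needs the same protection as any other personal data.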

Bangeman, E. (2024, December 30). Whistleblower finds unencrypted location data for 800,000 VW EVs. Ars Technica.

https://arstechnica.com/cars/2024/12/whistleblower-finds-unencrypted-location-data-for-800000-vw-evs/

#Volkswagen

#DataBreach

#Cybersecurity

#Privacy

#ElectricVehicles

China's Cyber Intrusions in 2024 Signal Shift Towards Offensive Operations

In 2024, Chinese state-sponsored cyber activities escalated from traditional espionage to pre-positioning for potential disruptive attacks on critical infrastructure. Notably, the FBI and other U.S. federal agencies disrupted a Chinese botnet composed of outdated routers aimed at infiltrating U.S. essential infrastructure facilities. Despite these efforts, the botnet has resurfaced, indicating persistent threats.

Additionally, the hacking group Volt Typhoon compromised at least one prominent U.S. city's emergency services network and has been conducting reconnaissance on multiple American electric companies since early 2023. This behavior suggests a shift from mere intelligence gathering to preparing for potential disruptive operations.

Another group, Salt Typhoon, breached American telecommunications networks in what has been described as the "worst telecom hack in our nation's history." These ongoing intrusions underscore the need for heightened cybersecurity measures across all organizations, especially those connected to critical infrastructure.

Lyons, J. (2024, December 31). China's cyber intrusions took a sinister turn in 2024. The Register.

https://www.theregister.com/2024/12/31/china_cyber_intrusions_2024/

#Cybersecurity

#China

#CyberAttacks

#CriticalInfrastructure

#Espionage

Tesla Data Sharing in Las Vegas Explosion Raises Privacy Concerns

Tesla's involvement in investigating a Cybertruck explosion in Las Vegas has highlighted the vast amount of data modern vehicles collect. Tesla provided law enforcement with detailed driving data, including the vehicle's route from Denver to Las Vegas, sparking debates over consumer privacy and surveillance risks.

Modern cars have telematics and infotainment systems that track location, speed, and personal data from synced devices. While this data collection is beneficial in emergencies, it raises concerns about unauthorized access and potential misuse, especially in the absence of strong federal regulations on automotive data privacy.

Experts recommend that consumers review privacy policies, limit data sharing, and adjust in-car settings to minimize data exposure. As connected vehicles become more prevalent, balancing technological advancement with consumer privacy protection remains a pressing issue.

SecurityWeek. (2025, January 5). Is your car spying on you? Tesla data sharing in the Las Vegas explosion raises privacy concerns.

https://www.securityweek.com/is-your-car-spying-on-you-what-it-means-that-tesla-shared-data-in-the-las-vegas-explosion/

#Tesla

#Privacy

#DataCollection

#Surveillance

#Cybersecurity

Chinese APT Group MirrorFace Targets Japanese Organizations

Since 2019, the Chinese state-sponsored cyber-espionage group MirrorFace has been conducting sophisticated attacks against Japanese organizations to steal technology and national security information. The National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity in Japan have warned about MirrorFace's activities, highlighting its use of elaborate phishing campaigns and exploiting network device vulnerabilities.

Targets have included government agencies, politicians, think tanks, and healthcare, manufacturing, education, and aerospace sectors. These cyberattacks are believed to be part of China's efforts to gain leverage over Japan in potential future hostilities. The ongoing attacks emphasize the need for enhanced cybersecurity measures across vulnerable sectors in Japan.

Dark Reading. (2025, January 10). Chinese APT group ransacking Japan's secrets.

https://www.darkreading.com/cyberattacks-data-breaches/chinese-apt-group-ransacking-japans-secrets

#CyberSecurity

#APT

#MirrorFace

#Japan

#CyberEspionage

DoJ Indicts Three Russians for Operating Crypto Mixers Used in Cybercrime Laundering

The U.S. Department of Justice (DoJ) has indicted three Russian nationals, Roman Vitalyevich Ostapenko, Alexander Evgenievich Oleynik, and Anton Vyachlavovich Tarasov, for allegedly operating the cryptocurrency mixing services Blender.io and Sinbad.io. These platforms are accused of laundering funds derived from cybercrimes, including ransomware attacks and virtual currency thefts, by obfuscating the origins of illicit cryptocurrency transactions.

Ostapenko and Oleynik were arrested on December 1, 2024, while Tarasov remains at large. If convicted, each defendant faces up to 25 years in prison. This case highlights the ongoing efforts by law enforcement to address the misuse of cryptocurrency for criminal activities and the challenges posed by anonymization technologies.

The Hacker News. (2025, January 10). DoJ indicts three Russians for operating crypto mixers used in cybercrime laundering.

https://thehackernews.com/2025/01/doj-indicts-three-russians-for.html

#Cybercrime

#Cryptocurrency

#MoneyLaundering

#DoJ

#Blender

#Sinbad

Biden's Cybersecurity Executive Order Provides Blueprint for Trump Administration

In the final days of his presidency, President Joe Biden issued a comprehensive executive order (EO) to strengthen the United States' cybersecurity defenses. This directive addresses critical areas such as securing federal communications, mitigating artificial intelligence (AI) threats, and preparing for the challenges posed by quantum computing. Key provisions include:

The EO mandates stringent cybersecurity requirements for federal contractors, compelling them to demonstrate secure software development practices. This initiative seeks to prevent incidents similar to past supply chain attacks that compromised federal systems.

The order facilitates the imposition of sanctions against foreign entities and individuals engaged in cyberattacks, particularly those linked to nations such as China, Iran, Russia, and North Korea. This measure aims to deter malicious cyber activities targeting U.S. infrastructure.

Recognizing the future risks associated with quantum computing, the EO directs federal agencies to develop and implement encryption methods resilient to quantum-based attacks, ensuring long-term protection of sensitive data.

The timing of this EO, issued just days before President-elect Donald Trump's inauguration, underscores the bipartisan imperative of bolstering national cybersecurity. Experts suggest that the substantive elements of the order are likely to endure, given the shared recognition of evolving cyber threats. The directive provides a strategic framework for the incoming administration to enhance the nation's cyber resilience.

Bracken, B. (2025, January 16). Biden's Cybersecurity EO Gives Trump a Blueprint for Defense. Dark Reading.

https://www.darkreading.com/threat-intelligence/biden-cybersecurity-eo-trump-blueprint-defense

#Cybersecurity

#ExecutiveOrder

#NationalSecurity

#AI

#QuantumComputing

Microsoft's AI Red Team Highlights Ongoing Security Challenges

Microsoft's AI Red Team has evaluated more than 100 generative AI products and reports that these models amplify existing security risks and introduce new vulnerabilities. In their preprint paper, "Lessons from Red-Teaming 100 Generative AI Products," the team emphasizes that securing AI systems is an ongoing process that will never be fully complete, and advocates a thorough understanding of each model's capabilities and applications as the basis for effective defenses.

The team also notes that while larger language models tend to adhere better to user instructions, this same characteristic can be exploited for malicious purposes. They caution against focusing solely on complex, computationally intensive attacks, pointing out that simpler methods, such as user interface manipulation, can be just as effective at compromising AI systems. This underscores the necessity for continuous vigilance and adaptation in AI security measures.

Claburn, T. (2025, January 17). Microsoft's AI Red Team Says Security Work Will Never Be Done. The Register.

https://www.theregister.com/2025/01/17/microsoft_ai_redteam_infosec_warning/

#AI

#Cybersecurity

#Microsoft

#RedTeam

#GenerativeAI

U.S. Treasury Sanctions Chinese Entities Linked to Major Cyberattacks

On January 17, 2025, the U.S. Treasury Department announced sanctions against Shanghai-based hacker Yin Kecheng and the cybersecurity firm Sichuan Juxinhe Network Technology Co. LTD. Treasury tied Yin Kecheng to the recent breach of its own network and Sichuan Juxinhe to the Salt Typhoon intrusions into major American telecommunications companies, which gave that group access to sensitive communications, including those of government officials and prominent political figures.

The Treasury's sanctions effectively freeze all U.S.-based assets linked to these entities and prohibit business dealings with them. The sanctions aim to deter further cyber-espionage efforts and disrupt ongoing malicious activities by cutting off financial resources and international operations. Officials noted this marks a significant step in safeguarding national cybersecurity infrastructure against state-sponsored threats.

The breach has prompted calls for tighter security protocols and increased collaboration between public and private sectors to address sophisticated cyber threats. This incident highlights the persistent risks posed by cyber espionage operations and the necessity of comprehensive strategies to protect critical networks.

Associated Press. (2025, January 18). Treasury Levels Sanctions Tied to a Massive Hack of Telecom Companies and Breach of Its Own Network. SecurityWeek.

https://www.securityweek.com/treasury-levels-sanctions-tied-to-a-massive-hack-of-telecom-companies-and-breach-of-its-own-network/

#Cybersecurity

#Sanctions

#USGovernment

#China

#SaltTyphoon

Court Rules FBI's Warrantless Searches Violated Fourth Amendment

A federal court has determined that the FBI's practice of conducting warrantless searches under Section 702 of the Foreign Intelligence Surveillance Act (FISA) violates the Fourth Amendment. The Electronic Frontier Foundation (EFF) highlighted that in 2021 alone, the FBI performed approximately 3.4 million such searches on U.S. persons' data, describing this as a "routine practice."

The EFF has long advocated for the necessity of warrants in these situations, criticizing Section 702 as a "finders keepers" rule that has historically granted the government extensive access to Americans' private communications. This ruling underscores the ongoing debate over privacy rights and government surveillance, emphasizing the need for reforms to uphold constitutional protections in intelligence operations.

Ars Technica. (2025, January 15). Court rules FBI’s warrantless searches violated Fourth Amendment.

https://arstechnica.com/tech-policy/2025/01/court-rules-fbis-warrantless-searches-violated-fourth-amendment/

#FBI

#FourthAmendment

#Surveillance

#PrivacyRights

#FISA

Mysterious Backdoor Discovered in Select Juniper Routers

Black Lotus Labs has identified a covert backdoor, which it calls "J-Magic," on select Juniper routers in the semiconductor, energy, and manufacturing sectors, with activity dating back to mid-2023. The malware passively watches network traffic for specially crafted "magic packets"; on receiving one it establishes a reverse shell, giving the attacker command-line access to the device. It resides solely in memory, so a reboot removes it but also removes most of the forensic evidence.

Roughly half of the affected devices serve as VPN gateways, which raises the stakes: a compromised gateway sits at the point where remote-access traffic is decrypted. The initial infection vector remains unknown, and Juniper had not responded to inquiries at the time of the report. The incident underscores the need for robust security controls and continuous network monitoring of edge devices in essential infrastructure sectors.
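Because the implant lives only in memory, host forensics on the router may turn up nothing; the connection it opens is the durable trace. The following is an added example, not code from Black Lotus Labs or Juniper: it scans constructed, simplified Zeek conn.log records for connections that an edge router or VPN gateway originated towards the Internet and that fall outside a short egress allow-list. The device inventory, the allow-list, the internal address ranges and the log lines are all assumptions; the report publishes no indicators that this code uses.

```python
"""Added example, not code from Black Lotus Labs or Juniper.
Flags connections that a router or VPN gateway *originated* towards the
Internet. Such devices rarely initiate outbound sessions beyond a short
allow-list (NTP, syslog, update checks), so a reverse shell from a
memory-resident backdoor stands out in flow logs even when the device
itself shows nothing. Inventory, allow-list and records are assumptions."""
import ipaddress

# Assumed inventory: WAN addresses of the organisation's edge devices.
DEVICE_IPS = {"203.0.113.1", "203.0.113.2"}
# Assumed allow-list of (responder port, proto) a device may initiate itself.
ALLOWED_OUTBOUND = {(123, "udp"), (514, "udp"), (443, "tcp")}
# Assumed internal address space; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records using a subset of Zeek conn.log columns.
COLUMNS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
           "proto", "service", "conn_state")
CONN_LOG = """\
1737800000.1\tC1\t198.51.100.7\t51234\t203.0.113.1\t443\ttcp\tssl\tSF
1737800005.2\tC2\t203.0.113.1\t123\t192.0.2.10\t123\tudp\tntp\tSF
1737800010.3\tC3\t203.0.113.2\t40001\t198.51.100.99\t443\ttcp\t-\tS1
1737800011.0\tC4\t203.0.113.1\t40002\t198.51.100.42\t4444\ttcp\t-\tS1
1737800012.0\tC5\t10.0.0.5\t55555\t10.0.0.1\t22\ttcp\tssh\tSF
"""


def parse_conn(text):
    """Yield one dict per tab-separated record, skipping blank and '#' lines
    (Zeek's own header and footer lines start with '#')."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(COLUMNS, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        yield rec


def is_external(ip):
    """True when the address is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_device_egress(records, devices=DEVICE_IPS, allowed=ALLOWED_OUTBOUND):
    """Return (uid, severity, reason) for each device-originated external
    connection that is off the allow-list (high) or on an allowed TCP port
    but with no recognised service, e.g. a shell parked on 443 (medium)."""
    findings = []
    for r in records:
        if r["orig_h"] not in devices or not is_external(r["resp_h"]):
            continue  # inbound or internal traffic is not this rule's concern
        dst = f"{r['resp_h']}:{r['resp_p']}/{r['proto']}"
        if (r["resp_p"], r["proto"]) not in allowed:
            findings.append((r["uid"], "high",
                             f"device {r['orig_h']} opened {dst}, not on egress allow-list"))
        elif r["proto"] == "tcp" and r["service"] == "-":
            findings.append((r["uid"], "medium",
                             f"device {r['orig_h']} opened {dst} but no service was identified"))
    return findings


if __name__ == "__main__":
    for uid, severity, reason in flag_device_egress(parse_conn(CONN_LOG)):
        print(f"{severity:6} {uid}: {reason}")
```

The rule deliberately keys on who originated the session rather than on any payload signature, since the magic packet itself can be made to look like ordinary traffic and the report gives no indicator to match on; a real deployment would draw the device list from the asset inventory and tune the allow-list per site.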

Lyons, J. (2025, January 25). Mysterious backdoor found on select Juniper routers. The Register.

https://www.theregister.com/2025/01/25/mysterious_backdoor_juniper_routers/

#Cybersecurity

#JuniperRouters

#Backdoor

#NetworkSecurity

#CriticalInfrastructure

More articles by Matthew Hall, CISSP, CHFI