State-Backed Hackers Gained ‘Pre-positioned Access’ to Canadian Water Systems: Cyber Defence Agency

11/28/2025|Updated: 11/28/2025

0:00

Canada’s cyber defence agency has said hackers are increasingly targeting Canada’s water systems, and that hackers backed by foreign states have gained access to these systems and could launch attacks “in times of crisis or conflict between states.”

“We assess that state-sponsored cyber threat actors have almost certainly developed pre-positioned access to Canadian water systems,” the Canadian Centre for Cyber Security (CCSC) said in a Nov. 25 report.

The CCSC said in its report that water systems, which include those related to wastewater and floodwater, are “almost certainly” a priority for these state-sponsored actors to project power. CCSC said these actors have identified and gained access to operational technology systems related to water systems, where they then collect information on assets to “identify opportunities for disruptive or destructive action.”

The report does not list any individual state that could be hacking into Canadian water systems, but the agency previously said that hackers related to the People’s Republic of China “almost certainly pose the greatest ongoing cyberespionage threat to Canada.”

CCSC said in the event of an attack, these actors could cause water tanks to overflow or change the chemical balance of water treatment processes. The report cited a 2013 incident where Iranian actors gained access to the operational system of a small dam in New York state, which could have allowed them to operate the dam’s sluice gates that regulate the flow of water channels.

Last month, the cyber centre reported that “hacktivists” had tampered with water pressure values of a municipality’s water facility and “degraded” service for the community.

In its latest report, CCSC also said Volt Typhoon, a threat actor that engages in cyberespionage on behalf of the Chinese regime, has been targeting water, communication, transportation, and energy organizations since 2021. It said while the threat to the United States by Volt Typhoon is higher than the threat to Canada, “the likelihood of a cyber attack impacting Canada’s [critical infrastructure] is higher than it otherwise might be because of the connections between U.S. and Canadian infrastructure.”

The report states that financially motivated cybercriminals are the most likely cyber threat to affect Canada’s water systems, and they will “almost certainly” continue exploiting water sector organizations using extortion tied to ransomware, exploiting stolen information, and the compromising of business emails.

As an example, the report cited ransomware attacks that targeted water treatment systems in the American states of California, Maine, and Nevada in 2021, which forced system operators to manually operate their systems in order to maintain service.

These ransomware attacks against critical infrastructure systems are also becoming more frequent, costly, and difficult to remediate, according to the report.

In a Sept. 26 statement, Defence Minister David McGuinty and Public Safety Minister Gary Anandasangaree said malicious cyber activity targetting power, water, health, and finance infrastructure are “on the rise and are a real and urgent threat.” They said state-sponsored actors have the ability to pre-position themselves to “disrupt or destroy” critical services in a conflict.

“The Government of Canada is working tirelessly to detect, respond to, and mitigate threats,“ the ministers said. ”We will continue to work with domestic partners and industry on countering and mitigating cyber threats to Canada’s most essential systems.”

The ministers suggested that critical infrastructure operators should take steps to strengthen their defences by using private networks, firewalls, and multi-factor authentication; develop and test incident response plans; conduct tabletop exercises to test responses to cyber attacks; change default passwords; and separate information technology and operational technology environments to “prevent lateral movement” by hackers.

The 2025 Budget proposes $10.9 billion over five years for upgrades to the Department of National Defence, Canadian Armed Forces, and Communications Security Establishment for digital infrastructure, which includes for cyber defence.

We had a problem loading this article. Please enable javascript or use a different browser. If the issue persists, please visit our help center.