Russia-linked cyber activity puts UK water systems in the crosshairs

February 13, 2026

BRITAIN’S water supplies could face major disruption as pro-Russia hacktivist groups and ransomware networks increasingly target critical infrastructure systems that control distribution, according to a new report.

It follows a warning this week from the UK’s National Cyber Security Centre (NCSC) that utilities, transport providers and other essential services must strengthen monitoring, resilience planning and recovery capabilities after coordinated malware attacks targeting Poland’s energy sector, highlighting the growing risk of real-world service disruption.

Now, a new security assessment by Sibylline has identified pumping stations, treatment plants and water distribution networks as key vulnerabilities, with adversaries increasingly targeting operational technology (OT), the industrial control environments that regulate physical infrastructure.

Denise Schipani, analyst for cyber and geopolitical intelligence, said the past six months had seen a sharp rise in activity directed at critical infrastructure, with water systems emerging as a particular focus.

“It’s really just the last six months where we’ve seen a spike in reporting in terms of how much critical infrastructure in Europe is being targeted — but specifically water infrastructure, and also a focus on the UK,” she said.

Recent incidents underline the trend.

In Norway, a cyber intrusion at a dam manipulated water outflow valves, releasing millions of litres of water before operators regained control.

Danish authorities later revealed that attackers linked to a pro-Russia hacktivist group had compromised a water utility facility, altering pump pressure and causing burst pipes.

Elsewhere, threat researchers reported attempts to penetrate a decoy water treatment plant, signalling growing interest in operational technology environments.

Official disclosures also show that UK water companies have already experienced multiple cyber-related incidents.

Data released by the Drinking Water Inspectorate indicated that between 2023 and late 2024 the regulator received 15 incident notifications involving water company digital systems, five of which were confirmed as cybersecurity-related.

While none affected the treatment or supply of drinking water, officials warned that compromises affecting corporate IT environments could still provide pathways toward operational technology systems controlling physical processes.

Water infrastructure is considered an attractive target for hybrid operations because disruption is immediately visible to the public while typically remaining below the threshold of conventional military escalation.

Even temporary service outages can generate political pressure, economic costs and public anxiety, enabling threat actors to demonstrate capability and impose disruption without triggering a direct military response.

Analysts say such attacks often aim less at immediate destruction than at demonstrating capability and signalling vulnerability.

Schipani warned that even relatively unsophisticated tactics can enable significant disruption when basic cyber hygiene is lacking.

“These groups literally just use default credentials — it’s sometimes just as simple as the essentials,” she said.

“If you can get yourself within an IT environment, there’s a possibility you’re getting closer to that second environment — the OT environment — which actually operates the physical components of critical infrastructure.”

Alongside state-aligned hacktivist activity, the sector is also facing rising financial risk from ransomware groups seeking to exploit the large volumes of sensitive customer and operational data held by utilities.

Recent attacks on water authorities in Europe disrupted email systems, workstations and mapping services, highlighting the continued vulnerability of sector-wide IT environments even where industrial systems remain intact.

Alexander Lord, lead Europe analyst, said the campaign against infrastructure formed part of a broader Russian hybrid warfare strategy designed to impose long-term economic and psychological costs on Western societies rather than trigger immediate military escalation.

“The cyber operations across Europe are primarily designed to achieve more long-term strategic goals — steadily undermining industrial readiness, civilian psychological resilience, inflicting financial costs, and sowing division and confusion,” he said.

“Any amount of disruption or psychological impact is to the net benefit of Russia.”

Such operations are also relatively inexpensive for the Kremlin, he added, as many cybercriminal groups operate independently but in ways that align with Russian state interests.

“A lot of these groups would do it anyway because they are financially driven — it’s merely that there’s a symbiosis in terms of outcome,” he said.

According to the NCSC, many cyber campaigns targeting UK organisations are driven by ideology rather than financial gain, with the agency saying recent operations have been politically motivated and linked to the UK’s support for Ukraine.

“We continue to see Russian-aligned hacktivist groups targeting UK organisations, and although denial-of-service attacks may be technically simple, their impact can be significant,” said Jonathan Ellison, the NCSC’s director for national resilience.

Analysts warn that vulnerabilities within critical infrastructure mean disruption risks remain significant as geopolitical tensions persist.

“Critical infrastructure is a key target, and it is often poorly secured and poorly understood from a security perspective,” Schipani said.

“Actors are developing the capability not only to infiltrate these environments but to control them.

“We have not really connected the dots as to why these attacks matter in the same way we think about conventional threats — and these capabilities can directly affect our ability to provide essential services.”