Incidents disclosed over the past week have included attacks targeting Internet service providers and a municipal water treatment system.

Threat actors continue to intensify their targeting of U.S. critical infrastructure providers, as demonstrated by a series of recently disclosed attacks.

This week has seen incidents disclosed including attacks targeting internet service providers and a cyberattack that impacted a municipal water treatment system.

[Related: 10 Major Cyberattacks And Data Breaches In 2024 (So Far)]

The incidents follow a disclosure by the FBI earlier this month that China-linked hackers had compromised more than 260,000 network devices. Meanwhile, in August, security researchers said Internet service providers and MSPs were being targeted in attacks attributed to the Chinese government.

What follows are five things to know on the latest critical infrastructure cyberattacks.

Water Treatment System Attack

This week, a small city in Kansas, Arkansas City, disclosed that it had “encountered a cybersecurity issue” that affected its water treatment facility early in the morning Sunday. The attack forced the facility to switch to manual operations, according to a statement from the city.

There was “no disruption to service” from the incident, though the city said that “out of caution, the Water Treatment Facility has switched to manual operations while the situation is being resolved.”

“The water supply remains completely safe,” said the city, which has about 12,000 residents, in its statement.

CISA Warns Of Water, Wastewater System Attacks

In an advisory released Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned about attacks targeting water and wastewater systems.

“CISA continues to respond to active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector,” the agency said in the advisory, though it did not mention the municipal attack in Kansas.

The attacks that CISA has responded to recently along these lines have notably utilized “unsophisticated” tactics, according to the agency.

“Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm,” CISA said in the advisory.

ISPs Reportedly Attacked

A cyberattack campaign connected to the Chinese government has targeted Internet service providers in the U.S. “in recent months,” with the threat actors seeking to obtain sensitive data, according to a report Wednesday from the Wall Street Journal.

The attacks managed to breach a “handful” of U.S. ISPs, the report said. Names of the reportedly impacted ISPs were not included in the WSJ report.

The campaign is reportedly being referred to as “Salt Typhoon,” which appears to follow Microsoft’s naming convention for threat actors associated with China.

CRN has reached out to the FBI for comment.

SOHO Device Attacks

On Sept. 18, the FBI and other federal agencies disclosed that a massive cyberattack campaign linked to China had targeted U.S. networks through compromising devices including routers and firewalls.

The advisory from the FBI, NSA and Cyber National Mission Force (CNMF) indicated that the campaign attributed to a China-based company, Integrity Technology Group, had been disrupted. The attackers had compromised more than 260,000 devices as of June, and had controlled a network of infected devices as far back as mid-2021, according to the agencies.

Internet-connected devices targeted in the attacks included small office/home office (SOHO) routers as well as firewalls, network-attached storage and IoT devices, the agencies said.

The devices together formed an assembly of malware-infected devices, known as a botnet, which threat actors aimed to use for launching attacks against victims in North America, Europe, Asia and other regions, according to the advisory.

Attacks Exploiting Versa Vulnerability

In late August, security researchers indicated that ISPs and MSPs were the main targets of a cyberattack campaign exploiting a Versa Networks SD-WAN vulnerability and linked to the Chinese government. Versa did not respond to a request for comment.

Researchers at Lumen Technologies disclosed that victims of the Versa zero-day vulnerability exploit campaign had included “four U.S. victims and one non-U.S. victim.” The victims are all in “the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors,” and were targeted as far back as June 12, according to the researchers.

The attacks were attributed to the threat group tracked as “Volt Typhoon,” which has previously been cited by U.S. agencies for attacks targeting critical infrastructure providers.