
“China’s Cyber Intrusion: A Wake-Up Call for U.S. Critical Infrastructure”

A California water utility recently detected over 6 million connection attempts from China-based IP addresses within a single week, highlighting ongoing concerns about Chinese cyber activities targeting U.S. critical infrastructure. The South Coast Water District (SCWD), which serves approximately 40,000 residents, 1,000 businesses, and 2 million annual visitors in Orange County, blocked these attempts between July 15-23, 2025.

The information came to light during an industry webinar hosted by the Water Information Sharing and Analysis Center, where security company ThreatSTOP’s dashboard data was presented. ThreatSTOP’s CEO Tom Byrnes and chief scientist Paul Mockapetris emphasized the importance of implementing geographic access restrictions, noting that local utilities typically have no legitimate need for connections from distant countries.

Beyond Chinese connection attempts, the utility’s firewall also blocked over 34,000 attempts from Bulgaria and more than 21,000 from Iran. The frequency of these attempts underscores the constant probing of U.S. infrastructure systems by foreign entities.
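The per-country tallies above are the kind of summary a firewall dashboard produces from its deny logs, and the geographic allowlist that Byrnes and Mockapetris recommend is a policy decision made on top of that summary. The following Python script is an added example, not code from the article, ThreatSTOP, or SCWD. It parses a constructed set of iptables-style deny lines, maps source addresses to countries through a placeholder CIDR table (a real deployment would query a GeoIP database), counts denied attempts per country, and lists the non-allowlisted countries that exceed a threshold together with the prefixes a firewall set would need. The log format, the CIDR-to-country table, the allowed-country set, and all function names are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed GeoIP table: documentation/RFC 5737 prefixes standing in for
# real country allocations. A production tool would use a GeoIP database.
GEO_RANGES = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.0/24"), "BG"),
    (ipaddress.ip_network("192.0.2.0/24"), "IR"),
    (ipaddress.ip_network("10.20.0.0/16"), "US"),
]

# Countries the utility has a legitimate reason to accept traffic from
# (assumption for this example; a local utility would keep this list short).
ALLOWED_COUNTRIES = {"US"}

# Constructed deny-log lines in an iptables-like format (not real SCWD logs).
SAMPLE_LOGS = [
    "Jul 16 03:14:07 fw kernel: DENY IN=eth0 SRC=203.0.113.17 DST=10.20.1.5 PROTO=TCP DPT=22",
    "Jul 16 03:14:09 fw kernel: DENY IN=eth0 SRC=203.0.113.44 DST=10.20.1.5 PROTO=TCP DPT=443",
    "Jul 16 03:15:01 fw kernel: DENY IN=eth0 SRC=203.0.113.17 DST=10.20.1.9 PROTO=TCP DPT=443",
    "Jul 16 03:15:30 fw kernel: DENY IN=eth0 SRC=198.51.100.8 DST=10.20.1.5 PROTO=TCP DPT=22",
    "Jul 16 03:16:12 fw kernel: DENY IN=eth0 SRC=192.0.2.99 DST=10.20.1.5 PROTO=TCP DPT=3389",
    "Jul 16 03:16:40 fw kernel: ACCEPT IN=eth0 SRC=10.20.5.2 DST=10.20.1.5 PROTO=TCP DPT=443",
    "Jul 16 03:17:02 fw kernel: DENY IN=eth0 SRC=10.20.7.7 DST=10.20.1.5 PROTO=TCP DPT=22",
    "garbage line with no fields",
]

LOG_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?DPT=(?P<dpt>\d+)")


def country_for(ip):
    """Return the country code for an address, or '??' if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_RANGES:
        if addr in net:
            return cc
    return "??"


def parse_deny_logs(lines):
    """Extract (src, dst, dport) from DENY lines; skip accepts and malformed lines."""
    events = []
    for line in lines:
        if "DENY" not in line:
            continue
        m = LOG_RE.search(line)
        if not m:
            continue
        events.append({"src": m.group("src"), "dst": m.group("dst"),
                       "dport": int(m.group("dpt"))})
    return events


def summarize_by_country(events):
    """Count denied connection attempts per source country."""
    return dict(Counter(country_for(e["src"]) for e in events))


def block_candidates(summary, threshold):
    """Countries outside the allowlist with at least `threshold` denied attempts,
    most active first (ties broken alphabetically)."""
    hits = [(cc, n) for cc, n in summary.items()
            if cc not in ALLOWED_COUNTRIES and cc != "??" and n >= threshold]
    return [cc for cc, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


def cidrs_to_block(countries):
    """Prefixes from the geo table that a firewall address set would carry
    for the given countries."""
    wanted = set(countries)
    return [str(net) for net, cc in GEO_RANGES if cc in wanted]


if __name__ == "__main__":
    events = parse_deny_logs(SAMPLE_LOGS)
    summary = summarize_by_country(events)
    for cc, n in sorted(summary.items(), key=lambda t: -t[1]):
        print(f"{cc}: {n} denied attempts")
    to_block = block_candidates(summary, threshold=1)
    print("geo-block candidates:", to_block)
    print("prefixes for firewall set:", cidrs_to_block(to_block))
```

The threshold matters in practice: with a strict allowlist the firewall never needs a per-country count to decide, and the tally is only for visibility; with a looser policy the threshold separates background scanning noise from the sustained volume the article describes. Either way the one denied attempt from inside the allowed country stays visible in the summary, which is the case a defender should look at rather than filter out.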

U.S. intelligence officials have identified China as a primary cybersecurity threat, particularly through state-sponsored campaigns like Volt Typhoon, which has reportedly established footholds in critical infrastructure systems. Water utilities are especially vulnerable due to their remote access requirements and, in many cases, limited cybersecurity resources.

Recent incidents highlight the widespread nature of these threats. American Water Works, the nation’s largest regulated water utility, reported a cyberattack in 2024. A smaller Massachusetts utility serving 15,000 people fell victim to Volt Typhoon in 2023. In response to such threats, 2022 legislation now requires critical infrastructure entities to report cyber incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours.

Research by cybersecurity analyst Erika Langerova revealed concerning patterns in Chinese academic publications, with 367 papers focusing on U.S. power grids and 166 on European grids over the past two decades. These studies primarily examined vulnerabilities and system failures rather than protective measures.

Chinese cyber campaigns have extended beyond utilities to target various sectors, including telecommunications, government agencies, media outlets, and nuclear weapons programs. A recent memo revealed that Chinese hackers had compromised at least one state’s National Guard in 2024.

The threat continues to evolve, as demonstrated by the Salt Typhoon campaign, which attempted to breach 1,000 devices globally between December 2024 and January 2025 by exploiting a Cisco vulnerability. Chinese hackers have also recently targeted political figures through Microsoft SharePoint vulnerabilities.

Microsoft identified multiple Chinese state-sponsored actors, including Linen Typhoon and Violet Typhoon, along with Storm-2603, in recent cyber operations. The company warned that Chinese hackers are likely to continue incorporating newly discovered vulnerabilities into their attacks. According to Eye Security, these recent campaigns have compromised over 400 systems.

The increasing sophistication and frequency of these cyber threats underscore the ongoing challenges faced by U.S. critical infrastructure operators in protecting their systems from state-sponsored attacks. While larger utilities may have resources to implement robust cybersecurity measures, smaller operators often struggle to maintain adequate defenses against such persistent and well-funded adversaries.