62% of utility companies in the U.S. and the U.K. were attacked in the past year; 81% of the breaches compromised identity systems such as Active Directory, Entra ID, and Okta.
Hoboken (U.S.), April 3, 2025 – Critical infrastructures are under siege. This is revealed by a new study published by Semperis, a company specializing in cyber resilience and digital identity, which analyzes the rise in cyberattacks targeting water and electricity operators in the United States and the United Kingdom. The report reflects a troubling situation: 62% of operators suffered some form of attack in the past year, and of these, 8 out of 10 were the target of multiple attacks.
Even more alarming is that 54% of these intrusions caused permanent damage to systems or data loss, underscoring the vulnerability of essential services such as electricity and drinking water supply.
China and Invisible Attacks
One of the most notable cases is the recent attack on a public utility company in Littleton (Massachusetts), attributed to the Volt Typhoon group linked to the Chinese government. American Water Works, the largest water and wastewater utility in the U.S., has also reported unauthorized activities on its network, affecting billing and customer service.
Chris Inglis, the first National Cyber Director in the U.S. and a strategic advisor to Semperis, warns that “many public infrastructures are unaware that state actors like China have already infiltrated.” These groups often resort to silent attacks — known as Living off the Land — that avoid raising alarms and can remain hidden for months or years before activating their malicious payloads.
81% of Attacks Target Identity Systems
According to the study titled The State of Critical Infrastructure Resilience, 81% of cyberattacks against utility services compromised identity systems, such as Active Directory, Entra ID, and Okta, which are key points in authentication and access control. Furthermore, 60% of the attacks originated from state-sponsored groups.
What is most concerning, experts point out, is that 38% of operators believe they have not been attacked, a figure that reflects a significant lack of awareness of their actual exposure to cyber threats.
A Real Threat to Public Health
“The risk is not just digital: losing power, heating, or clean water for hours can have serious consequences for the population,” explains Mickey Bresman, CEO of Semperis. “Companies must accept that breaches will occur and prepare to respond swiftly and securely.”
The lack of operational resilience makes these sectors high-value targets for malicious actors, capable of generating impacts that extend beyond economic issues: from public order disruptions to health risks.
Key Recommendations from the Study
The Semperis report proposes a series of measures to strengthen operational resilience against cyberattacks:
- Identify the critical components (Tier 0) essential for recovery after an attack.
- Prioritize the response and recovery of these systems over secondary or business systems.
- Document and practice response plans through real exercises, involving all relevant personnel, not just the IT area.
- Ensure a quick and secure recovery, preventing attackers from infiltrating backup systems to maintain their presence even after a restart.
An Urgent Call to Action
“The infrastructure that ensures our electricity and water is the foundation of everything we do,” emphasizes Inglis. “And yet, we continue to rely on others to protect it. But no one else will do it for us. We need to act now.”
The complete study, which analyzes responses from 350 security professionals in utility companies, can be downloaded for free from Semperis’s official site: https://www.semperis.com/the-state-of-critical-infrastructure-resilience.
With this report, Semperis reinforces its mission to protect the identity services of the world’s most critical organizations, a task that has become a national security priority in light of the increasing risk of large-scale cyberattacks.
Source: Semperis Study