Part 2 – Water Towers
Welcome back! We are continuing our series on SCADA hacking. Today, we walk through how we compromised a SCADA system controlling several water towers belonging to a well-known company in Russia. Along with the towers, we also gained access to a range of other SCADA systems within the organization from refrigerators to milk pasteurization systems. This example shows just how vulnerable SCADA systems can be and how often they are poorly secured.
In our experience, Russian system administrators rarely segment SCADA systems from Active Directory, allowing attackers to move laterally once a vulnerable host is compromised. Even though this particular company did not have a properly configured AD, we still managed to compromise all hosts due to password reuse. This example is beneficial for both defensive and offensive operations. Let’s take a closer look.
Initial Access
It began with access to a database system. The sysadmin had made some effort to isolate the machine, and none of the locally dumped SAM hashes were useful. No cleartext credentials were found in the registry, PowerShell history, or local files. The host was used for development and maintenance of the company’s database, which was outsourced to a third-party provider.

We deployed Inveigh to listen for NTLMv2 hashes. Inveigh is similar to Responder and works by capturing hashes when a user attempts to access a nonexistent share. Windows automatically tries to authenticate with the host it thinks is running the share, sending NTLMv2 credentials, which we captured and later cracked. The image above was taken from the internet to demonstrate what it looks like.
Cracking Hashes
After collecting hashes, we used hashcat with a basic rockyou.txt dictionary file. Several passwords were cracked, giving us access to an accountant’s machine – our first step into the actual network. Surprisingly, this user had local admin rights. From there, we dumped local SAM hashes, including one used across multiple machines and SCADA servers running on Windows 7.
Windows 7 Vulnerabilities
Windows 7 is outdated and lacks security measures available in newer systems, yet it is still used in many SCADA environments. Without protections like LSASS memory dump prevention (LSASS PPL), it’s easier to obtain credentials. Using nxc (CrackMapExec) with the `--lsa` option, we dumped LSASS and got the administrator’s actual password.

If you are attacking from Linux, tools like xfreerdp allow pass-the-hash attacks. If you’re stuck on a Windows host, you will need the actual password to use RDP or SMB for lateral movement.
Inside the SCADA Server
With RDP access, we entered the SCADA server. It had graphical dashboards showing refrigerators and milk pasteurization systems. These dashboards gave real-time visual representations of the system status.

We explored further and found additional SCADA schemas developed by the engineering team. This included schematics and visual layouts of system operations.

MasterSCADA
We encountered MasterSCADA, a common SCADA management application used across several Russian companies. On multiple occasions, we were able to gain access by logging in with the default “sa” user and a blank password. If you come across this app, try the same set of credentials. It might be a direct line into the system’s control logic.

Water Tower Access
The most critical discovery was the set of water towers. They were part of the same SCADA system and required no additional pivoting to access. Reconnaissance revealed images of the physical towers and their drainage pond. The SCADA interface showed real-time stats including pressure and temperature.

Typically, pressure drops to zero during the night when the plant is idle and rises during the day. These towers had temperature control features to heat water when needed.

As mentioned in Part 1, hacking SCADA isn’t just about destroying the Windows machine it’s hosted on. You need to understand how the system operates and take on the mindset of an engineer. Research is a key part of that process. When dealing with water towers and pipe networks, pushing pressure to the maximum is rarely safe. Most water systems are designed to run between 2 and 4 bar (30–60 psi). Spiking the pressure to 5 bar can cause serious damage: weak pipes might burst, fittings and joints can start leaking, and plastic components like PVC may fail under the stress.
At night, when demand is low, the risks are even higher. A sudden increase in pressure, followed by a valve closing or a pump shutting off, can create a water hammer – a pressure wave that travels through the system. This kind of shock can damage valves, rupture meters, or even affect the structure of the water tower itself.
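The operating profile described above (pressure near zero overnight, a 2–4 bar design band, 5 bar as a damage threshold, abrupt swings as a water-hammer risk) is exactly what a plant historian can be watched for. The following is an added example, not code from the post or from any SCADA vendor; it assumes the historian exports chronological (timestamp, pressure in bar) readings, and the idle window, idle tolerance, swing size and episode length are assumed tuning values. The sample readings are constructed.

```python
from datetime import datetime, timedelta

NORMAL_MAX_BAR = 4.0        # top of the 2-4 bar design band quoted in the post
DAMAGE_BAR = 5.0            # post: 5 bar is enough to burst weak pipes and fittings
NIGHT_HOURS = range(0, 6)   # assumed idle window; the post says pressure drops to zero at night
NIGHT_IDLE_BAR = 0.5        # assumed tolerance for an "idle" tower
SWING_BAR = 2.0             # assumed jump between consecutive readings worth a water-hammer warning
SUSTAINED = timedelta(minutes=60)  # assumed: above the design band this long counts as an episode

def analyze(readings):
    """readings: chronological (datetime, pressure_bar) pairs from the historian.
    Returns (timestamp, kind, detail) alerts; 'sustained' fires once per episode."""
    alerts = []
    prev_p = above_since = None
    sustained_reported = False
    for ts, p in readings:
        if p >= DAMAGE_BAR:
            alerts.append((ts, "overpressure", f"{p:.1f} bar"))
        if ts.hour in NIGHT_HOURS and p > NIGHT_IDLE_BAR:
            alerts.append((ts, "night_pressure", f"{p:.1f} bar while the plant should be idle"))
        if prev_p is not None and abs(p - prev_p) >= SWING_BAR:
            alerts.append((ts, "pressure_swing", f"{prev_p:.1f} -> {p:.1f} bar between readings"))
        if p > NORMAL_MAX_BAR:
            above_since = above_since or ts
            if not sustained_reported and ts - above_since >= SUSTAINED:
                alerts.append((ts, "sustained", f"above {NORMAL_MAX_BAR} bar since {above_since:%H:%M}"))
                sustained_reported = True
        else:
            above_since, sustained_reported = None, False
        prev_p = p
    return alerts

def constructed_night():
    """Constructed sample, 22:00 to 05:30 every 30 min: normal wind-down, then a jump to 5.2 bar held all night."""
    start = datetime(2024, 1, 1, 22, 0)
    return [(start + timedelta(minutes=i), max(1.0, 3.0 - i / 30) if i < 90 else 5.2)
            for i in range(0, 480, 30)]

def constructed_quiet_day():
    """Constructed sample of an ordinary working morning inside the design band."""
    start = datetime(2024, 1, 1, 9, 0)
    return [(start + timedelta(minutes=i), 3.0 + 0.01 * i) for i in range(0, 120, 30)]

if __name__ == "__main__":
    for ts, kind, detail in analyze(constructed_night()):
        print(f"{ts:%Y-%m-%d %H:%M} {kind:15} {detail}")
```

Alerting on the overnight profile matters because a sustained maximum-pressure episode while the plant is idle is invisible on a dashboard nobody is watching until the morning shift arrives.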
To fully understand the possible impact, you need to assess the physical state of the facility. One way to do that is through remote camera access. Cameras give you real-time visuals and help confirm what’s happening inside the plant. That’s why learning camera exploitation is important. OTW stresses its value because it lets you observe and interact with the environment beyond the system itself, giving you control on another level.
After analyzing the infrastructure, we assessed that the plant relied entirely on these towers. They provided water for everything from the production line to the staff canteen. In similar environments, a sudden pressure spike might even cause contamination if backflow prevention fails.

That’s exactly what was done. The pressure in the system was raised to its maximum and left that way throughout the night. This wasn’t a random action. It was calculated, based on how the system operated and how the infrastructure was built. By the time the facility resumed work in the morning, the pressure had been sustained at critical levels for several hours. This isn’t a one-off operation. The plan is to repeat the attack nightly until the system is significantly damaged, ensuring maximum disruption and long-term consequences for the target.
Conclusion
This operation showed how weak and exposed SCADA environments still are, especially when basic principles like network segmentation and unique credentials are ignored. From a single foothold, it was possible to move laterally, compromise credentials, and take full control of critical infrastructure without resistance. The takeover of multiple water towers proves that SCADA is more than just software: it directly connects to the physical world, and mishandling it can bring real, visible consequences. As long as outdated systems remain in place and common security flaws are left unchecked, these types of intrusions will remain inevitable.
The post SCADA Hacking: Inside Russian SCADA/ICS Facilities, Part 2 first appeared on Hackers Arise.
Source: HackersArise
Source Link: https://hackers-arise.com/scada-hacking-inside-russian-facilities-part-2/