Shaarli Daily

All links of one day on a single page.

Yesterday - November 4, 2025

Hackers are attacking Britain’s drinking water suppliers | The Record from Recorded Future News
therecord.media
Alexander Martin
November 3rd, 2025

The U.K.'s water suppliers have reported five cyberattacks since January 2024, according to information reviewed by Recorded Future News. The incidents did not affect the safety of water supplies, but they highlight an increasing threat.

None of the attacks impacted the safe supply of drinking water itself, but instead affected the organizations behind those supplies. The incidents, a record number in any two-year period, highlight what British intelligence warns is an increasing threat posed by malicious cyber actors to the country’s critical infrastructure.

The data shared by the Drinking Water Inspectorate (DWI) showed the watchdog received 15 reports from suppliers between January 1, 2024, and October 20, 2025. These were sent under the NIS Regulations, which is just one part of the extensive legal framework governing the security of drinking water systems in Britain.

Of these reports, five regarded cybersecurity incidents affecting what the DWI called “out-of-NIS-scope systems” with the others being non-cyber operational issues. Further details of the 15 reports were not shared with Recorded Future News.

Currently, the NIS Regulations limit formally reportable cyber incidents to those that actually result in disruption to an essential service. If British infrastructure suppliers were impacted by hacks such as the pre-positioning campaign tracked as Volt Typhoon, suppliers would not have a legal duty to disclose them.

DWI said the five incidents that were disclosed to the watchdog were shared for information purposes because they were considered to be “related to water supply resilience risks.”

British officials are expected to try to amend this high bar for reporting when the government updates those laws through the much-delayed Cyber Security and Resilience Bill, when it is finally introduced to Parliament later this year.

A government spokesperson said: “The Cyber threats we face are sophisticated, relentless and costly. Our Cyber Security and Resilience Bill will be introduced to Parliament this year and is designed to strengthen our cyber defences — protecting the services the public rely on so they can go about their normal lives.”

Five reports better than none

That the reports were made despite not being required by the NIS Regulations was a positive sign, said Don Smith, vice president threat research at Sophos.

“Critical infrastructure providers, like any modern connected enterprise, are subject to attacks from criminal actors daily. It is no surprise that security incidents do occur within these enterprises, despite the compliance regimes that they’re subjected to,” Smith told Recorded Future News when asked about the data.

“I think we should be encouraged that these reports were shared outside of the scope of the NIS Regulations. It is very useful for critical infrastructure operators to understand the nature of these attacks, both in the case of commodity threats and if there’s an advanced adversary operating, and a culture of information sharing helps widen everyone’s aperture.”

Although there have been ransomware attacks against the IT office systems used by water companies — including on South Staffs Water in the U.K. and Aigües de Mataró in Spain — it is extremely rare for cyberattacks on water suppliers to actually disrupt supplies.

In one rare case of a successful attack on an OT (operational technology) component, residents of a remote area on Ireland’s west coast were left without water for several days in December 2023 when a pro-Iran hacking group indiscriminately targeted facilities using a piece of equipment the hackers complained was made in Israel.

The U.S. federal government had issued a warning about the exploitation of Unitronics programmable logic controllers (PLCs) used by many organizations in the water sector. Attacks on PLCs, core technology components in a lot of industrial control systems, are one of the main concerns of critical infrastructure defenders.

Initiatives to improve the security of water systems in the United States faltered under the Biden administration when water industry groups partnered with Republican lawmakers to put a halt to the federal efforts, despite significant increases in the number of ransomware attacks and state-sponsored intrusions.

Last week, Canadian authorities warned of an incident in which hacktivists changed the water pressure at one local utility among a spate of attacks interfering with industrial control systems.

Britain's National Cyber Security Centre encourages critical infrastructure providers to ensure they have properly segmented their business IT systems and their OT systems to reduce the impact of any cyber intrusion. In August, the agency released a new Cyber Assessments Framework to help organizations improve their resilience.

“Commodity rather than targeted attacks remain the most likely threat to impact critical infrastructure providers. The messaging I pass to CISOs and the people managing risk in these organizations is to worry about defending from the everyday as opposed to defending from the exotic,” said Smith.

“They’re expected to do both, but the much bigger risk is that we end up with a major piece of our CNI knocked offline because of a ransomware attack. I worry about people thinking about investing huge amounts in monitoring esoteric systems when they’re actually not protecting themselves from the basics.”

U.S. agencies back banning popular home WiFi device, citing national security risk

washingtonpost.com
By Joseph Menn

More than a half-dozen federal departments and agencies backed a proposal to ban future sales of the most popular home routers in the United States on the grounds that the vendor’s ties to mainland China make them a national security risk, according to people briefed on the matter and a communication reviewed by The Washington Post.

The proposal, which arose from a months-long risk assessment, calls for blocking sales of networking devices from TP-Link Systems of Irvine, California, which was spun off from a China-based company, TP-Link Technologies, but owns some of that company’s former assets in China. The ban was proposed by the Commerce Department and supported this summer by an interagency process that includes the Departments of Homeland Security, Justice and Defense, the people said.

“TP-Link vigorously disputes any allegation that its products present national security risks to the United States,” Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement. “TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond.”

If imposed, the ban would be among the largest in consumer history and a possible sign that the East-West divide over tech independence is still deepening amid reports of accelerated Chinese government-supported hacking. Only the legislated ban of Chinese-owned TikTok, which President Donald Trump has averted with executive orders and a pending sale, would impact more U.S. consumers.

None of the agencies involved responded to requests to comment on the proposal, which is now back in the hands of Commerce. While Commerce initially proposed the ban and sought the interagency review, it has taken no action since that process was completed. It could still decide to not issue a ban against TP-Link routers or could reach an agreement with the company for a different resolution of its concerns. The White House, which the people said supported the proposed ban, could also change its mind.

A former senior Defense Department official and two other people familiar with the details described the ban proposal to The Post; they spoke on the condition of anonymity to reveal internal deliberations. One of those people and four other current officials confirmed that the proposal had secured interagency approval.

A White House spokesperson asked about the proposed ban declined to address it specifically. “We are aware of active efforts by the Chinese government to exploit critical security vulnerabilities and are working with all relevant parties to assess exposure and mitigate the damage,” the spokesperson said.

Trump met Chinese leader Xi Jinping on Thursday in South Korea, where they reached an agreement that lowered the temperature of the conflict over trade between the two countries. The negotiations leading to that deal have made any move toward banning TP-Link routers less likely in the near term, two of the people said. One of them said the administration viewed TP-Link as a bargaining chip in further U.S.-China trade talks.

A spokesman for TP-Link Systems, Jeff Seedman, called it “nonsensical to suggest” that any measure taken against the company could serve as a “bargaining chip” in U.S.-China talks. “Any adverse action against TP-Link would have no impact on China, but would harm an American company,” he said.

Commerce officials concluded TP-Link Systems products pose a risk because the U.S.-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government. TP-Link Systems denies that, saying that it fully split from the Chinese TP-Link Technologies over the past three years. The Commerce proposal mentions the prospect that the company could offer a deal after notification that would satisfy the government and forestall a ban, one of the people said, but the government would have to be certain that key hardware and software was being developed without influence from China.

TP-Link Systems has sole ownership of some engineering, design and manufacturing capabilities in China that were once part of China-based TP-Link Technologies and operates them without Chinese government supervision, according to company spokeswoman Silverio. TP-Link Technologies serves only the Chinese market, she said. U.S.-based TP-Link Systems has about 500 employees in the U.S. and about 11,000 in China, Silverio said, adding that some of them work in facilities physically adjacent to those still owned by TP-Link Technologies.

TP-Link Systems’s website says it has 36 percent of the U.S. market for home routers by direct unit sales, while other estimates and congressional testimony put the share above 50 percent. A substantial portion of TP-Link routers and those of its competitors are purchased or leased through internet service providers, industry analysts said.

Federal regulations partly based on executive orders issued by Trump in his first term and by President Joe Biden empower the commerce secretary to make a risk assessment of transactions in “information and communications technology or services” that involve material from entities “controlled by, or subject to the jurisdiction or direction of foreign adversaries” and may therefore pose an “undue or unacceptable” security risk.

Last year, Commerce Secretary Gina Raimondo blocked U.S. sales of antivirus software from Russia’s Kaspersky Lab, noting the extensive access such security programs have to computers. “Russia has shown it has the capacity — and even more than that, the intent — to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans, and that’s why we are compelled to take the action we are taking today,” Raimondo said at the time. Kaspersky denied that its U.S. activities posed a security risk.

Under the law, if the commerce secretary determines there is a security risk from foreign-influenced technology, the department can suggest ways to mitigate those risks. In the case of TP-Link Systems, Commerce officials decided that no mitigation short of a prohibition would suffice, according to the people briefed on the interagency review.

Seedman said any concerns “are fully resolvable by a common-sense mix of measures like onshoring key development functions, making strong and coordinated investments in cybersecurity, and being transparent with the government.” TP-Link Systems, he added, “has repeatedly sought Commerce’s input as to where the government believes there could be residual concerns. Commerce has so far not responded to TP-Link’s outreach in that regard.”

The proposed ban’s approval by the other federal departments returned it to Commerce, leaving the department free to issue a formal notification to TP-Link Systems that would give the company 30 days to respond. Commerce would then have 30 days to consider any objections before any ban would take effect.

The Post could not determine why Commerce has not taken further action. Some of those briefed said officials might be leery of stepping on any toes in the White House, especially amid trade talks with China that involve other technology issues. More recently, the government shutdown has become the top priority at Commerce and is occupying the time of the officials who remain on the job, the people said.

None of those interviewed for this article said they knew of any substantive objections inside government to the ban, which has been sought by members of both parties in Congress.

Paul Triolo, a partner at DGA Group in Washington who monitors U.S.-China technology issues, said recently it was not clear whether the interagency decision required an additional White House sign-off. “It may be too small of a thing to create a reaction from China,” he said.

Sen. Tom Cotton (R-Arkansas), who chairs the Senate Intelligence Committee, pushed for an investigation of TP-Link and is frustrated that no action has been taken, a spokesman said. “The continued sale of networking equipment linked to communist China in the United States puts our security at risk and American competitors at a disadvantage,” Cotton told The Post.

Many brands of home and small office routers, including those from TP-Link, have been used as stepping stones in recent years by Chinese government-supported hacking groups, which break into them to disguise where they are coming from, government and private-sector cybersecurity officials determined.

Some security experts have complained that the company has been slow to fix flaws after they are exposed. Last month, TP-Link Systems said it was still working to patch U.S. routers exposed to a high-severity weakness that had been reported in May. The company said its response time was within industry norms and that some measures show it has fewer reported flaws than rivals.

TP-Link Systems gear did not play a notable role in the major hack of U.S. telecommunication carriers exposed more than a year ago, which Sen. Mark R. Warner (D-Virginia) called the “worst telecom hack in our nation’s history.” But Microsoft said last year that hacked TP-Link Systems routers made up most of a covert network used by Chinese attackers since at least 2021 to steal log-in credentials from the software giant’s sensitive customers.

Microsoft said that network was used by multiple Chinese groups on spying missions. TP-Link Systems issued a patch for the vulnerable devices in November, four months after they were reported being hacked, even though they had been designated as end-of-life and too old for such updates. TP-Link said its action showed its willingness to go beyond what was legally required to help with security issues.

Some other U.S. router makers also depend on manufacturers in China. But U.S. officials said they are more concerned about TP-Link because under Chinese law companies there must comply with intelligence agency requests and notify Beijing of security flaws. They said the Chinese arm could even be compelled to push out software updates that could change the way the devices function.

California-based TP-Link Systems said it is “not subject to the direction of the PRC [Chinese government] intel apparatus.” It told The Post that only U.S. engineers can push updates to U.S. customers.

TP-Link Systems is owned by one of the two brothers who started TP-Link Technologies in China and his wife. The company said the brother in Irvine, chief executive Jeffrey (Jianjun) Chao, is pursuing U.S. citizenship and plans to expand the company’s American workforce.

A federal judge hearing an unrelated patent dispute in Texas against TP-Link Technologies concluded two years ago that frequent changes in that company’s corporate structure seemed designed to avoid accountability, telling an attorney for the Chinese company that “the evidence that we have indicates that your clients are deliberately trying to hide their relationship with TP-Link USA,” as the American operation was called at the time.

“The Texas case did not even involve TP-Link’s California company,” Silverio told The Post. “The defendants in that case were TP-Link foreign entities that were not affiliated with the California company at the time. The defendants later became affiliated with TP-Link’s California entity after a series of corporate reorganizations.”

It is unclear exactly which networking products would be covered under what is technically defined as a “prohibition” by Commerce on certain transactions, though they would include home and small office routers.

In related work on TP-Link Systems, the Justice Department’s antitrust unit is weighing criminal charges, based on claims that TP-Link products have been subsidized by the Chinese government and artificially priced under U.S. rivals, according to the people briefed on the interagency discussions. The company says it does not price products lower than they cost to make, and its spokeswoman said it has not heard from the Justice Department regarding an antitrust probe but would cooperate with any investigation.

The interagency probe began under the Biden administration and gained steam after the inauguration amid Trump’s tough talk on China, officials said. The possibility of a ban was first reported by the Wall Street Journal late last year, and the criminal antitrust probe was reported in April by Bloomberg News. Bloomberg reported this month that the administration was considering other actions.