Hackers Said They Gained Access to Pumps, Chlorine Dosing and Pressure Settings

Canada’s Communications Security Establishment, the Maple Leaf version of the U.S. National Security Agency, refreshed a warning to the country’s water sector, revealing for the first time that Russian hackers attacked operational technology systems at a Quebec municipality utility last year.
See Also: Beat the Breach: Outsmart Attackers and Secure the Cloud
The spy agency’s latest annual report, published Monday, did not identify the municipality, or provide any technical details of the intrusion. It did reveal that CSE found out about the hack on Oct. 7 from an online claim of responsibility made by NoName057(16), a Russian hacker group.
CSIRTAmericas, a multi-national incident response clearing house that’s part of the Organization of American States, “relayed NoName’s claim of unauthorized access to a Quebec municipality’s water treatment plant,” the report states. The hackers claimed they had achieved “the ability to covertly control pumps, chlorine dosing, pressure settings and monitoring/alerts systems.”
The report does not make clear whether the claim of access by NoName is accurate or not, and Russian hacktivist groups often make unfounded claims about their operations. Such claims are an important part of the information-warfare aspect of their campaigns (see: Google: Kremlin Expands AI-Backed Campaigns Across Europe, US).
A CSE spokesperson, who asked for anonymity, said in a statement the agency “cannot provide further information.” The statement touted the work of CSE’s Cyber Centre with the CSIRTAmericas Network, and other international partners, saying they “work together to identify, assess and mitigate cyberthreats.”
The failure of the utility to independently detect the attack illustrates the difficulty of adequately defending OT, given the rudimentary state of security in many OT operators.
NoName was identified in a U.S. indictment unsealed in December as a “covert project” of Russian state security whose membership included many staff members of The Center for the Study and Network Monitoring of the Youth Environment, “an information technology organization established by order of the President of Russia in October 2018.”
The indictment charged Ukrainian national Victoria Eduardovna Dubranova for her role in conducting cyberattacks and computer hacking intrusions against critical infrastructure organizations and other victims in Europe and beyond. She was arrested and extradited to the United States in 2025 (see: US Warns of Ongoing Pro-Russia Critical Infrastructure Hacks).
A takedown of NoName infrastructure conducted by European authorities in July 2025 didn’t stick, according to the Nordic Observatory for Digital Media and Information Disorder, an independent non-profit monitoring cyber and information warfare. The group reported that NoName ceased operations only for a few weeks.
The U.S. Department of State offers a reward up to $10 million for information leading to the “identification or location” of any members of the group, which it said had conducted more than 1,500 distributed denial-of-service attacks on websites of governments, news agencies, militaries, telecom providers and other critical infrastructure in Ukraine and neighboring NATO members – including Estonia, Finland, Lithuania, Norway, Poland and Sweden – as part of the Russian grey zone campaign against Ukraine’s allies.
The CSE warned the water sector twice last year: In October about the risk to internet-exposed ICS and OT systems in critical infrastructure. And the following month about possible cyberthreats to water utilities more generally.
