Chinese cyberattack on US drinking water simulated in secret war game
A classified exercise reveals how the Volt Typhoon group could paralyze water infrastructure, triggering health and economic chaos.
July 11, 2026 · 4 min read

TL;DR: A classified exercise simulated a Chinese cyberattack on US water infrastructure, revealing critical vulnerabilities. The scenario included burst pipes, evacuated hospitals, and devastating economic costs, underscoring the need to strengthen cybersecurity in the water sector.
What happened?
According to a report by Wired, a group of insurers, cybersecurity experts, and officials participated in a classified war game to simulate an attack by the Chinese group Volt Typhoon on US water infrastructure. The closed-door exercise recreated how hackers sponsored by Beijing could take control of water treatment systems, cause massive pipe ruptures, and contaminate the supply. The result was logistical and health chaos: hospitals without water for surgeries, fires without hydraulic pressure, and billions in economic losses. The simulation, organized by insurer Resilience and with participation from the Cybersecurity and Infrastructure Security Agency (CISA), lasted several hours and explored multiple scenarios, from supply disruption to intentional chemical contamination. Participants found that existing response protocols were insufficient to handle a coordinated attack on multiple treatment plants simultaneously.
Why is this important?
This drill is not fiction. The US government has identified Volt Typhoon as a persistent threat that has already compromised communications and energy networks. Water infrastructure, often managed by small local companies with poor cybersecurity, is a particularly vulnerable target. A successful attack would not only cause immediate physical damage but also erode public trust in the safety of drinking water, an essential resource. Historically, attacks on critical infrastructure have been rare, but the rise of state-sponsored groups has changed the landscape. For example, in 2021, a ransomware attack on the Oldsmar, Florida water plant attempted to increase sodium hydroxide levels in the supply, though it was detected in time. Volt Typhoon, linked to China's Ministry of State Security, has been operating since at least 2021, focusing on critical infrastructure in the US and other countries. According to a 2023 Microsoft report, the group has compromised communications and energy networks, but its attention to the water sector is a worrying escalation. The Wired simulation underscores that the lack of regulation and fragmentation of the water sector (over 50,000 water systems in the US) make it difficult to implement uniform security measures.
Expected consequences
- Health impact: Hospitals and dialysis centers would become inoperable without clean water, increasing mortality. In the simulation, hospitals had to evacuate patients and cancel scheduled surgeries, while dialysis centers could not treat kidney failure patients, leading to preventable deaths within days.
- Economic cost: Insurers estimate losses of up to tens of billions of dollars from infrastructure damage, business interruption, and liability claims. In the simulated scenario, insurance claims exceeded $50 billion, a figure comparable to the costliest natural disasters. Businesses that rely on water for industrial processes, such as food and beverage manufacturing, would face prolonged shutdowns.
- Government response: The EPA (Environmental Protection Agency) is likely to tighten cybersecurity regulations for water systems, and Congress may allocate funds for modernization. In 2023, the EPA proposed rules requiring cybersecurity assessments but faced resistance from small operators. After this simulation, adoption of standards like the NIST Cybersecurity Framework may accelerate.
- Public-private cooperation: The exercise revealed the need for real-time threat intelligence sharing between government and the private sector. Currently, threat information on water infrastructure is shared limitedly through analysis centers like WaterISAC, but the simulation showed that response speed requires more direct and automated channels.
- Impact on cyber insurance: Premiums could skyrocket, especially for water utilities and dependent sectors. Insurers are already reassessing their exposure to cyber risks in critical infrastructure, and this exercise could lead to specific exclusions or stricter security requirements for coverage.
What readers should know
Volt Typhoon is not a new group; it has been operating for years and has been linked to China's Ministry of State Security. The simulated attack was based on already observed tactics, such as using living-off-the-land tools and lateral movement in networks. Water utilities must prioritize network segmentation, multi-factor authentication, and staff training. Additionally, cyber insurance becomes crucial, but premiums could skyrocket after this exercise. The simulation also highlighted the lack of contingency plans for a mass contamination scenario. For example, participants were unclear on protocols for issuing regional "do not drink water" alerts or coordinating bottled water distribution to hospitals and homes. A 2024 CISA report already warned that only 30% of US water systems meet basic cybersecurity standards. Compared to other sectors like finance or energy, water is far behind. Meanwhile, groups like Volt Typhoon continue to refine their techniques. The question is not if an attack of this magnitude will occur, but when, and whether the country will be prepared for the consequences.
"It's not a matter of if, but when," said an anonymous participant in the war game.
As the US strengthens its defenses, the question is whether measures will come in time. The Wired simulation serves as an urgent wake-up call for lawmakers, water utilities, and insurers to work together before fiction becomes reality.