Prayukth K V
A significant cyber incident involving OT infrastructure played out over the last few weeks and went mostly unnoticed. The compromise of the flood control pumps protecting Venice's San Marco area, which occurred in late March/early April, underscores a tectonic shift: sophisticated attacks on OT are no longer confined to digital disruption but are increasingly aimed at real-world physical impact. Let's hope this does not become the norm. The incident also signals a change in adversary priorities, with OT systems now sitting firmly in the crosshairs of hacktivists and state-backed actors.
The threat actor in this instance, operating under the names “Infrastructure Destruction Squad” and “Dark Engine,” claimed to have gained administrative access to the system. According to the group, it could “disable defenses and flood coastal areas,” turning a digital intrusion into a potential physical disaster. As per the group's latest update, it has since been locked out of the network.
In today’s blog post we do a deep dive into this incident and highlight key aspects that may have been overlooked. We will also recommend ways in which such intrusions can be prevented.
As always, before moving forward, don’t forget to check out our previous blog post on East-West traffic monitoring in OT to meet NERC CIP-015 requirements here.
History of this incident
As per Shieldworkz research, validated against the group's Telegram posts, the breach began in late March (possibly around the 18th), with the attackers obtaining access to the control interface of the anti-flooding system (specifically the hydraulic pumping system that keeps Venice from going under water). In the first week of April the hackers began sharing evidence of access, including screenshots of control panels, system layouts and valve states. They claimed control over the system's ability to prevent flooding and offered to sell complete root access for US$ 600 (later raised to $650).
Here is the timeline of this incident
| Phase | Date | Event |
| --- | --- | --- |
| Initial access | Late March 2026 (around 18 March) | Attackers breach the control interface of the Sistema di Riduzione Rischio Allagamento. |
| Persistence and recon | First week of April 2026 | Attackers map valves, pneumatic sensors and HMI layouts; evidence release begins on Telegram. |
| Government audit | Post-Easter 2026 | Italian authorities conduct "new checks" and equipment tests. Tests initially appear "positive" (safe). |
| The "message" | 12 April 2026 | Threat actor reveals it remained in the network during the tests and deliberately chose not to flood the city. |
| Monetization | 13 April 2026 | Full root access to the pump system is offered for sale on five underground forums for $600. |
Adversary Hypothesis
Actor: Infrastructure Destruction Squad (Dark Engine).
Origin/Affiliation: The group's posts are written in Chinese (on its own, the language of the posts is a weak signal and does not establish where the operators sit). The low price point ($600) suggests either a "hacktivist-for-hire" outfit or a state-sponsored "pre-positioning" unit running an operation masked as low-level crime. Money is clearly not the motivation. The Chinese threat actor APT41 is known to run multiple front organisations and affiliates to maintain plausible deniability.
Motivation: Strategic signalling. The goal was not destruction (at least in the short term) but demonstrating that Chinese threat actors can gain access to critical infrastructure.
In another post, the alleged hackers claimed to be operating with ostensibly noble intentions (where have we heard that before?). Their stated goal was to expose weaknesses in how critical infrastructure security is managed and to create political pressure to fix those gaps. If the goal were so noble, why sell root access for US$ 600? The group's answer was that the low price was meant to show how easy and cheap it is to gain access to a system that can then be used for mischief. This is a new level of messing around.
This claim falls flat when one reads their latest update (posted on 12 April) on Telegram, in which the group claims to have built a tool that it will use to target energy companies (screenshot attached). They have also made specific threats against Italy.
Screenshot from the group's Telegram channel.

Here is the message the Infrastructure Destruction Squad posted on the Telegram channel while announcing the attack.
“We announce the hacking of the system: SISTEMA DI RIDUZIONE RISCHIO ALLAGAMENTO (Flood Risk Reduction System) belonging to the Italian Ministry of Infrastructure and Transport. We have taken full control of the system. Political objective: To expose the vulnerability of Italy’s critical infrastructure. Control of this system enables the disabling of floodgates, flooding of coastal areas, and political blackmail of the Italian government. Offer for sale: We are granting full root access to the control system. The price is 600 USD for any party wishing to purchase access.”
It should be noted that the specific entity managing the pumps is the Provveditorato per le Opere Pubbliche del Triveneto (which reports to the Ministry of Infrastructure and Transport).
As per the Infrastructure Destruction Squad, a security team from the Venice Water Authority conducted tests to validate the intrusion but could not confirm it. As per the Ministry's update of 12 April, it did detect "anomalous traffic" but did not realize the level of persistence the attackers had achieved via the HMI's web server. The Ministry's position, therefore, is that detection was successful but the scope of the breach was underestimated.
In the latest update posted earlier today, the group said "Haha, the Italian authorities kicked us out of the network. Haha don't worry, we'll launch attacks. Shut up." If we were to go by this update, it seems like Venice Water Authority has regained control.
About the infrastructure
The pumping system seems to be part of the MOSE (Italian: Modulo Sperimentale Elettromeccanico, lit. 'Experimental Electromechanical Module') project that is designed to protect the city of Venice, Italy, and the Venetian Lagoon from flooding. As per Wikipedia, this project is essentially a set of mobile gates residing on the seafloor of Lido, Malamocco, and Chioggia inlets, that can be raised to temporarily seal off the Venetian Lagoon from the Adriatic Sea during high tides. “Together with other measures, such as coastal reinforcement, elevation of quaysides, and paving and improvement of the lagoon, MOSE is designed to protect Venice and the lagoon from tides of up to 3 metres (9.8 ft). As of 2023, the floodgates are raised for tides forecast to be more than 1.30 metres.”
During normal tides, the gates are filled with water and lie on the seabed. When high tides are forecast, the water inside these gates is removed by pumping in compressed air that causes the gates to rise above high tide. This creates a barrier that seals the lagoon from the sea. Once the high tide passes, water is pumped back into the gates, and the air is expelled. This lets the gates sink back onto the sea floor.
The cost of this unique project: $8 Billion.
You can see the whole system in action through an aesthetically animated image here.
So what went wrong?
For an Operational Technology (OT) security professional, the impact of this incident goes well beyond the headlines and operational complexities. It is about the vulnerability of the utilitarian systems that let cities and municipalities operate efficiently and deliver citizen services without interruption. Vulnerabilities in these systems can be exploited to create high-risk situations that threaten public safety and health (and potentially hold governments hostage).
The claim that hackers gained significant control over the pumps governing Venice's flood defenses highlights a recurring failure in the protection of Industrial Control Systems (ICS). Unlike standard IT breaches, where data theft is usually the goal, these attacks target the process control loop: the aim is to take over process variables or setpoints, or to drive the equipment well outside its designed operational envelope.
How did they gain access?
Let's first look at how such scenarios usually play out. The primary vector is rarely a sophisticated multi-stage exploit. It typically involves one of the following:
Unauthenticated Human-Machine Interfaces (HMIs): Many pump stations use web-based HMIs for remote monitoring. If these are reachable from the internet (and therefore indexed by search engines such as Shodan or Censys) and lack robust authentication, they are an open door.
Protocol-level weaknesses: Legacy protocols such as Modbus and S7 were designed for reliability, not security. They carry no authentication and no encryption, so anyone who can reach the network segment can send write commands directly to the Programmable Logic Controllers (PLCs), and the PLC has no way to tell an operator's command from an attacker's.
VNC and Remote Desktop Protocol (RDP) exposure: Screen-sharing software left active after a maintenance session lets an attacker literally "take the wheel" of the control software.
It is possible that an exposed HMI was used in this attack.
However, it is important to distinguish between "access" and "control." Hacktivists often share screenshots of HMI panels to claim total control. Even if they can only toggle a single pump or change one parameter, the real danger lies in a cascading failure. By cycling pumps on and off rapidly (short-cycling), an attacker can cause mechanical fatigue or electrical surges, rendering the hardware inoperable even after the digital breach is closed.
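To make the protocol-level point concrete, here is an added example (not code from this post, and not from any party to the incident) that builds and decodes a Modbus/TCP Write Single Coil request. The frame layout is the real Modbus/TCP one; the IP addresses, the coil number and the allowlist are assumptions for illustration. Nothing in the frame identifies or authenticates the sender, so the only place a write can be refused is a control outside the protocol, here a simple source allowlist of the kind an industrial firewall with DPI enforces.

```python
import struct

# Modbus/TCP frame = MBAP header (7 bytes) + PDU.
# MBAP: transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
# PDU:  function code (1) | function-specific data
# There is no credential, session key or signature anywhere in the frame.
FC_READ_COILS = 0x01
FC_WRITE_SINGLE_COIL = 0x05
# Function codes that change controller state (coils/registers).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}


def build_read_coils(transaction_id, unit_id, start_address, quantity):
    """Read-only request: asks the PLC for `quantity` coils from `start_address`."""
    pdu = struct.pack(">BHH", FC_READ_COILS, start_address, quantity)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def build_write_single_coil(transaction_id, unit_id, coil_address, on):
    """Request that forces one coil (e.g. a pump start relay) on or off.
    0xFF00 means ON and 0x0000 means OFF; the PLC rejects any other value."""
    value = 0xFF00 if on else 0x0000
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, coil_address, value)
    # The MBAP length field counts the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(frame):
    """Decode a Modbus/TCP request; raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    data = frame[8:]
    parsed = {"transaction_id": tid, "unit_id": uid, "function": fc,
              "is_write": fc in WRITE_FUNCTIONS}
    if fc == FC_WRITE_SINGLE_COIL:
        if len(data) != 4:
            raise ValueError("write single coil needs 4 data bytes")
        address, value = struct.unpack(">HH", data)
        if value not in (0xFF00, 0x0000):
            raise ValueError("illegal coil value")
        parsed.update({"address": address, "value": value == 0xFF00})
    elif fc == FC_READ_COILS:
        if len(data) != 4:
            raise ValueError("read coils needs 4 data bytes")
        address, quantity = struct.unpack(">HH", data)
        parsed.update({"address": address, "quantity": quantity})
    return parsed


def authorize(frame, source_ip, write_allowlist):
    """Compensating control: reads are allowed from inside the zone, writes only
    from allowlisted engineering/HMI hosts. The decision has to come from outside
    the protocol because the frame carries nothing to base it on."""
    parsed = parse_frame(frame)
    if parsed["is_write"] and source_ip not in write_allowlist:
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Assumed addresses: 10.20.1.5 is the legitimate HMI, 10.20.5.7 an intruder.
    req = build_write_single_coil(1, 1, 17, True)
    print(req.hex(), parse_frame(req))
    print("HMI:", authorize(req, "10.20.1.5", {"10.20.1.5"}))
    print("intruder:", authorize(req, "10.20.5.7", {"10.20.1.5"}))
```

The twelve bytes the intruder sends are byte-for-byte identical to the ones the HMI sends; the only difference a defender can act on is where they came from, which is why the allowlist lives in the firewall and not in the PLC.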
The intrusion chain
Reconstructed from the group's posts and the Ministry's statements, the likely chain was:
The Exposed Edge: The adversary found an internet-facing IP associated with the Venice hydraulic system, most likely through automated scanning (Shodan/Censys).
Default or Leaked Credentials: Logging in with known default passwords for common industrial gateways, or with leaked Ministry credentials.
HMI Manipulation: Once inside, the "Squad" did not trigger alarms. They observed the system through the high-tide season to understand the logic of the pneumatic valves.
The Deception Gap: During the Italian government's "Easter checks," the attackers stayed dormant or manipulated the data shown on the SCADA screens so that the checks returned a "safe" status.
Public Disclosure: To maximize embarrassment, they waited until after the authorities declared the system secure to post proof of their continued presence.
Mapping to the MITRE ATT&CK framework
| Tactic | Technique ID | Name | Application to incident |
| --- | --- | --- | --- |
| Initial Access | T0883 | Internet Accessible Device | Used to reach the hydraulic control interfaces (the HMI's web server) directly. |
| Persistence | T0889 | Modify Program | Potential modification of the PLC logic to survive reboots and the post-Easter tests. |
| Collection | T0852 | Screen Capture | The HMI screenshots posted on Telegram as proof of access. |
| Collection | T0845 | Program Upload | Pulling system layouts and valve configurations from the controllers. |
| Impact | T0831 | Manipulation of Control | The claimed ability to disable floodgates or override manual pump starts. |
| Impact | T0879 | Damage to Property | (Potential) Intended objective to flood Piazza San Marco. |
The geo-political backdrop
Such events aren't happening in a vacuum. Pro-Russia or anti-Western hacktivist groups have increasingly targeted European infrastructure (case in point, repeated attacks on Polish critical infrastructure). By hitting a landmark as iconic as San Marco, the attackers achieve a massive psychological impact that far outweighs the technical complexity of the hack.
As mentioned earlier, this incident exhibits clear indicators consistent with the involvement of a state-backed actor.
Why Venice or rather why Italy?
In recent years, Italy has recalibrated its relationship with China. It exited the Belt and Road Initiative and strengthened its investment screening rules under its ‘golden power’ mechanism, blocking or limiting acquisitions in several strategic sectors such as semiconductors, robotics and telecommunications. Such moves attract attention at the highest levels of the Chinese government, and an intrusion like this may be strategic signalling, just as Russia used the attacks on Poland to score geopolitical points.
It is possible that the attack was carried out by a Chinese group with extensive links to China's Ministry of State Security. The strategic signal being conveyed could be on the lines of:
How much does it take to flood Venice? $600
Chinese threat actors can breach European critical infrastructure
At Shieldworkz, we assess that China may soon undertake a diplomatic move that could be loosely linked to this incident. This move when interpreted correctly will expose the real motive behind this incident. The Chinese APT playbook emphasizes the use of covert signaling to shape the environment before revealing true intent.
The regulatory imperative: Moving beyond mere "good intentions"
In the current geopolitical climate, with multiple conflicts active, maintaining a "baseline" security level is no longer legally or operationally sufficient. The NIS2 Directive in Europe has significantly raised the stakes for entities managing water and flood defences, and with it the minimum expected level of critical infrastructure security.
Compliance is now tied to operational resilience and governance maturity. Security must be "baked in" at the commissioning phase of any maritime or municipal project. If a pump station is being upgraded, the security of its remote telemetry is every bit as vital as the horsepower of its engines.
The to-do list for OT security
To prevent your infrastructure from becoming a hacktivist trophy, follow this prioritized technical checklist:
Implement "Zero-Trust" for remote access: Remove all direct-to-PLC and direct-to-HMI internet connections. Make a hardened jump server with Multi-Factor Authentication (MFA) the only gateway into the OT environment.
Audit for default and/or leaked credentials: Sweep every field device. Ensure no sensor, gateway or controller is still using a factory-set username or password, and rotate anything that appears in a credential leak.
Disable unnecessary services: Turn off Telnet, plain HTTP (serve HMIs over HTTPS only) and any discovery protocols on the PLCs that the process does not need.
Network micro-segmentation: Isolate the San Marco (or equivalent) control network from the broader municipal office network. Traffic between the zones should be strictly filtered by an industrial firewall capable of Deep Packet Inspection (DPI), so that only approved hosts can issue write commands.
Enable system logging and monitoring: Log every "Start/Stop" command sent to a pump on a separate, immutable server. Unusual activity, such as a pump being toggled at 3:00 AM or from a host that is not an HMI, should trigger an immediate physical inspection.
Validate manual fallbacks: Periodically test the ability of staff to operate the flood gates or pumps in "Local Manual" mode. If the digital system is compromised, your team must be able to keep the city dry using physical overrides.
Conduct regular IEC 62443-based risk assessments: Locate and fix OT security gaps before they can be exploited.
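As an added example (not code from this post or from any party to the incident), here is a small detector for the kind of command log the logging and monitoring item above calls for. The log lines are constructed, and the field layout (one decoded Modbus write per line with src/dst/unit/fc/coil fields) is an assumption; in practice the lines would come from a DPI firewall or a span-port sensor. It applies three checks: writes from a host that is not an allowlisted HMI, writes outside working hours, and the short-cycling pattern described earlier (many state changes on one output within a short window), which is the case where "access" turns into physical damage.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Function codes that change controller state; reads (1-4) are ignored below.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# Constructed sample log (not from the incident). One line per decoded Modbus
# request: UTC timestamp, then key=value fields. 10.20.1.5 is the assumed
# legitimate HMI and 10.20.5.7 an assumed unknown host inside the OT zone.
SAMPLE_LOG = """\
2026-04-11T14:05:10Z src=10.20.1.5 dst=10.20.1.10 unit=1 fc=5 coil=17 value=1
2026-04-11T14:07:42Z src=10.20.1.5 dst=10.20.1.10 unit=1 fc=5 coil=17 value=0
2026-04-12T03:00:03Z src=10.20.5.7 dst=10.20.1.10 unit=1 fc=5 coil=17 value=1
2026-04-12T03:00:05Z src=10.20.5.7 dst=10.20.1.10 unit=1 fc=5 coil=17 value=0
2026-04-12T03:00:07Z src=10.20.5.7 dst=10.20.1.10 unit=1 fc=5 coil=17 value=1
2026-04-12T03:00:09Z src=10.20.5.7 dst=10.20.1.10 unit=1 fc=5 coil=17 value=0
2026-04-12T03:00:11Z src=10.20.5.7 dst=10.20.1.10 unit=1 fc=5 coil=17 value=1
2026-04-12T10:15:00Z src=10.20.1.5 dst=10.20.1.10 unit=1 fc=3 reg=40001
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts' and an int 'fc'."""
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    event["fc"] = int(event["fc"])
    return event


def analyze(log_text, allowed_writers, work_hours=(6, 22),
            cycle_window=timedelta(seconds=60), cycle_threshold=4):
    """Return (timestamp, rule, detail) alerts for write commands that come from
    an unexpected host, happen outside working hours, or hammer one output fast
    enough to short-cycle the pump behind it."""
    alerts = []
    recent = defaultdict(deque)  # (dst, unit, point) -> timestamps of recent writes
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev["fc"] not in WRITE_FUNCTIONS:
            continue  # reads are normal polling traffic
        stamp = ev["ts"].isoformat()
        if ev["src"] not in allowed_writers:
            alerts.append((stamp, "unauthorized_source", ev["src"]))
        if not (work_hours[0] <= ev["ts"].hour < work_hours[1]):
            alerts.append((stamp, "off_hours_write", ev["src"]))
        point = (ev["dst"], ev["unit"], ev.get("coil") or ev.get("reg"))
        window = recent[point]
        window.append(ev["ts"])
        # Drop writes older than the window, then count what is left.
        while ev["ts"] - window[0] > cycle_window:
            window.popleft()
        if len(window) >= cycle_threshold:
            alerts.append((stamp, "short_cycling", point))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, allowed_writers={"10.20.1.5"}):
        print(*alert)
```

On the sample, the two daytime writes from the HMI produce nothing, the read is ignored, and the five 3 AM writes from the unknown host each trip the source and hours rules; from the fourth toggle onward the short-cycling rule fires as well. The thresholds are assumptions to tune per pump: the window and count should sit below the minimum cycle time the pump manufacturer specifies.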
Interested in assessing your HMI exposure or learning about your OT risk? Talk to our IEC 62443 experts through a free consultation.
Additional resources
Remediation guide to prevent such OT security incidents
Remediation guide for NIS2 security gaps
PLC security remediation playbook (as per the latest CISA guidance)
How to deploy IEC 62443 controls
Feel free to reach out if you have any questions.
Another update from the Telegram channel belonging to the Infrastructure Destruction Squad.
