Utah’s Snyderville Basin Water Reclamation District cites Flax Typhoon but reports file encryption on GIS server

District says operations continued, but its account blends espionage attribution with ransomware-style behavior

The headquarters of the Snyderville Basin Water Reclamation District in Park City, Utah.
In a late December 2025 public statement first reported by The Park Record, the Snyderville Basin Water Reclamation District said cybersecurity monitoring alerted staff that the district’s ArcGIS server had been compromised and files were being encrypted. The district said its defenses isolated the affected system and it recovered the encrypted files.

District officials said the incident did not affect ongoing operations. They said the district reported it to the FBI and the Cybersecurity and Infrastructure Security Agency.

The district said it is working with the Utah Division of Water Quality and outside providers including EPA Cyber Resources and Utah Cyber Security. It said it patched ArcGIS-related issues, expanded monitoring to a 24/7 cybersecurity center and planned additional penetration testing with federal authorities.

The district described the incident as an international cyberattack and said it was “most likely” from China, citing what it said was federal reporting about the China-linked group known as Flax Typhoon.

That description leaves key questions unanswered. In the same statement, officials said the intruder’s aim was “most likely” to encrypt data and demand ransom, or to plant “sleepers” for later access.

Public reporting on Flax Typhoon has generally emphasized stealth and persistence rather than encryption-driven extortion. Microsoft’s 2023 report described the group as a China-based nation-state actor focused on long-term access using built-in tools, credential access and web shells.

U.S. Justice Department and FBI statements around the 2024 disruption of infrastructure linked to Flax Typhoon similarly described the group as using compromised devices to support intrusions and the theft of confidential data. Those accounts did not characterize Flax Typhoon as an encryption-for-ransom actor.

Encryption and ransom demands are more commonly associated with ransomware incidents. In a separate 2021 Summit County case, Mountain Regional Water District told The Park Record that attackers encrypted some systems but water delivery continued.

ArcGIS is widely used by utilities and governments for mapping and asset management. Esri issued an ArcGIS Server security update in December 2025 and urged customers to apply patches promptly.

Recent water-sector cyber events show how impacts can hit customer-facing systems and monitoring tools even when treatment continues. American Water in 2024 took portions of its network offline after detecting unauthorized activity, disrupting billing and customer services and rescheduling appointments during restoration.

In 2025, Michigan State Police and the Great Lakes Water Authority investigated a potential intrusion attempt involving a monitoring and reporting system at Detroit’s Northeast Water Treatment Plant. The authority said water quality was not compromised and the system was not connected to treatment processes.

Arkansas City, Kansas, in 2024 said it switched its water treatment facility to manual operations after a cybersecurity incident, reporting no service disruption and saying drinking water remained safe.

Snyderville Basin Water Reclamation District provides wastewater collection and reclamation services for the greater Park City area in Summit County. Local profiles say it serves about 13,000 homes and businesses across roughly 102 square miles.

The district did not respond to emailed questions seeking additional detail, including when the intrusion occurred and whether any ransom demand or data access was detected.

Joseph Topping

A writer, intelligence analyst, and technology enthusiast passionate about the connection between the digital and physical worlds. His views expressed here do not necessarily reflect those of his employer, and he writes here as an individual.
