In a Dec. 17, 2025, interview on KPCW, the Snyderville Basin Water Reclamation District, which serves the Park City area of Summit County, Utah, said it recently stopped what it described as an international cyberattack and recovered encrypted data.
In a Dec. 26, 2025, written statement later reported by The Park Record, the district said cybersecurity monitoring flagged that its ArcGIS server had been compromised and files were being encrypted. The district said it isolated the affected system and recovered the encrypted files.
The district said it is working with the Utah Division of Water Quality and outside providers including EPA Cyber Resources and Utah Cyber Security. It said it patched ArcGIS-related issues, expanded monitoring to a 24/7 cybersecurity center and planned additional penetration testing with federal authorities.
The district described the incident as an international cyberattack and said it was “most likely” from China, citing what it said was federal reporting about the China-linked group known as Flax Typhoon.
The district’s public description combines elements that do not neatly align. File encryption is often associated with financially motivated, ransomware-style incidents, while public reporting on Flax Typhoon more commonly emphasizes stealthy access and persistence. Based on what has been publicly released, the exact nature of the incident and the basis for the district’s attribution remain unclear.
One plausible explanation is attribution by association. Because ArcGIS environments have been publicly discussed in connection with Flax Typhoon activity, officials may have inferred that an ArcGIS-related intrusion pointed to that actor, even if the observed behavior was consistent with a ransomware-style event.
Another plausible explanation is multiple actors. The same exposed system or vulnerability could have been accessed by more than one intruder, or a second, more disruptive actor could have hit an environment that was already compromised. In some real-world cases, noisy activity like encryption has drawn attention to a broader compromise, but that remains speculative here without additional technical detail.
The district's description leaves key questions unanswered. In the same statement, officials said the intruder’s aim was “most likely” to encrypt data and demand ransom, or to plant “sleepers” for later access.
Public reporting on Flax Typhoon has generally emphasized stealth and persistence rather than encryption-driven extortion. Microsoft’s 2023 report described the group as a China-based nation-state actor focused on long-term access using built-in tools, credential access and web shells.
U.S. Justice Department and FBI statements around the 2024 disruption of infrastructure linked to Flax Typhoon similarly described the group as using compromised devices to support intrusions and the theft of confidential data. Those accounts did not characterize Flax Typhoon as an encryption-for-ransom actor.
Encryption and ransom demands are more commonly associated with ransomware incidents. In a separate 2021 Summit County case, Mountain Regional Water District told The Park Record that attackers encrypted some systems but water delivery continued.
ArcGIS is widely used by utilities and governments for mapping and asset management. Esri issued an ArcGIS Server security update in December 2025 and urged customers to apply patches promptly.
Recent water-sector cyber events show how impacts can hit customer-facing systems and monitoring tools even when treatment continues. American Water in 2024 took portions of its network offline after detecting unauthorized activity, disrupting billing and customer services and rescheduling appointments during restoration.
In 2025, Michigan State Police and the Great Lakes Water Authority investigated a potential intrusion attempt involving a monitoring and reporting system at Detroit’s Northeast Water Treatment Plant. The authority said water quality was not compromised and the system was not connected to treatment processes.
Arkansas City, Kansas, said in 2024 that it switched its water treatment facility to manual operations after a cybersecurity incident, reporting no service disruption and saying drinking water remained safe.
Snyderville Basin Water Reclamation District provides wastewater collection and reclamation services for the greater Park City area in Summit County. Local profiles say it serves about 13,000 homes and businesses across roughly 102 square miles.
The district did not respond to emailed questions seeking additional detail, including when the intrusion occurred and whether any ransom demand or data access was detected.