Threat actors in January attempted to poison the water at a US facility

Threat actors in January attempted to poison the water at a US facility, a circumstance that highlights the importance of cybersecurity for water and wastewater utilities.

The news that a threat actor in January attempted to poison the water at a facility in the U.S. made the headlines and highlights the importance of protecting critical infrastructure from hackers.

According to a report published by NBC News, threat actors attempted to compromise an unnamed water treatment plant that provides services to San Francisco Bay Area, the attack took place on January 15.

NBC became aware of the attack attempt from a private report created by the Northern California Regional Intelligence Center in February. The actors gained access to the systems at the facility by using the TeamViewer account of a former employee to gain access to systems and attempted to manipulate software used for treating drinking water.

“On Jan. 15, a hacker tried to poison a water treatment plant that served parts of the San Francisco Bay Area. It didn’t seem hard.” reads the post published by NBC. “The hacker had the username and password for a former employee’s TeamViewer account, a popular program that lets users remotely control their computers, according to a private report compiled by the Northern California Regional Intelligence Center in February and seen by NBC News.”

This is the first time that this specific incident has been reported by authorities, but unfortunately the number of similar attacks is growing.

In February, Pinellas Sheriff revealed that attackers tried to raise levels of sodium hydroxide, by a factor of more than 100, in the Oldsmar’s water supply. The scenario described by Pinellas Sheriff Bob Gualtieri is disconcerting, an attacker attempted to raise levels of sodium hydroxide, also known as lye, by a factor of more than 100, in Oldsmar’s water supply.

In March, the United States Department of Justice charged Wyatt A. Travnichek (22), of Ellsworth County, Kansas, for accessing and tampering with the computer system of the Ellsworth County Rural Water District.

Travnichek accessed the computer system of the Public Water System on or about March 27, 2019, without authorization.

Travnichek worked for the Ellsworth County Rural Water District for roughly one year, he was remote monitoring the plan by accessing the Post Rock computer system.

Once gained access to the public water system, the man allegedly performed malicious actions that halted the processes at the facility that impacted the cleaning and disinfecting procedures.

Back to the incident reported by NBC News, the news outlet revealed that the attack was discovered the day after the initial compromise, and in response to the attack the IT staff at the facility changed its passwords and reinstalled the software that was removed by the hackers. The good news is that the failure caused by the intrusion did not cause any problems to the citizens.

“No failures were reported as a result of this incident, and no individuals in the city reported illness from water-related failures,” read the incident report. 

U.S. water infrastructure, like other critical infrastructure in the US, lacks built-in security, according to the NbcNews, a widespread water hack would be very difficult to mitigate. The experts claim that there isn’t a centralized approach in the mitigation of cyber threats, each facility runs independently and doesn’s share any information with peers.

“It’s really difficult to apply some kind of uniform cyber hygiene assessment, given the disparate size and capacity and technical capacity of all the water utilities,” Mike Keegan, an analyst at the National Rural Water Association, told to NbcNews. “You don’t really have a good assessment of what’s going on.”

The experts pointed out that drinking water facilities that serve rural areas don’t have a dedicated cybersecurity team and are particularly exposed to cyber-attacks. 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, US facility)

[adrotate banner=”5″]

[adrotate banner=”13″]