Three more ransomware attacks hit Water and Wastewater systems in 2021

A joint cybersecurity advisory published by US agencies revealed that three ransomware attacks on wastewater systems this year.

A joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA revealed three more attacks launched by Ransomware gangs against US water and wastewater treatment facilities (WWS) this year.

This is the first time that these attacks are publicly disclosed, they took place in March, July, and August respectively. The three facilities hit by ransomware operators are located in the states of Nevada, Maine, and California. In all the attacks the ransomware encrypting files on the infected systems and in one of the security incidents threat actors compromised a system used to control the SCADA industrial equipment.

The advisory reports common tactics, techniques, and procedures (TTPs) used by threat actors to compromise IT and OT networks of WWS facilities, they include:

• Spearphishing campaign aimed at the personnel to deliver malicious payloads such as ransomware and RAT;
• Exploitation of services and applications exposed online that enable remote access to WWS networks (i.e. RDP accesses);
• Exploitation of vulnerabilities affecting control systems running vulnerable firmware versions.

The three new incidents included in the advisory are:

• In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
• In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.
• In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).

Other known attacks against Water and Wastewater systems that took place in the pat were:

• In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.
• In March 2019, a former employee at Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer [see media coverage].

“This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities. Note: although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.” concludes the advisory.

“The FBI, CISA, EPA, and NSA recommend WWS facilities—including DoD water treatment facilities in the United States and abroad—use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations to prevent, detect, and respond to cyber threats.”

The security advisory doesn’t include other security incidents that hit water treatment facilities are:

• threat actors attempted to compromise an unnamed water treatment plant that provides services to San Francisco Bay Area, the attack took place on January 15.
• in February, Pinellas Sheriff revealed that attackers tried to raise levels of sodium hydroxide, by a factor of more than 100, in the Oldsmar’s water supply.

“CISA, FBI, EPA, and NSA strongly urge organizations to implement the measures described in the Recommended Mitigations section of this advisory,” the four agencies said.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Water and Wastewater systems)

[adrotate banner=”5″]

[adrotate banner=”13″]