Threat actors hacked a server of a Queensland water supplier and remained undetected for 9 months

Threat actors compromised a server managing customer data for a Queensland water supplier and remained undetected for nine months.

A served used by the SunWater statutory Queensland (Australia) Government-owned water supplier was compromised and threat actors remained undetected for nine longs, the annual financial audit report published by the Queensland Audit Office revealed.

The water supplier provides bulk water to over 5,000 customers and water consultancy services to several government clients in the Wide Bay–Burnett and North West regions of Queensland. SunWater manages 19 major dams and 1,600 miles long pipelines.

The hacked server was used by the company to manage customer information for the Queensland water supplier.

The security breach took place between August 2020 and May 2021, the intrusion has been attributed to a financially motivated attacker that deployed a custom implant to redirect visitor traffic to an online video platform.

It seems that attackers did not exfiltrate sensitive data from the compromised server.

“A cyber breach (between August 2020 and May 2021) resulting in unauthorised access to an entity’s web server was identified during the year. Threat actors (those conducting malicious activities against entities) targeted an older and more vulnerable version of the system. The web server that stores customer information contained suspicious files that increased visitor traffic to an online video platform. This did not result in lost customer or financial information.” reads the report.

The compromised server was running an old and flawed version of the software.

In response to the intrusion, the organization implemented a number of measures to address the security breach, including updating software, using stronger password practices, and implementing network traffic monitoring.

The report also provides “Further Action Needs To Be Taken,” such as the implementation of security monitoring
systems to detect and report on potential security threats and events, the adoption of multi-factor authentication on all external systems available to the public, the implementation of strong password practices in line with the state’s
recommendations, the implementation of mandatory cyber security awareness training, the implementation of of policies and processes to identify critical security vulnerabilities.

The report includes the results of the audit conducted on six entities in Queensland’s water sector: Seqwater,
Sunwater, Urban Utilities, Unitywater, Gladstone Area Water Board, and Mount Isa Water Board. The auditors found the lack of internal controls in three of the six water authorities audited.

“We continue to identify several control deficiencies relating to information systems. Cyber attacks continue to be a significant risk, with ongoing changes in entities’ working environments due to COVID-19.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, water supplier)

[adrotate banner=”5″]

[adrotate banner=”13″]