A cyber intruder broke into the computer network of the water treatment system of a Florida city and attempted to poison it with lye.
News of the attack was made public Monday by officials of Oldsmar, who revealed the attack was foiled by an operator at the facility within minutes of its launch.
After gaining access to the city’s water system through software used by employees for remote network access, the intruder increased the levels of sodium hydroxide in the system from 100 parts per million to 11,000 parts per million.
Sodium hydroxide, commonly known as lye, is the main ingredient in liquid drain cleaners. In the water system, it’s used in small amounts to control the acidity of the city’s drinking water.
The Oldsmar plant provides water to businesses and about 15,000 residents.
“Because the operator noticed the increase and lowered it right away, at no time was there a significant adverse effect on the water being treated,” Pinellas County Sheriff Bob Gualtieri said at a news conference.
“Importantly, the public was never in danger,” he observed.
Oldsmar Mayor Eric Seidel added that the good news is that the monitoring protocols the city’s water department have in place work. “Even had they not caught them, there’s redundancies that have alarms in the system that would have caught the change in PH level, anyhow,” he asserted.
“The important thing is to put everybody on notice,” he continued. “And I think that’s really the purpose of today is to make sure that everyone realizes these kinds of bad actors are out there. It’s happening. So take a really hard look at what you have in place.”
The incident is currently being investigated by the sheriff’s office, FBI and Secret Service.
In staging the attack, the threat actor used TeamViewer, a popular remote control program that was being used by the water administration team to control the chemical mix of the water, explained Chris Risley, CEO of Bastille, in San Francisco, a provider of protection from mobile and wireless threats.
“The attacker compromised TeamViewer, perhaps by hacking the passwords, and took over the mouse to reset the chemical balance,” he told TechNewsWorld.
“It comes down to the notion that people think that as long as they have a password on something, they can secure it,” observed Rick Moy, vice president of sales and marketing at Tempered Networks, an identity-based micro-segmentation provider in Seattle.
“That’s not true,” he told TechNewsWorld. “People can guess passwords. There are hacker tools out there to do that.”
Although details about who mounted the attack are unknown, their modus operandi reveals something about them.
“We can reasonably speculate this was an amateur,” noted Bryson Bort, CEO of Scythe, a computer and network security company in Arlington, Va.
“It shows in their timing — during the day when they could be seen — and the use of the tool without obfuscating what they were doing,” he told TechNewsWorld.
Moy agreed that an experienced hacker would have entered the system in a more clandestine manner. “It was a pretty low-tech attack,” he added.
Since the intruder grabbed control of the operator’s workstation while the operator was sitting in front of it, it’s possible the threat actor wanted to be caught in the act of sabotaging the chemical mix of the water, maintained Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif.
“There is a very slim possibility that the attacker did it when and how they did as a wakeup call to the operator,” she told TechNewsWorld.
“So-called White Hat Hackers have been known to execute an exploit to prove a point when someone has ignored their repeated warnings about a vulnerability,” she explained.
“That would be the very unlikely ‘best case’ scenario here,” she added.
The length of time the intruder was on the system — once in the morning and again in the afternoon, both for very short periods of time — may also add something to their profile.
“The attacker knew what they were after,” said Israel Barak, CISO of Cybereason,an endpoint security and response company in Boston.
“If that’s the case, it suggests that the attack was done by someone who knew the system well,” he told TechNewsWorld. “They may have even had the password for the remote supervisory system.”
Since the attack lacked sophistication, it’s unlikely a nation-state was behind it, Risley asserted. “It might have been from overseas,” he said, “but it doesn’t show the depth, precision or persistence of a nation-state attack.”
“Honestly, a nation-state attack might have worked,” he added.
When we think about industrial control systems attacks, there’s a misconception about what the adversary profile is, Barak explained.
“It’s common to think these attacks are nation-state operations,” he said. “While these facilities are attractive to nation-state groups, they’re also targeted on an ongoing basis by a lot of different cybercrime threat actors.”
“A lot of times they’re targeted because they’re low hanging fruit.,” he continued. “In a broad network scan, a threat actor will find a remote supervisory interface, the password might be easy to guess, and they’ll get into the system looking for a quick payday with a ransomware attack.”
More Attacks Coming
Mayor Seidel appears to have had a good reason to raise the alarm about bad actors targeting municipal infrastructure.
“We can expect more of these attacks,” Risley said. “There are dozens, or hundreds, of published vulnerabilities and municipalities are not great at keeping up with the latest security patches on their computer equipment. So, there are many opportunities for hackers to execute these kinds of attacks.”
“Given the pandemic time we are in, remote tools and software are becoming ubiquitous for all types of industries and verticals,” added Krishnan Subramanian, a security researcher at Menlo Security, a cybersecurity company in Mountain View, Calif.
“This could mean more room for attackers to take advantage of weaknesses in such tools,” he told TechNewsWorld.
Chlo Messdaghi, vice president of strategy at Point3 Security, a provider of training and analytic tools to the security industry in Baltimore also warned that municipalities should expect more attacks.
“Attackers know that people aren’t communicating with their colleagues and IT staff like they used to, and they know many people aren’t even physically on site,” she told TechNewsWorld.
“Picture a thief walking around a dark parking lot checking car doors,” she said. “The chances he comes across an unlocked door are good.”