A cyber attacker gained access to the computer network of a Florida city's water treatment plant and tried to poison the water supply with lye.
Officials from Oldsmar made the attack public on Monday, revealing that the attempt was thwarted by a plant operator within minutes of it starting.
The intruder gained access to the city's water system through software that employees were using for remote network access. Once inside, the intruder raised the sodium hydroxide setting in the system from 100 parts per million to 11,100 parts per million, according to the police report.
Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. The plant uses it in small quantities to reduce the acidity of the city's drinking water.
The Oldsmar plant delivers water to around 15,000 households and businesses in the area.
During a press conference, Pinellas County Sheriff Bob Gualtieri said that the spike was noticed and the level immediately reduced. “As a result, there was never a major detrimental impact on the water being treated,” Gualtieri said.
“Most importantly, the general population was never in any danger,” he said.
Oldsmar Mayor Eric Seidel added that the good news is that the monitoring mechanisms in the city's water department are working properly. According to him, even if the operator had not spotted the change, “there are redundancies in the system that have alarms in them that would have caught the change in pH level in any case.”
The sheriff's office, the FBI and the Secret Service are investigating the incident.
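The layered monitoring the mayor describes, a check on the dosing setpoint itself plus an independent alarm on the measured pH, is easy to state in code. The following is an added example written for this page, not software from the Oldsmar plant or any vendor named here. The engineering limits, the source tags and the log entries are all constructed for illustration; a real plant takes its limits from its process design, not from a news report.

```python
"""Two independent layers of the kind a treatment plant relies on:
a guard on proposed setpoint writes, and a separate high-pH alarm on
measured water. All limits and data below are constructed assumptions."""
from dataclasses import dataclass

NAOH_MIN_PPM = 0.0
NAOH_MAX_PPM = 500.0      # assumed upper engineering limit for the dosing setpoint
NAOH_MAX_STEP_PPM = 50.0  # assumed largest change a single write may make
PH_HIGH_ALARM = 9.5       # assumed high-pH alarm threshold on treated water


@dataclass(frozen=True)
class SetpointWrite:
    ts: str
    source: str       # constructed tag: "local_hmi" or "remote_session"
    old_ppm: float
    new_ppm: float


def check_setpoint(write):
    """Layer 1: validate a proposed setpoint before it reaches the dosing pump.
    Returns the list of reasons for rejection; an empty list means accepted."""
    reasons = []
    if not NAOH_MIN_PPM <= write.new_ppm <= NAOH_MAX_PPM:
        reasons.append("out_of_range")
    if abs(write.new_ppm - write.old_ppm) > NAOH_MAX_STEP_PPM:
        reasons.append("step_too_large")
    if write.source != "local_hmi":
        # Policy choice for the example: remote writes are held for review.
        reasons.append("remote_origin")
    return reasons


def check_ph(readings, high=PH_HIGH_ALARM):
    """Layer 2: alarm on measured pH, independent of what the setpoint says."""
    return [(ts, ph) for ts, ph in readings if ph > high]


# Constructed log entries: a routine local adjustment and a write that mirrors
# the 100 -> 11,100 ppm change reported for Oldsmar.
WRITES = [
    SetpointWrite("2021-02-05T08:02:00", "local_hmi", 100.0, 110.0),
    SetpointWrite("2021-02-05T13:30:00", "remote_session", 100.0, 11100.0),
]
# Constructed pH samples drifting upward after the bad write.
PH_READINGS = [
    ("2021-02-05T13:25:00", 7.6),
    ("2021-02-05T13:40:00", 8.1),
    ("2021-02-05T13:55:00", 9.9),
]


def run(writes=WRITES, readings=PH_READINGS):
    """Return rejected writes keyed by timestamp and the list of pH alarms."""
    rejected = {}
    for w in writes:
        reasons = check_setpoint(w)
        if reasons:
            rejected[w.ts] = reasons
    return rejected, check_ph(readings)


if __name__ == "__main__":
    rejected, ph_alarms = run()
    for ts, reasons in rejected.items():
        print(f"REJECT {ts}: {', '.join(reasons)}")
    for ts, ph in ph_alarms:
        print(f"PH ALARM {ts}: pH {ph}")
```

One caveat the example makes visible: if the attacker drives the operator's own workstation through a remote-control session, as described for Oldsmar, the write arrives tagged as the local HMI and the source check is blind to it. The range and step limits still reject the write, and the pH alarm fires regardless of where the write came from, which is why the independent second layer matters.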
The threat actor got in through TeamViewer, a popular remote-control program that the water department's staff were using to manage the chemical mix of the water, according to Chris Risley, CEO of Bastille, a San Francisco provider of protection against mobile and wireless threats.
The attacker may have gained access to TeamViewer through phishing or password cracking, then taken control of the mouse to alter the chemical balance, he told Dailion.
According to Rick Moy, vice president of sales and marketing at Tempered Networks, an identity-based micro-segmentation supplier in Seattle, “it boils down to the premise that people believe that as long as they have a password on anything, they can protect it.”
“That is not correct,” he said to Dailion. “Passwords may be guessed by others. There are hacker tools available to do this.”
Although the identity of the attackers is unknown, their method of operation says something about them.
According to Bryson Bort, CEO of Scythe, an Arlington, Virginia-based computer and network security business, “we may safely conclude that this was an amateur.”
This is evident in their timing, during the day when they could be seen, and in their use of a tool that did not hide what they were doing, he told Dailion.
Moy agreed that a more skilled hacker would have penetrated the system more stealthily. “It was a rather low-tech assault,” he said.
Saryu Nayyar, CEO of Gurucul, a threat intelligence company based in El Segundo, Calif., noted that the intruder took control of the operator's workstation while the operator was sitting in front of it, which suggests the threat actor wanted to be caught in the act of sabotaging the chemical mix of the water.
In an interview with Dailion, she said that “there is a very tiny likelihood that the attacker did it when and how they did it as a wake-up call to the operator.”
So-called white hat hackers have been known to use exploits to make a point when someone has ignored their repeated warnings about a vulnerability, she noted.
“That would be the very improbable ‘best-case scenario’ in this situation,” she said.
The time the intruder spent on the system, once in the morning and once in the afternoon, both for brief periods, may also contribute to their profile.
“The attacker was well aware of what they were pursuing,” said Israel Barak, chief information security officer of Cybereason, a Boston-based endpoint security and response business.
“If that’s the case, it shows that the assault was carried out by someone who was well-versed in the system,” he told Dailion in an interview. “They might have even possessed the password for the remote supervisory system.”
Risley claimed that since the assault lacked complexity, it is improbable that a nation-state was responsible for it. “It’s possible that it came from another country,” he added, “but it doesn’t demonstrate the depth, accuracy, or endurance of a state-sponsored assault.”
“To be honest, a nation-state strike may have been successful,” he said.
There is a common misperception about what the adversary profile looks like in industrial control system attacks, Barak said.
“It’s normal for people to believe that these assaults are the work of a nation-state,” he added. “While these facilities are interesting to nation-state entities, they are also attacked on a regular basis by a variety of other cybercrime threat actors.”
“A lot of the time, they’re targeted because they’re low-hanging fruit,” he said. The threat actor finds a remote supervisory interface whose password may be trivial to guess, gets into the system, and aims to make a fast buck through a ransomware attack.
More Attacks Coming
Mayor Seidel appears to have legitimate cause to raise the alarm about criminals attacking municipal infrastructure.
As Risley pointed out, “we may anticipate more of these assaults.” Municipalities, he said, are not very good at keeping up with the latest security updates on their computer systems. “There are dozens, if not hundreds, of publicly disclosed vulnerabilities,” he said. “As a result, there are many possibilities for hackers to carry out these types of assaults.”
Krishnan Subramanian, a security researcher at Menlo Security, a cybersecurity startup based in Mountain View, Calif., said, “Given the pandemic moment we are in, remote tools and software are becoming pervasive for all sorts of enterprises and verticals.”
As he explained to Dailion, “this might open the door to greater opportunities for attackers to take advantage of flaws in such technologies.”
Chloé Messdaghi, vice president of strategy at Point3 Security, a Baltimore-based supplier of training and analytic tools to the security sector, also cautioned that towns should brace themselves for an increase in cyberattacks.
As she said to Dailion, “Attackers are aware that employees aren’t talking with their colleagues and IT personnel in the same way they used to, and they are aware that many people aren’t even physically there.”
She offered an analogy: “A vehicle thief is roaming around a dark parking lot checking car doors,” she said. “There is a high likelihood that he will come upon an unlocked door.”