Attack on a water treatment plant highlights vulnerabilities in infrastructure

Randy Pargman

Randy Pargman

Randy Pargman is the Vice President of Threat Hunting and Counterintelligence at Binary Defense. In this role, he leads the teams responsible for advanced analysis of malware, development of technology to detect threat actor activity, threat intelligence research of criminal forums, and monitoring of Darknet, Clearnet and Social Media platforms for threat indicators. Randy previously worked for the FBI, where he served for 15 years, most recently as a Senior Computer Scientist on the Cyber Task Force in Seattle. Randy is now frequently covered by national media outlets for his cybersecurity expertise.
Share on facebook
Share on twitter
Share on linkedin

This week, the news broke that hackers attempted to poison the water supply in Oldsmar, Florida. Hackers leveraged a commercially-available remote access software called Team Viewer, that enabled them to access the computer that controlled the levels of additives in the water. Thankfully, the attack was thwarted by safeguards that were in place to prevent such a catastrophic attack.

It can’t be emphasized enough that this would have been a devastating event if the hackers had succeeded.

So how did this happen, and could it happen again?

How did the attack on the water treatment plant happen?

This attack is not surprising to anyone who works in the computer security sector. The Department of Homeland Security has been issuing warnings for years about the threat to water treatment plants, electric generation and distribution utilities and other critical infrastructure.

According to SC Magazine, providers of critical services such as water, electricity and more have faced “technology obsolescence” from outdated equipment and software. Lack of adequate staffing and budget also contributes to gaps in security at these companies, many of which are small regional businesses.

Even before the pandemic, operators of critical infrastructure needed remote access to their systems in order to respond quickly from home if they needed to make emergency adjustments. The criminal(s) behind the attack could have obtained access through any number of means, some of which are tactics hackers have been using for years.

Team Viewer has several options for remote access. The simplest just requires a password that can be shared among several people. The suspect who logged on to the Team Viewer account at the water treatment plant might have guessed the password if it was a simple, easy-to-remember phrase shared among employees. Another possibility is that the criminal stole it from an employee by tricking them into typing their password into a fake login screen via a phishing email. Or, the criminal could have hacked an employee’s email account, finding a message containing the password.

An insider threat is another possibility—the attacker could be a disgruntled former employee or contractor who remembered the Team Viewer password.

These are all possibilities that the FBI and Secret Service investigators will consider as they track down all available leads to find the person responsible.

Tracking the criminal behind the attack

The Team Viewer servers will likely have a record of the IP address and other details used by the person who logged in. Even though the Team Viewer company is based outside the United States, mutual legal assistance treaties allow law enforcement investigators in the US to request official records from companies overseas. Following the digital trail of evidence online is somewhat like following footprints in the dirt—investigators have to act quickly to trace the movements of the suspect before it disappears. Some companies only keep records about remote logins or other events for a few days or a month. In this case, the local officials brought in law enforcement right away, so they have the best chance of preserving evidence and possibly finding the person responsible.

Companies using Team Viewer should consider implementing two-factor authentication, requiring a one-time code generated on a smartphone in addition to the password. This is a much safer option and can protect the account even if a password is stolen. There are more secure ways to protect remote access, but unfortunately many water treatment plants and public utilities allow access to their critical control systems from the Internet without any password required at all, or with a simple password that is too easy to guess.

Adding a managed endpoint monitoring and detection solution is an affordable option for smaller companies, and with an event like this, could help save lives. As the Pinellas County Sheriff said, this should serve as a wake-up call to everyone who operates critical infrastructure.

More Articles