An unknown threat actor remotely took control of a critical control system at the water treatment facility in Oldsmar, Florida on February 6th. The facility operator noticed the attacker take control of the mouse on the computer and start making changes, including changes to the amount of Sodium Hydroxide that was put into water. At low levels, Sodium Hydroxide is not dangerous, but when consumed in large amounts it could become poisonous. The attacker changed the level from 100 parts per million to 11,100 parts per million. Because the facility operator recognized the attack quickly, they managed to reverse the changes immediately and cut off remote access. The attacker remotely gained access to the computer using the TeamViewer software, which is used by other facility workers to remotely troubleshoot problems within the system. The city mayor stated that even if the facility manager would not have recognized the changes on the computer system, the facility has redundant safety controls in place that sound alarms when dangerous levels of chemicals are identified in the water. The county sheriff was notified immediately, and now the FBI and Secret Service are investigating the attack.
Analyst Notes
According to researchers at Mandiant, the attack was not sophisticated. They stated that within the past year, amateur attacks on industrial control systems have been on the rise. Many attacks on control systems happen as a result of outdated systems, unpatched vulnerabilities, or compromised accounts. It is important for every organization, but especially industrial control systems, to secure remote access systems and make sure all of their software is patched and up to date. Companies should also have monitoring in place to discover stolen credentials being leaked online such as Binary Defense’s Counterintelligence service, which utilizes different ways to search for leaked credentials and alert the organization quickly to change the passwords of those accounts. It is also important to have skilled security analysts monitoring systems for unusual login activity and potentially dangerous behaviors.
More can be read here: https://www.bleepingcomputer.com/news/security/hackers-tried-poisoning-town-after-breaching-its-water-facility/
