Threat Watch

Hackers Undetected on Queensland Water Supplier Server for 9 Months

Australian government-owned water supplier SunWater has suffered a security breach. SunWater operates 19 major dams, 80 pumping stations, and 1,600 miles of pipelines in Australia. The threat actors breached the organization's network and remained on a server undetected for 9 months, between August of 2020 and May of 2021. Although the server they accessed held customer information, the threat actors do not appear to have been interested in the sensitive data, as there is no evidence any data was exfiltrated. Instead, they placed malware on the server to drive more traffic to another site, likely run by the hackers. The vulnerability has now been fixed, but this breach highlights a larger issue regarding server vulnerabilities and a lack of proper account security practices in critical infrastructure. Auditors were prompted to check other water companies, and after examining six, they found that three of them had vulnerabilities or other issues that needed attention.


Auditors have provided the water companies with the following recommendations:

 Implement security threat detection and reporting systems
 Enable multi-factor authentication on all external systems available to the public
 Set a minimum password length of eight characters
 Organize security awareness training
 Implement critical security vulnerabilities identification processes

Water suppliers are targeted more often than the public realizes. It is time to stop the spread of these attacks and make a conscious effort to maintain good security practices.