Cyber Threat Actors Were Reported to Have Breached a Water Treatment Plant in a Horrendous Attempt to Harm Water Supply
The unthinkable almost happened this month.
Cyberattackers were reported to have remotely accessed the computer system used to control the water treatment facility in Oldsmar, Florida.
Their goal was reported to have been to make the town's water supply undrinkable, or worse. Residents of Oldsmar could have been harmed because the attackers manipulated the sodium hydroxide setpoint in the treatment process. Sodium hydroxide, also known as lye, is a primary ingredient in many drain cleaners. Dosed carefully by water treatment plant staff, it controls the acidity (pH) of the water and assists in processes that remove heavy metals. At high concentration, it is caustic and poisonous if ingested.
Due in part to the plant operations team's vigilance and competence, the actual risk of poisoning the water supply and the town's residents remained low. Sheriff Bob Gualtieri of Pinellas County was reported to have said, "Even if the plant operators had not quickly reversed the increased amount of sodium hydroxide, it would have taken between 24 to 36 hours for that water to hit the water supply system, and there are redundancies in place where the water had been checked before it was released."
The operator at the plant detected the intrusion on Friday, Feb 5, 2021. The plant uses remote-access software that lets several people view and control the same screen, and the operator noticed his mouse moving independently of his actions. Initially he assumed a supervisor or colleague had connected remotely, which was normal practice. Later, however, the intruder appeared to be performing reconnaissance of the plant's systems, opening and watching many of the plant's control screens. The exact anatomy of the attack is still unclear; it appears the threat actors may have used stolen credentials to gain access to the remote-access system.
Finally, the intruder was reported to have changed the sodium hydroxide setpoint. At this point the plant operator restored the correct value, alerted the entire plant team, and immediately escalated the investigation to the Pinellas County Sheriff's Office, which in turn brought in the FBI and the U.S. Secret Service.
Austin Berglas, former head of cyber for the FBI's New York office and currently the global head of professional services at the cybersecurity company BlueVoyant, was reported to have said, "….this was probably stolen credentials …. If that is going to be the norm for an organization to be so susceptible to attack that someone (was able) to take control and add a poisonous chemical into a water supply, that is a problem."¹
Most attacks touch DNS somewhere in the kill chain. Threat actors who penetrate a network with malware need that malware to resolve the name of its command-and-control server before it can call home. Threat actors who instead use stolen credentials typically log in from IP addresses that legitimate users of those credentials never use. In many cases these malicious domains and IP addresses are already known from threat intelligence; in many other cases they are newly registered or newly observed and are not.
DNS is frequently used for malware infiltration and data exfiltration because it is ubiquitous in networks, almost always allowed outbound, and rarely inspected by current security controls. Next-generation firewalls, IPS, and web gateways generally do not inspect DNS payloads for malicious communications and cannot prevent attacks such as DNS data exfiltration, in which stolen data is encoded into the labels of queries for an attacker-controlled domain. Most importantly, they cannot spot the subtle signs of newly created malicious addresses and domains.
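To make the preceding point concrete, here is an added example (written for this page, not Infoblox's product code or anything from the Oldsmar investigation) of the kind of detection logic a resolver-log review can apply: it scans query logs for two signals, registrable domains that appear on a threat-intelligence list and domains receiving many long, high-entropy, never-repeated subdomains, which is the fingerprint of data being encoded into DNS labels. The log format, the sample lines, the `KNOWN_BAD_DOMAINS` list and the thresholds are all constructed assumptions for the demonstration.

```python
import math
import re
from collections import defaultdict

# Constructed sample log lines in an assumed "timestamp client qtype qname" format.
# These are made up for illustration and are not real telemetry.
SAMPLE_LOG = """\
2021-02-05T13:02:11Z 10.0.0.5 A www.example.com
2021-02-05T13:02:12Z 10.0.0.5 A updates.example.com
2021-02-05T13:02:13Z 10.0.0.7 A www.example.com
2021-02-05T13:03:01Z 10.0.0.9 TXT 4a7f1c9e2b3d8f0e1a5c6b7d.exfil-demo.test
2021-02-05T13:03:02Z 10.0.0.9 TXT 9e0d3b2a1c4f5e6d7a8b9c0d.exfil-demo.test
2021-02-05T13:03:03Z 10.0.0.9 TXT b1c2d3e4f5a6b7c8d9e0f1a2.exfil-demo.test
2021-02-05T13:03:04Z 10.0.0.9 TXT 7f8e9d0c1b2a3f4e5d6c7b8a.exfil-demo.test
2021-02-05T13:03:05Z 10.0.0.9 TXT 0a1b2c3d4e5f6a7b8c9d0e1f.exfil-demo.test
2021-02-05T13:03:06Z 10.0.0.9 TXT c3d4e5f6a7b8c9d0e1f2a3b4.exfil-demo.test
2021-02-05T13:04:00Z 10.0.0.5 A mail.example.com
2021-02-05T13:05:00Z 10.0.0.12 A beacon.known-bad.test
"""

# Hypothetical threat-intelligence indicator list (assumption for the example).
KNOWN_BAD_DOMAINS = {"known-bad.test"}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].rstrip(".").lower()
            records.append(rec)
    return records


def registrable_domain(qname):
    # Simplification: treat the last two labels as the registrable domain.
    # A real deployment should use the Public Suffix List (e.g. for co.uk).
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def subdomain_part(qname):
    return ".".join(qname.split(".")[:-2])


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_domains(records):
    """Aggregate per registrable domain the features that distinguish tunneling."""
    per = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": 0.0, "len": 0, "txt": 0})
    for r in records:
        d = registrable_domain(r["qname"])
        sub = subdomain_part(r["qname"])
        s = per[d]
        s["queries"] += 1
        s["subs"].add(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["len"] += len(sub)
        s["txt"] += r["qtype"] == "TXT"
    return {
        d: {
            "queries": s["queries"],
            "unique_subdomains": len(s["subs"]),
            "mean_entropy": s["ent"] / s["queries"],
            "mean_subdomain_len": s["len"] / s["queries"],
            "txt_fraction": s["txt"] / s["queries"],
        }
        for d, s in per.items()
    }


def detect(log_text, known_bad=KNOWN_BAD_DOMAINS, min_unique=5, min_entropy=3.0, min_len=16):
    """Return findings: IOC hits first by rule order, then heuristic tunneling hits."""
    findings = []
    for d, s in sorted(score_domains(parse_log(log_text)).items()):
        if d in known_bad:
            findings.append({"domain": d, "reason": "threat-intel-match", "stats": s})
        elif (s["unique_subdomains"] >= min_unique
              and s["mean_entropy"] >= min_entropy
              and s["mean_subdomain_len"] >= min_len):
            findings.append({"domain": d, "reason": "dns-tunneling-heuristic", "stats": s})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["domain"], f["reason"], f["stats"])
```

Running it flags `exfil-demo.test` on the heuristic (six unique 24-character hex labels, each near the 4-bit maximum entropy for hex, all TXT) and `known-bad.test` on the indicator list, while `example.com` passes because its subdomains are few, short and low-entropy. The thresholds are starting points; in practice they are tuned against a baseline of the organization's own resolver traffic, and CDN, antivirus and certificate-revocation domains that legitimately use long encoded labels need an allow list.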
With Infoblox BloxOne Threat Defense, State and Local Government teams can use DNS to get visibility into malicious activity, and detect and defeat cyberattackers early in the kill chain of events.