Oldsmar water hack came after city computer visited compromised website

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

OLDSMAR, Fla. — An Oldsmar city computer reportedly visited a website hosting malicious code that targeted water utilities in the hours leading up to the city’s water treatment plan being hacked, a new report from the security firm Dragos said.

The Oldsmar water hack saw someone try to poison the water supply with lye, but it was discovered before any damage could be done. While the website ultimately didn’t play a role in the hack of the water supply system in Oldsmar, Dragos said the overall incident shined a light on IT security in the infrastructure in the United States.

The report, released Tuesday, found the website hosting the code was a Florida water utility contractor site. Dragos labeled the attack as a “watering hole attack.” According to the Computer Security Resource Center, a watering hole attack features an attacker “compromising a site likely to be visited by a particular group, rather than attacking the target group directly.”

In the case of the Oldsmar attack, Dragos found damaging code “inserted into the footer of a WordPress-based site associated with a Florida water infrastructure constructions company.” Dragos speculated the code was inserted through vulnerable WordPress plugins. Once the code was inserted into the legitimate site, the attackers began collecting information.

According to the Dragos report, the hack of the site started on December 20, 2020, and was on there until February 16, 2021. While the malicious code was live, the site interacted with “computers from municipal water utility customers, state and local government agencies, various water industry-related private companies, and normal internet bot and website crawler traffic.” Dragos said that over “1,000 end-user computers were profiled by the code” with most being in the U.S. and in the state of Florida.

For the Oldsmar attack, Dragos found a computer on a network belonging to the city went to the infected site at 9:49 a.m. on February 5, 2021. Dragos said the same network from the city was where an unknown actor, likely separate from the criminals who put the malicious code on the website, “reportedly compromised a water treatment control plant computer on the…