Tag Archive for: Water

Oldsmar water hack came after city computer visited compromised website


OLDSMAR, Fla. — An Oldsmar city computer reportedly visited a website hosting malicious code that targeted water utilities in the hours leading up to the city’s water treatment plant being hacked, a new report from the security firm Dragos said.

The Oldsmar water hack saw someone try to poison the water supply with lye, but it was discovered before any damage could be done. While the website ultimately didn’t play a role in the hack of the water supply system in Oldsmar, Dragos said the overall incident shined a light on IT security in the infrastructure in the United States.

The report, released Tuesday, found the website hosting the code was a Florida water utility contractor site. Dragos labeled the attack as a “watering hole attack.” According to the Computer Security Resource Center, a watering hole attack features an attacker “compromising a site likely to be visited by a particular group, rather than attacking the target group directly.”

In the case of the Oldsmar attack, Dragos found damaging code “inserted into the footer of a WordPress-based site associated with a Florida water infrastructure construction company.” Dragos speculated the code was inserted through vulnerable WordPress plugins. Once the code was inserted into the legitimate site, the attackers began collecting information.

According to the Dragos report, the hack of the site started on December 20, 2020, and the code remained there until February 16, 2021. While the malicious code was live, the site interacted with “computers from municipal water utility customers, state and local government agencies, various water industry-related private companies, and normal internet bot and website crawler traffic.” Dragos said that over “1,000 end-user computers were profiled by the code,” with most being in the U.S. and in the state of Florida.

For the Oldsmar attack, Dragos found a computer on a network belonging to the city went to the infected site at 9:49 a.m. on February 5, 2021. Dragos said the same network from the city was where an unknown actor, likely separate from the criminals who put the malicious code on the website, “reportedly compromised a water treatment control plant computer on the…

Lessons Local Utilities Can Learn from the Oldsmar Water Plant Hack


Anatomy of the Oldsmar Water Plant Attack

The FBI, the Department of Homeland Security, the U.S. Secret Service and the Pinellas County Sheriff’s Office are investigating the attack in Oldsmar, and it is unclear where the attack originated from and what the motivations of the attacker or attackers were.

According to a Massachusetts state advisory describing FBI findings on the attack, on Feb. 5, unidentified malicious actors “obtained unauthorized access, on two separate occasions, approximately five hours apart, to the supervisory control and data acquisition (SCADA) system” used at the plant.

They accessed the SCADA system “via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process.”

According to ProPublica, the city had actually stopped using TeamViewer six months earlier, but never disconnected the program.

Alarmingly, according to the advisory, all computers used by personnel at the Oldsmar plant were connected to the SCADA system and used an outdated, 32-bit version of the Windows 7 operating system. Even more worrisome, the Massachusetts advisory states, “computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”

A plant operator noticed the first intrusion, according to ProPublica, but “didn’t think much of it,” Pinellas County Sheriff Bob Gualtieri said at a news conference. It wasn’t until after the second intrusion, when the attacker took over a computer and changed the amount of sodium hydroxide in the water from 100 parts per million to 1,100 parts per million, that the plant worker alerted his boss. The worker lowered the levels of sodium hydroxide and the city called the county sheriff’s office three hours later, ProPublica reports.

“This is dangerous stuff,” Gualtieri said, according to The New York Times. “It’s a bad act. It’s a bad actor. It’s not just a little…

Small Kansas water utility system hacking highlights risks


ELLSWORTH, Kan. (AP) — A former Kansas utility worker has been charged with remotely tampering with a public water system’s cleaning procedures, highlighting the difficulty smaller utilities face in protecting against hackers.

Wyatt Travnichek, 22, was charged last month with remotely accessing the Post Rock Rural Water District’s systems in March 2019, about two months after he quit his job with the utility. He’s accused of shutting down the facility’s cleaning and disinfecting procedures.

When he worked for the utility, he would monitor the water plant remotely by logging into its computer system, the Kansas City Star reports.


The federal indictment says Travnichek used a Samsung phone to commit the offense. Post Rock utility officials declined to provide further details. Travnichek’s attorney, a federal public defender, didn’t respond to the Star’s request for comment.

No centralized database of hacker attacks on utilities exists, but a 2016 report from the federal Department of Energy said the Department of Homeland Security responded to 25 water cybersecurity incidents in 2015.

The Florida city of Oldsmar, population 15,000, reported in February that a hacker attempted to poison its water supply by remotely accessing its system and changing chemical levels. An employee was able to quickly reverse the hacker’s actions.

Small utilities such as Post Rock may not have the resources to hire dedicated information technology staff. Commonly their employees juggle multiple roles, including cybersecurity.

“As far as cities having an IT person, I just don’t know of any our size,” said Bill Shroyer, assistant city administrator in Sabetha, in northern Kansas, and president of the Kansas Rural Water Association. “And if we did have an IT person, they better know how to repair pot holes, fix water leaks, pick up snow and everything else that we do.”

Security experts say the Post Rock case could be as simple as officials failing to revoke Travnichek’s electronic access after he quit. The indictment doesn’t specify…

Employee Indicted for Hacking Kansas Water Utility and Trying to Shut Down Key Systems


A federal grand jury is indicting a 22-year-old guy over accusations that he tampered with a public water system. Dude allegedly hacked into a computer system that controls a rural water utility in Ellsworth County, Kansas, then messed with the virtual processes that affect procedures for cleaning and disinfecting drinking water.



As if we didn’t have enough risks to drinking water to manage.



On March 31, Wyatt Travnichek was charged with one count of tampering with a public water system and one count of reckless damage to a protected computer during unauthorized access. If convicted, he’ll face up to 25 years in prison and $500,000 in fines.

The story is pretty wild. Travnichek actually worked at the water district, which services more than 1,500 retail customers and 10 wholesale customers in eight Kansas counties, from January 2018 to January 2019. Part of his role was to virtually monitor its water plant after hours by remotely logging into the district’s computer system, so in a sense he was just doing his old job.

The Department of Justice alleges that he logged on with the intention to harm, though thankfully, according to Cyberscoop, no one was harmed. According to the indictment, Travnichek “accessed a protected computer without authorization,” then remotely logged on and “performed activities that shut down processes at the facility which affect the facility’s cleaning and disinfecting procedures.”

“By illegally tampering with a public drinking water system, the defendant threatened the safety and health of an entire community,” Lance Ehrig, Special Agent in Charge of EPA’s Criminal Investigation Division in Kansas, said in a statement. “EPA and its law enforcement partners are committed to upholding the laws designed to protect our drinking water systems from harm or threat of harm. Today’s indictment sends a clear message that individuals who intentionally violate these laws will be vigorously prosecuted.”

What’s even more bonkers than this guy’s actions, though, was that he was able to carry them…
