Water Plant in Florida Hacked
Researchers have found several stolen credentials for the Florida water-treatment plant that was hacked last week. Researchers at CyberNews found 11 credential pairs linked to the Oldsmar water plant, and another 13 pairs in a compilation of breaches that was leaked just days before the attack. That compilation was posted to the RaidForums English-language cybercrime community on Feb. 2 and contains 3.27 billion unique combinations of cleartext email addresses and passwords.
The attack on the Oldsmar water-treatment facility in Florida happened last Friday, when an intruder changed the sodium hydroxide setting, more commonly known as lye, in the plant's controls from 100 parts per million to 11,100 parts per million. A plant operator noticed the change immediately and reversed it before the altered setting had any effect on the treatment process. According to a Massachusetts state security advisory, the intruder reached the plant's SCADA controls through TeamViewer, a remote-access tool. The plant had installed TeamViewer on its computers so that personnel could check system status and respond to alarms or other issues that came up during water treatment.
All of the computers connected to the SCADA system ran the 32-bit version of Windows 7, shared a single password for remote access, and were exposed directly to the Internet with no firewall in front of them. In that configuration one leaked password is enough to reach every workstation, which is what makes the credential findings significant. Researchers believe the intruder used credentials taken from an earlier breach, in 2017. It is not clear how old those credentials are, or whether they were specific to TeamViewer.
Researchers believe the attack was carried out in stages. The first was reconnaissance: identifying the ICS, who operates it, which domain the organization uses for email, and whether those email addresses are accepted as login usernames. The second was a credential-stuffing attack to obtain remote access. In credential stuffing, attackers use automated scripts to replay stolen username-and-password pairs against the target's login until one of them is accepted.
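As an added illustration (this is not code from the article, from CyberNews, or from the investigators), the script below simulates the two stages in Python against constructed data. A made-up breach compilation is filtered down to the target's mail domain, the surviving pairs are replayed against a hypothetical login check, and a small detector then scans constructed authentication log lines for the trace credential stuffing leaves behind: one source address cycling through many different usernames in a short window. Every address, password, IP, and log format here is invented.

```python
"""Credential stuffing, attacker and defender side, on constructed data.

Added illustration only; none of this is the article's or an investigator's code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a breach compilation (addresses and passwords invented).
LEAKED_PAIRS = [
    ("alice@example-water.test", "Summer2017!"),
    ("bob@example-water.test", "Water123"),
    ("carol@example-water.test", "carol2016"),
    ("dave@other-utility.test", "hunter2"),
    ("erin@example-water.test", "Spring2020"),
]

# Hypothetical credential store of the target. One operator password shared by
# every account mirrors the "same password for remote access" weakness.
VALID_LOGINS = {
    "alice@example-water.test": "Summer2017!",   # reused from the leak above
    "bob@example-water.test": "Summer2017!",
    "carol@example-water.test": "Summer2017!",
}
TARGET_DOMAIN = "example-water.test"


def select_for_domain(pairs, domain):
    """Stage 1 (reconnaissance): keep leaked pairs on the target's mail domain."""
    suffix = "@" + domain.lower()
    return [(u, p) for u, p in pairs if u.lower().endswith(suffix)]


def check_login(user, password):
    """Stand-in for the remote-access login; a real tool would be network-bound."""
    return VALID_LOGINS.get(user) == password


def stuff(pairs, check):
    """Stage 2 (credential stuffing): replay each pair once, return the first hit."""
    for user, password in pairs:
        if check(user, password):
            return (user, password)
    return None


# Constructed auth log: one source sweeps four accounts in seconds and finally
# succeeds; a second source is an operator mistyping once and then logging in.
LOG_LINES = [
    "2021-02-05T09:00:01Z src=203.0.113.7 user=alice@example-water.test result=FAIL",
    "2021-02-05T09:00:03Z src=203.0.113.7 user=bob@example-water.test result=FAIL",
    "2021-02-05T09:00:05Z src=203.0.113.7 user=carol@example-water.test result=FAIL",
    "2021-02-05T09:00:07Z src=203.0.113.7 user=erin@example-water.test result=OK",
    "2021-02-05T09:12:40Z src=198.51.100.20 user=alice@example-water.test result=FAIL",
    "2021-02-05T09:12:55Z src=198.51.100.20 user=alice@example-water.test result=OK",
    "this line is malformed and must be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=3):
    """Flag sources that try at least `min_users` distinct accounts inside `window`.

    Returns {src: {"users": [...], "success": bool}} where `success` says whether
    any attempt in the flagged window was accepted (the case to escalate first).
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            users, success = set(), False
            for ev in events[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                users.add(ev["user"])
                success = success or ev["ok"]
            if len(users) >= min_users:
                flagged[src] = {"users": sorted(users), "success": success}
                break
    return flagged


if __name__ == "__main__":
    candidates = select_for_domain(LEAKED_PAIRS, TARGET_DOMAIN)
    print("pairs on target domain:", len(candidates))
    print("first accepted pair:", stuff(candidates, check_login))
    print("flagged sources:", detect_stuffing(LOG_LINES))
```

The detector keys on distinct usernames per source rather than on failure counts alone, because a stuffing run that reuses a leaked password across a shared-password estate can succeed on its first or second try and never trip a lockout threshold; the operator at 198.51.100.20 fails once and is correctly left alone.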
The FBI and the U.S. Secret Service are still investigating exactly what happened but do not believe the attack was state-sponsored. Authorities do not yet know who was behind it, where the attackers are located, or what their motive was. Security experts said the incident is a reminder of the catastrophic effect an attack on critical infrastructure can have on public safety, making the security of these systems a top concern.