In a super-villain-style plot, cybercriminals hacked Oldsmar’s water supply and tried to poison the drinking water of this small town in Florida, USA. The hackers accessed a computer in the facility that runs the remote control software TeamViewer and raised the levels of sodium hydroxide, also known as lye.
This attack comes after numerous warnings by cybersecurity experts that future attacks will target critical infrastructure and potentially endanger thousands. It is not yet known which security protocols were in place that prevented the attackers from gaining full access to the system.
Sheriff Bob Gualtieri said in a press conference that there were fail-safes and alarms in place to prevent tainted water from reaching the town’s residents. Because of them, even though criminals hacked Oldsmar’s water supply, the 15 thousand people who live there were not in great danger.
What Actually Happened in Oldsmar
The attack took place at around 8 in the morning on 5 February. An employee of the water treatment plant saw his mouse cursor move across his screen, seemingly without his control. At first, this did not bother him too much as the plant uses TeamViewer – and his boss often connects to his PC to monitor the system.
However, a few hours later, the mouse started moving again. This time he was sure it was not his boss or the IT team. The cursor was clicking through the plant’s controls. Seconds later, the intruder was trying to change the sodium hydroxide levels. Lye, or caustic soda, was then set from 100 parts per million to 11,100 parts per million.
This substance generally regulates the pH levels of potable water. But at high levels, lye is extremely damaging to any human tissue it comes into contact with.
Luckily, the employee caught the hacker virtually red-handed, so he was able to return the sodium hydroxide levels to normal. Had it not been for his quick reaction, the poisoned water could have reached Oldsmar’s residents in 24-36 hours. However, authorities claim that even in that eventuality the automated pH testing safeguards would have triggered an alarm and caught the change before anyone was harmed.
In any case, this chain of events was provided by the local official. External security auditors are yet to corroborate that account. And, as this attack was an attempt at sabotaging critical US infrastructure, we should expect to hear from them as well.
“This is dangerous stuff. This is somebody that is trying, it appears on the surface, to do something bad,” said Bob Gualtieri, the sheriff of Pinellas County, Florida, of which Oldsmar is a part.
According to the US National Center for Biotechnology Information, contact with sodium hydroxide kills skin cells and causes hair loss. In cases of ingestion, the substance can be fatal.
Investigation and Response to the Water Supply Hack
Oldsmar is a small city northwest of Tampa, close to the James Stadium, which hosted the Super Bowl two days after the cyber-attack. Oldsmar gets its water from wells and its system is separate from other local communities.
The sheriff’s office began investigating the attack on Friday evening. It is still unknown whether the attack came from inside the county, Florida – or even the United States. However, the cybercriminals now definitely face felony charges – and, quite possibly, federal charges as well.
The hacked Oldsmar water supply facility currently uses the somewhat outdated Windows 7 as its operating system, software that is more than 12 years old. Despite that, investigators are certain that this weakness did not provide the opening for this attack.
“There was software that allows remote access that was internet exposed, which means anyone could log in. To impact industrial systems you don’t need exploits. You just need to know how to use the system — in this case a human machine interface that operated the plant,” said Rob Lee, the CEO of cybersecurity firm Dragos.
Remote access software, like TeamViewer and Chrome in Oldsmar’s case, is very common on infrastructure sites.
The FBI’s field office in Tampa issued a statement confirming its participation in the investigation. FBI agents are working with the city and the sheriff’s office to find the people responsible for the hack.
TeamViewer, a German company with more than half a million customers around the world using commercial licenses, says that there was no indication of suspicious activity. However, investigations are ongoing.
However, there is evidence of comparable incidents. One of the incidents took place some twenty years ago in Maroochy, Australia. A disgruntled IT consultant at a sewage treatment plant used remote access to dump raw sewage into local parks and rivers.
Similarly, in 2015 a Russian hacker group known as Sandworm hijacked remote software, similar to TeamViewer, to open the circuit breakers in electric utilities in Ukraine. In turn, this attack left more than 250 thousand people without electricity in the middle of December. In 2016, Verizon Security Solutions stated that hackers broke into an unidentified water utility and messed with the chemical levels.
Are we seeing a pattern?
Yes, and to a large extent this pattern is not new. Over the years, cybersecurity experts have issued countless warnings of precisely these types of attacks. And the infrastructure they target comes as no surprise.
Water treatment and sewage plants are very digitally vulnerable and seen as perfect infrastructure targets, especially in the USA, given the budget cuts and remote work options due to the COVID-19 pandemic. In the case of some US cities, whole municipal water treatment plants depend on one IT specialist.