Investigators suggest hackers exploited weak password security to breach Florida water facility
A clearer picture of poor security practices in Oldsmar, Florida prior to the dangerous hack of its water treatment plant is beginning to emerge, even as an investigation into the matter continues one week after the incident.
Three federal agencies teamed up with an organization that shares threat information between states to issue an alert late Thursday explaining how the breach, in which a hacker allegedly tried to raise sodium hydroxide levels to amounts that are harmful to humans, might have unfolded. Initial clues suggest the incident, which was detected before it amounted to a threat to public drinking water, was made possible by lax data protection strategies and exploitation of a software tool.
“The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system,” reads the alert from the FBI, Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency and Multi-State Information Sharing and Analysis Center. “Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system.”
An alert to public water suppliers that Massachusetts’ Department of Environmental Protection released earlier this week referenced another report from the FBI, DHS, Secret Service and the Pinellas County Sheriff’s Office which provided more detail that referenced the plant’s control systems, known as Supervisory Control and Data Acquisition (SCADA) systems.
“The unidentified actors accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process,” the department wrote. “All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system,” which Microsoft ended support for in January of last year.
“Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed,” the alert reads. A spokesperson for the Massachusetts department said the department received the details from the EPA.
Email addresses and passwords with the domains ci.oldsmar.fl.us and myoldsmar.com surfaced days before the breach in what’s being called the COMB data leak, for “Compilation of Many Breaches.” Credentials belonging to Oldsmar city employees were included in that leak as CyberNews first revealed and CyberScoop confirmed with Allan Liska, a senior security architect at Recorded Future who tracks dark web acitivity.
The name of the city’s director of public works from 2011 to 2015 also appears to have been included in the data leak, CyberScoop has determined. If that username and password combination were accurate, and unchanged since 2015, attackers could have used those credentials to glean valuable information that could be helpful for accessing the facility’s system.
However, some cybercriminal forum members had criticisms of the hacker who posted that data leak, saying that “files were corrupted, files were missing, the total number of credentials was smaller than advertised, and the data was of low quality,” said Ivan Righi, a cyber threat intelligence Analyst from Digital Shadows, which also track dark web activity.
The identity of the hacker, and definitive information about how outsides accessed the water facility’s systems, remains a mystery.
Chris Krebs, the former director of CISA, suggested during a Feb. 10 congressional hearing that an insider, perhaps a disgruntled employee, was “very likely” the perpetrator. The attacker may have been a foreign hacker, Krebs added, but cautioned observers not to “jump to a conclusion that it’s a sophisticated” group.
The cybersecurity firm Intel 471 on Friday said it had reexamined an incident from May of last year where likely Iranian hackers were attempting to sell access to a U.S. hydroelectric power plant.
“Further investigation found that what the actor was actually advertising was access to a water treatment plant in Florida, via a virtual network computing (VNC) permission that granted system access to a ‘Groundwater Recovery & Treatment System,'” the company wrote. “Additionally, one screenshot showed levels and controls for a sodium hydroxide pump.”
Intel 471 could not confirm or deny links between those hackers and Oldsmar, however.
There were other details about Oldsmar’s systems available to anyone on the web. McKim and Creed, an engineering, surveying and planning firm, posted images of the Oldsmar facility’s SCADA human-machine interface online in a promotion of its work with the city. That could’ve given hackers insight into how the plant operated.
The firm did not answer a request for comment, but shortly after CyberScoop reached out to the company that page was taken offline.
Felicia Donnelly, the assistant city manager for Oldsmar, referred questions to the Pinellas County Sheriff’s Office, citing the ongoing investigation. A spokesperson for the sherriff’s office offered a similar response.
“There is no update at this time,” said Alex Kowlaski. “As the investigation is still open and active, we cannot provide any further information.”
Sean Lyngaas contributed to this article.