A cyberattacker attempted to poison a Florida municipality’s water supply by breaking into the city’s water treatment plant systems. On February 5, an operator at the water treatment plant for the City of Oldsmar in Pinellas County noticed someone controlling his mouse. The operator didn’t think much of the activity at first, reported WTSP-TV.
The computer system he was monitoring at the time came with remote access software that supervisors used to troubleshoot from different locations. But there was no doubt when the operator witnessed his cursor open up various functions on the screen and adjust the amount of sodium hydroxide in the water from 100 ppm to 11,100 ppm.
Per the University of Florida Academic Health Center, sodium hydroxide poisoning can cause breathing difficulties, burns of the esophagus and stomach, vision loss, shock and/or holes in the skin or tissue under the skin. It was unclear as of this writing whether the levels to which the attacker adjusted the water’s sodium hydroxide would have produced these symptoms.
In response to the observed attack, the operator immediately reduced the sodium hydroxide in the water to their previous levels. This early intervention prevented the sodium hydroxide from reaching 11,100 ppm, a process which according to CNN would have taken 24-36 hours.
Oldsmar Mayor Eric Seidel and City Manager Al Braithwaite noted that there were also several fail-safes and alarm systems in place at the water treatment plant that would have prevented the sodium hydroxide from reaching those levels even if the operator hadn’t noticed the change.
Braithwaite went on to explain that the water treatment plant had temporarily disabled the remote access software while it worked to help to prevent a security incident similar to this one from occurring in the future.
In a press briefing on February 8, Pinellas County Sheriff Bob Gualtieri said that the identity of the individuals responsible for this attack were unknown but that he was working on a few leads as part of his ongoing investigation with the FBI and the U.S. Secret Service.
Meanwhile, U.S. Senator Marco Rubio (R-Florida) tweeted out that the attack “should be treated as a matter of national security.”
Cybereason’s Insight into the Attack
To gain some expert perspective on the attack, I spoke with Cybereason CSO Sam Curry. Here’s what he had to say.
David Bisson: What does this attack say about the broader digital threat landscape?
Sam Curry: With the U.S. Secret Service and FBI involved in trying to identify the cyber culprits who tried to poison Oldsmar’s water supply, this is another reminder that cyber threats against critical infrastructure networks are real. For nearly one year since the beginning of the COVID-19 pandemic, threat actors have carried numerous acts of war against research companies, hospitals and other first responders. These attacks have been brazen, shocking and downright maniacal.
DB: Interesting. Was there anything that shocked you about this attack in particular?
SC: What's surprising about the manipulation of chemical levels in Florida’s water supply is the bad actors tipped their hands without first doing proofs of concept or stockpiling attacks for later use. What we don’t know is whether any successful attacks have taken place over the past few months and just haven’t been publicly covered in the news.
DB: That’s a good point. And what about the attackers? Any idea who they could be or who’d want to launch an attack like this?
SC: It is premature to infer what the motive of the attackers was and who they are. The actors at this point could be script kiddies, terrorists, criminals, agents of a nation state or any other actor. The correct response should be due process: investigate, understand, learn, improve, follow the investigation and data and constantly get better. Acts of war are determined by the state and among states. The details thus far are scant, but we will all be listening to the postmortem, and we hope the current administration provides a deeper response and holds the adversaries responsible for this act responsible. To be clear, the investigation is what matters. Where it leads, who it involves and how we interpret that all remain to be determined.
DB: Understood. So where does that leave organizations in the meantime?
SC: These types of attacks show how organizations can no longer rely on Indicators of Compromise (IOCs) to keep themselves safe from attackers. Not when malicious actors are launching unique attacks for individual targets. We’re entering a new phase of digital security where it’s all about using Indicators of Behavior (IOBs) to understand the entire attack chain and detect threats earlier. If organizations want to minimize their chances of a breach, that’s the direction they need to go in.
Organizations don’t need to go it alone in this regard. Learn how Cybereason can help.