A new study from Dragos has found that a water treatment plant in Oldsmar, Florida — where hackers attempted to poison the town’s water earlier this year — was also involved in another potential breach at the same time.
A browser being used on the plant’s network was traced back to a “watering hole” attack that was allegedly targeting water utilities across the country.
“We have medium confidence it did not directly compromise any organization,” the report said. “But it does represent an exposure risk to the water industry and highlights the importance of controlling access to untrusted websites, especially for Operational Technology and Industrial Control System environments.”
The tiny town in central Florida made national news in February when hackers gained remote access to systems at a local water plant and tried to elevate levels of certain chemicals which would have been poisonous to the town’s residents. The attack was stopped before the water levels could be changed but the situation, like the recent ransomware attack on Colonial Pipeline, put a spotlight on how unprotected much of the critical infrastructure in the US is.
Researchers with Dragos found that the WordPress website of a water infrastructure construction company in Florida was “hosting malicious code” in the footer file of their website as a way to lure in operators at water utilities in the state and elsewhere. The attackers allegedly took advantage of one of the many vulnerabilities that can be found in WordPress’ plugins and inserted the code, which Dragos identified as the Tofsee malware, at some point in December 2020.
The report found that the website with the malicious code “was visited by a browser from the city of Oldsmar” on February 5 at 9:49 am, the same day of the poisoning event.
The water plant in Oldsmar was far from the only organization that visited the site with the malicious code, according to the report. Dragos researchers found that between December 2020 and February 16, when the vulnerability was dealt with, more than 1,000 computers across the country were “profiled by the malicious code.”
Dozens of computers from state and local government agencies, water industry-related private companies, municipal water utility customers, and others visited the site during that two month span, according to Dragos.
Despite visiting the site on the same day of the attack, the watering hole attack was not connected to the poisoning attack, Dragos reiterated.
“We do not understand why the adversary chose this specific Florida water construction company site to compromise and to host their code. Interestingly, and unlike other watering hole attacks, the code did not deliver exploits or attempt to achieve access to victim computers,” Dragos researchers wrote.
“With the forensic information we collected so far, Dragos’ best assessment is that an actor deployed the watering hole on the water infrastructure construction company site to collect legitimate browser data for the purpose of improving the botnet malware’s ability to impersonate legitimate web browser activity,” the report said.
Cybersecurity experts noted that the report confirmed what many have said for years about the country’s inability to protect vital infrastructure from cyberattacks.
ThycoticCentrify vice president Bill O’Neill said the report was just another example of how organizations are dealing with a slate of vulnerabilities that can be exploited at any moment by attackers.
“Attacks like these make it abundantly clear that we’re entering a new era of digital warfare. A digital Pearl Harbor has long been a fear of experts as our adversaries look to cause disturbances amongst our critical infrastructure,” O’Neill said. “Any major attack on our energy, water, or transportation systems could accomplish that.”
Yaniv Bar-Dayan, CEO of Vulcan Cyber, explained that the watering hole attack had the makings of a very sophisticated attack and noted that it all started with a “lowly, vulnerable WordPress plugin.”
“Vulnerability remediation is the dirty job of the cyber security industry. Nobody really likes to do it, and it doesn’t get the attention and resources it deserves until it’s too late,” Bar-Dayan said. “These days, a WordPress plugin vulnerability can lead to the poisoning of a water supply or the taking down of an oil pipeline.”
Other experts said the findings simply confirmed the need for constant updates to be made to an organization’s content management system. The attack also highlighted how hackers use some efforts to learn what works and gather data as opposed to leveraging vulnerabilities for any specific action, according to New Net Technologies security research vice president Dirk Schrader.
“For those on the defense, it confirms the need to maintain a high level of cyber hygiene and to be able to detect any malicious changes in the infrastructure,” Schrader said.