The city of Oldsmar, Florida confirmed that it experienced an unlawful cyber intrusion on February 5, 2021. The intruder attacked the city’s water treatment facility by exploiting a dormant remote access software called TeamViewer to take control of their system settings. In the span of a few minutes, they altered the control set points for the dosing rate of sodium hydroxide (NaOH, commonly known as lye) into the water supply. Sodium hydroxide is used in the treatment of drinking water to raise the pH to a level that minimizes lead corrosion. While this caustic chemical is important in the treatment process, it can pose serious health threats and even death if consumed in large quantities.

Currently, the case is under ongoing investigation while officials clarify that the public was safe throughout the entire attack as there are multiple control systems continuously monitoring water quality parameters and providing real-time alerts.

The cyber intruder leveraged TeamViewer, legitimate remote accessing software used previously by the facility’s supervisors to monitor the water systems from outside workspaces. This software is directly installed on a Windows machine and allows convenient connectivity from any internet access.

Upon investigation, officials found that the software had not been used in nearly six months but remained in the system without proper management or password updates. In this case, the intruder did not expose any vulnerabilities in the software, rather just used it for unauthorized purposes outside of the facility’s remote access architecture. They simply obtained the password and remote accessed in. The password was most likely obtained through social engineering, phishing, or other brute-force methods.

Once the intruder remoted into the system, they were observed by the operating staff on duty raising the dose of sodium hydroxide from its normal set point of 100 parts-per-million (ppm) to 11,100 ppm. The operator was fortunately able to restore the normal operating parameters before it could trigger the system’s pH monitoring tools.

The attack on the Oldsmar water supply highlights the long-time concerns of experts in the cybersecurity field that as more critical infrastructures are computerized, they are more susceptible to hacks. Across the world, these infrastructures are migrating to digital systems allowing engineers and contractors to monitor data such as temperature/chemical/pressure levels from remote locations. Water, along with other vital infrastructures such as power grids, dams, and oil and gas pipelines are becoming easy targets for hackers especially if they are not well managed or funded. To date, the Oldsmar attack is one of the most successful cyberattacks on vital infrastructure yet.

The Cyber & Infrastructure Security Agency has released alert AA21-042A on this attack and given the below recommendations that covers important general cyber hygiene processes:

• Update to the latest version of the operating system (e.g., Windows 10).
• Use multiple-factor authentication and enforce strong passwords to protect Remote Desktop Protocol (RDP) credentials.
• Ensure anti-virus, spam filters, and firewalls are up-to-date, properly configured, and secure.
• Audit network configurations and isolate computer systems that cannot be updated.

• Audit your network for systems using RDP, closing unused RDP ports, applying multiple-factor authentication wherever possible, and logging RDP login attempts.
• Audit logs for all remote connection protocols.
• Train users to identify and report attempts at social engineering.
• Identify and suspend access of users exhibiting unusual activity.

For any of our partners currently using TeamViewer in their operations, follow the below recommendations to secure your use of the software:

• Do not use unattended access features, such as “Start TeamViewer with Windows” and “Grant easy access.”
• Configure TeamViewer service to “manual start,” so that the application and associated background services are stopped when not in use.
• Set random passwords to generate 10-character alphanumeric passwords.
• If using personal passwords, utilize complex rotating passwords of varying lengths. Note that TeamViewer allows users to change connection passwords for each new session. If an end user chooses this option, never save connection passwords as an option as they can be leveraged for persistence.
• When configuring access control for a host, utilize custom settings to tier the access a remote party may attempt to acquire.

• Require remote party to receive confirmation from the host to gain any access other than “view only.” Doing so will ensure that, if an unauthorized party is able to connect via TeamViewer, they will only see a locked screen and will not have keyboard control.
• Utilize the ‘Block and Allow’ list which enables a user to control which other organizational users of TeamViewer may request access to the system. This list can also be used to block users suspected of unauthorized access.

As our world continues to digitalize, you can protect your network against cyberattacks by partnering with Blackpoint. The best end-to-end security is a combination of both prevention and advanced tradecraft detection technologies that monitor account activity and behavior in real-time as well as a 24/7 active threat hunting and response service provided by experienced security analysts. Active threat hunting by analysts detects malicious activities in their earliest stages. Contact us to safeguard your business today.

• CISA Alert – Compromise of U.S. Water Treatment Facility (AA21-042A)

• Video – Press Conference held by Sheriff of Oldsmar, Florida