Water Supply Cyberattack: Did Hackers Leverage TeamViewer, Hit Microsoft Windows 7?

A chilling attempt by unknown hackers to poison a Florida town’s water treatment plant was dashed in progress by a quick-thinking employee, a report said.

Moreover, the attack may have involved hackers leveraging TeamViewer remote control software to target PCs that run Microsoft's antiquated Windows 7 operating system. In a February 11 alert about the water treatment facility attack, the Cybersecurity and Infrastructure Security Agency (CISA) mentioned both of those software packages without specifically stating they were used in the attack.

A reminder to market laggards: Microsoft ended support for Windows 7 on January 14, 2020. An Extended Security Update (ESU) plan is available until January 2023 -- but Microsoft gradually increases the price of that ESU to inspire customer migrations to Windows 10. Continued use of Windows 7, the CISA alert says, "increases the risk of cyber actor exploitation of a computer system."

Microsoft released Windows 7 in 2009. It stuck around on some systems because the follow-up Windows 8 release (2012) wasn't user friendly. Windows 10 finally arrived in 2015 as the preferred path forward for most PCs.

Water Supply Hacker Attack: How It Was Stopped

The cyber crew reportedly gained remote access to the city of Oldsmar’s (near Tampa) water supply and tried to contaminate it with high levels of sodium hydrochloride (lye), a highly caustic chemical, Bob Gualtieri, Pinellas County sheriff, said, according to a Tampa Bay Times report. Lye is water soluble and is commonly used to purify drinking water to reduce the levels of toxic metals. However, in large amounts it can cause chemical burns.

Oldsmar provides water to some 15,000 citizens and businesses, Gualtieri said. At no time was the city’s water supply affected, he said. The Federal Bureau of Investigation, the Secret Service and the Sheriff’s office are investigating, but the unknown perpetrators remain at large at this point. Gualtieri said nearby townships have been informed of the attack.

Here’s what happened, according to the Tampa Bay Times report:

  • A plant operator was monitoring the system and noticed that someone had accessed it. He didn’t think much of it because his supervisor remotely accessed the system regularly.
  • But then someone entered the system again, accessed software that controls water treatment and increased the amount of lye from 100 parts per million to 11,100 parts per million.
  • When the attacker left the system, the operator immediately changed the concentration back to 100 parts per million.

“The guy was sitting there monitoring the computer as he’s supposed to and all of a sudden he sees a window pop up that the computer has been accessed,” Gualtieri said. “The next thing you know someone is dragging the mouse and clicking around and opening programs and manipulating the system.” Fortunately, the hack had no “significant adverse effect on the water being treated,” the sheriff said. Oldsmar residents were never at risk because it would have taken more than a day for the water to enter the water supply, he said.

U.S. Infrastructure and Cyberattacks: Painful Reminder

The incident is a stark reminder that security breaches of the nation’s critical infrastructure could be life threatening. Lynsey Wolf, senior counter-insider threat analyst, security and business intelligence at Dtex Systems, a San Jose, California-based cyber intelligence provider, asked what damage could have been done if the plant operator hadn’t been monitoring the system. “The question providers of critical infrastructure need to be asking themselves is, if this were to happen within their organization during the hours that the plant operator was not monitoring their computer, would they have caught this attack before any real, life-threatening damage was done?” Wolf said. “The moment an outsider breaches an organization they become an insider threat.”

It doesn’t take a highly skilled attacker to execute a breach against systems such as Oldsmar’s water treatment plant, said Chloé Messdaghi, strategy vice president at Point3 Security, a Baltimore, Maryland-headquartered security information provider. “Water plants are not known for their security resources, and between budget cuts and Covid keeping people working remotely, they’re even more vulnerable,” Messdaghi said. “It’s becoming more and more easy to access systems like these by people who have hardly any experience at all.”

U.S. Cybersecurity Strategy: President Biden's Moves

Meanwhile, the Biden administration is making multiple cybersecurity moves to coordinate and strengthen cyber policies and infrastructure protection across the country.

Additional insights from Joe Panettieri.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.