Q&A: The Oldsmar Cyber Attack


How did hackers attempt to poison the water supply in Oldsmar, Florida?

Hackers obtained remote access to a workstation running the TeamViewer software and attempted to increase the amount of lye in the water, which can be poisonous if consumed in great enough quantities. The employee saw the attack take place as the hacker gained control of the computer through the TeamViewer software.

Have cyber attacks been attempted against water treatment plants in the past?  

There have been several documented cases where water treatment facilities have been targeted by hackers. Perhaps the first was over two decades ago, when a disgruntled employee at Maroochy Shire (Australia) took control of 142 pumping stations for three months and released over one million liters of sewage into local waterways.

Other attacks against infrastructure in more recent years include a 2013 attack against a dam facility in New York, a series of Russian attacks against Ukrainian electrical infrastructure in 2015, and, perhaps one of the most famous infrastructure attacks, the 2010 Stuxnet attack against Iranian nuclear facilities at Natanz. 

How were the hackers able to remotely access the water treatment system? 

The computer controlling the system was connected to the Internet. This differs from some previous attacks (e.g. Maroochy Shire and Stuxnet) where the systems were isolated from the Internet. In some ways, Internet exposure makes things easier for the attackers.

How was the TeamViewer software compromised in the attack?  

It is not clear precisely how TeamViewer was compromised, as the city of Oldsmar has not yet released those details. While it is possible the hackers used brute-force methods to crack the login, a more likely scenario is that they exploited a software vulnerability. For example, a 2019 software vulnerability in certain versions of TeamViewer allows hackers to bypass access control mechanisms. Using CYR3CON technology originally seeded at ASU, we have seen hacker discussions of this vulnerability in early-to-mid 2020 that included the release of hacker tools to exploit it. Other potential vulnerabilities could have been used in the attack as well.
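As an added example (not part of the original Q&A), a small review script that checks TeamViewer incoming-connection entries for sessions from remote IDs outside an operator allowlist or outside working hours, the kind of check a plant could run over its remote-access logs. The tab-separated column layout, the IDs, the hours and the log entries are assumptions constructed for illustration; verify the layout against your own installation.

```python
from datetime import datetime

# Constructed sample in the assumed layout of a TeamViewer incoming-connection
# log: remote ID, remote name, start, end, local user, session type, session GUID.
SAMPLE_LOG = """\
123456789\tops-laptop-01\t05-02-2021 09:12:41\t05-02-2021 09:30:02\tOPERATOR\tRemoteControl\t{00000000-0000-0000-0000-000000000001}
987654321\tunknown\t05-02-2021 13:02:10\t05-02-2021 13:05:44\tOPERATOR\tRemoteControl\t{00000000-0000-0000-0000-000000000002}
123456789\tops-laptop-01\t05-02-2021 03:15:00\t05-02-2021 03:40:12\tOPERATOR\tRemoteControl\t{00000000-0000-0000-0000-000000000003}
"""

# Assumed allowlist of TeamViewer IDs belonging to authorised operator machines.
KNOWN_IDS = {"123456789"}
# Local hours during which interactive remote sessions are expected (start inclusive, end exclusive).
WORK_HOURS = (7, 19)
TIME_FORMAT = "%d-%m-%Y %H:%M:%S"


def parse_sessions(text):
    """Parse tab-separated session lines; malformed lines are skipped, not fatal."""
    sessions = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 7:
            continue
        sessions.append({
            "remote_id": parts[0],
            "remote_name": parts[1],
            "start": datetime.strptime(parts[2], TIME_FORMAT),
            "end": datetime.strptime(parts[3], TIME_FORMAT),
            "user": parts[4],
            "type": parts[5],
        })
    return sessions


def flag_sessions(sessions, known_ids=KNOWN_IDS, work_hours=WORK_HOURS):
    """Return (remote_id, start, reasons) for every session worth a human look."""
    findings = []
    for s in sessions:
        reasons = []
        if s["remote_id"] not in known_ids:
            reasons.append("remote ID not in allowlist")
        if not (work_hours[0] <= s["start"].hour < work_hours[1]):
            reasons.append("session outside work hours")
        if reasons:
            findings.append((s["remote_id"], s["start"], reasons))
    return findings


if __name__ == "__main__":
    for remote_id, start, reasons in flag_sessions(parse_sessions(SAMPLE_LOG)):
        print(remote_id, start.isoformat(), "; ".join(reasons))
```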

Who was behind the attack and how will investigators draw those conclusions? 

No official statement has been made as to potential culprits, though in most cases infrastructure attacks are attributed to nation states. The reason for this is simple: criminal hackers will likely earn more money from non-infrastructure attacks. Security researchers will closely examine the tactics, techniques, and procedures (TTPs) used by the hackers in the attack to find similarities with previous attacks, as was done in the December SolarWinds incident.

What can organizations do to better protect critical infrastructure from cyber attacks? 

Critical infrastructure is inherently difficult to defend because organizations have operational requirements. For example, it is likely not possible to shut down a water treatment facility for an extended period of time to update computer systems on a regular basis. Additionally, industrial hardware has a much longer lifespan than the associated software, so maintenance protocols are often slow to address software that is vulnerable to exploitation by hackers.

The key to resolving these issues is for owners of critical infrastructure not only to keep track of the various technologies that run these industrial systems, but also to understand when new threats appear that are relevant to those systems.