US govt reveals three more ransomware attacks on water treatment plants this year

Ransomware gangs have silently hit three US water and wastewater treatment facilities this year, in 2021, the US government said in a joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA.

The attacks —which had been previously unreported— took place in March, July, and August and hit facilities in Nevada, Maine, and California, respectively.

The attacks led to the threat actors encrypting files, and in one case, even corrupting a computer used to control the SCADA industrial equipment deployed inside the treatment plant.

The three new incidents [see below] were listed as examples of what could happen when water treatment facilities ignore and fail to secure their computer networks.

• In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS [water and wastewater system] facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
• In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility's wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.
• In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim's SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).

Two other examples from previous years were also included in the joint advisory:

• In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.
• In March 2019, a former employee at Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer [see media coverage].

Three incidents that were not included in the joint advisory but which also hit water treatment had been widely reported also included:

• In January 2021, a hacker tried to poison a water treatment plant that served parts of the San Francisco Bay Area [see media coverage].
• In February 2021, a hacker tried to alter chemical levels at the WWS facility in Oldsmar, Florida. The intrusion was detected right away, and the hacker's modifications were reversed. [see media coverage]
• In May 2021, hackers breached the network of the Belle Vernon Municipal Authority in Pennsylvania [see media coverage].

The four US government agencies said that the joint advisory published today does not show an uptick in cyber activity targeting US water systems.

Instead, they said that while attacks on other sectors are more common, any malicious activity targeting the US water system "threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities," hence a reason to be proactive in making sure the security posture of these facilities is up to par with the role they play.

"CISA, FBI, EPA, and NSA strongly urge organizations to implement the measures described in the Recommended Mitigations section of this advisory," the four agencies said.