Hackers exploited shared passwords and obsolete Windows 7 OS to infiltrate Florida water treatment plant
Systems at the plant were connected directly to the Internet without any type of firewall protection installed and systems shared the same password
Weak network security measures and an obsolete version of Windows allowed hackers to compromise the computer systems at a water treatment plant in Oldsmar, Florida, and alter the chemical levels in the plant's water, federal investigators stated in an advisory issued this week.
According to government officials, computer systems at the Bruce T. Haddock Water Treatment Plant in Oldsmar were running on Windows 7, which has not received security updates from Microsoft for a year.
"The hackers also likely used the desktop sharing software TeamViewer to gain unauthorised access to the system," the officials stated.
They further revealed that all systems shared the same password for remote access and were connected directly to the Internet without any type of firewall protection.
The government advisory also stated that the unidentified attacker logged into the remote access TeamViewer software, accessed the supervisory control and data acquisition (SCADA) system and then attempted to increase sodium hydroxide levels by 100 times.
Sodium hydroxide, also known as lye, is used in small amounts to remove metals from water.
Fortunately, the attacker's attempt to poison the water supply was stopped almost immediately. A supervisor tasked with monitoring the control systems noticed the mouse pointer on a plant console moving across the screen.
The supervisor also observed that the intruder had changed the "dosing amounts" settings on the system.
Senior officials at the plant immediately reversed the changes, and the water treatment process was unaffected.
Had the alterations not been noticed, it would have taken about 24-36 hours to affect the water supply. However, a secondary chemical check would have detected the dangerous level of chemicals and stopped the water supply.
"In the industry, we were all expecting this to happen," Lesley Carhart, principal incident responder at Dragos Security, told the Associated Press.
"We have known for a long time that municipal water utilities are extremely underfunded and under-resourced, and that makes them a soft target for cyberattacks."
Federal officials are currently trying to determine whether the hacker was domestic or foreign.
Security experts have repeatedly warned in recent years that cyber attacks against critical infrastructure in the US are on the rise.
In 2013, a Congressional report claimed that American utility providers were under constant assaults from hackers, with one electricity firm reporting 10,000 attempted cyber attacks in a single month.
In December 2016, Russian hackers planted malware in the network of Ukraine's national grid operator and used it, just two days before Christmas, to trip every single circuit breaker in a power transmission station located close to Kyiv, Ukraine's capital.
Last month, the US government also acknowledged that hackers backed by a foreign government were able to breach the computer networks of the US Treasury Department and other federal agencies in a cyber-espionage campaign that also targeted several private firms in the country by compromising SolarWinds software.