A hacker who last week tried to poison a Florida city’s water supply used a remote access software platform that had been dormant for months, Pinellas County Sheriff Bob Gualtieri told CNN on Tuesday.
The cyber-intruder got into Oldsmar’s water treatment system twice on Friday — at 8 a.m. and 1:30 p.m. — through a dormant software called TeamViewer. The software hadn’t been used in about six months but was still on the system.
“How they got in, whether it was through a password or through something else, I can’t tell you that,” said Gualtieri.
However, Oldsmar’s assistant city manager, Felicia Donnelly, told CNN that a password was required for the system to be controlled remotely.
TeamViewer, which is based in Germany and has more than half a million customers around the world using commercial licenses, said that there was no indication of suspicious activity.
“Based on cooperative information sharing, a diligent technical investigation did not find any indication for suspicious connection activity via our platform,” TeamViewer spokesperson Martina Dier told CNN on Wednesday.
Once inside the system, the hacker adjusted the level of sodium hydroxide, or lye, to more than 100 times its normal levels, Gualtieri said. The system’s operator noticed the intrusion and immediately reduced the level back. At no time was there a significant adverse effect to the city’s water supply, and the public was never in danger, he said.
The identity of the hacker, or hackers, isn’t yet known. Gualtieri praised the operator who spotted the attack on Friday and said current and former employees have been interviewed after early consideration of an insider threat. There are currently no suspicions or indications that’s the case, he said.
The incident highlights how some critical infrastructure systems are vulnerable to hacking because they are online and use remote access programs, sometimes with lax security.
Vulnerabilities in critical infrastructure systems
Gualtieri said the water treatment facility currently uses a Google Chrome product for remote access. The Oldsmar water treatment system is also using the Windows 7 operating system, which was released in 2009, a source familiar with the investigation said.
The outdated operating system was not the weakness here given that the hacker did not exploit a vulnerability, according to Rob Lee, the CEO of cybersecurity firm Dragos.
“There was software that allows remote access that was internet exposed, which means anyone could log in,” he said. “To impact industrial systems you don’t need exploits. You just need to know how to use the system — in this case a human machine interface that operated the plant.”
Remote access software, like TeamViewer and Chrome in Oldsmar’s case, are extremely common on infrastructure sites, Lee said. That makes them targets.
“The reality is though for thousands of sites, especially amongst the smaller community members, this same scenario is possible,” he said.
Chris Krebs, the former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, wrote on Wednesday that the Oldsmar hack highlights how dire the challenge is.
“Unfortunately, that water treatment facility is the rule rather than the exception,” Krebs wrote in a column for The Hill. “When an organization is struggling to make payroll and to keep systems on a generation of technology created in the last decade, even the basics in cybersecurity often are out of reach.”
Importance of remote access software
Lee said this type of attack is precisely what keeps industry experts awake at night.
“It was not particularly sophisticated, but it’s exactly what folks worry about, and as one of a very few examples of someone making an attempt to hurt people, it’s a big deal for that reason,” Lee said.
However, Gualtieri rejected speculation that the attack wasn’t sophisticated.
“It could be that somebody somehow compromised the password and the password got out. Or it could be pretty sophisticated where you’ve got somebody who’s doing what intrusion hackers do: looking out there all the time for potential vulnerabilities and administrator credentials,” he said.
Gualtieri said the potential danger of an attack like this should prompt a discussion about remote access to software, adding that he’d never seen an attack like this.
“This is a new one for us,” the sheriff said.
Damon Small, the technical director of security consulting at NCC Group North America, told CNN that remote access was a key part of critical infrastructure and cautioned against demonizing it.
“Remote access is used all the time. That’s not the failure here. The failure was that someone got ahold of it,” he said.
Israel reaches out to US investigators
Gualtieri said the county is coordinating with the FBI and US Secret Service, but the county is taking the lead on the investigation, using an in-house lab for the forensic analysis of the attack.
Asked why the Secret Service is involved, Gualtieri pointed to their work on computer fraud and agreed Sunday’s Super Bowl in Tampa “certainly has something to do with it,” given that the attack happened Friday. The attack was reported to the FBI’s Joint Terrorism Task Force, which the Secret Service is a part of, “so they were involved at that point.”
Israel’s National Cyber Directorate (NCD), the cybersecurity government agency, said Wednesday they had reached out to counterparts in the US investigating the Oldsmar hack.
“The Israel National Cyber Directorate has contacted its US equivalents about the case (in Oldsmar, FL) as part of standard and accepted information-sharing in the cyber field, which is intended to learn from other cases in the world and augment the methods of resistance,” the institution said in a statement.
Last April, Israeli water facilities were targeted in an attack that NCD head Yigal Unna described as a “changing point in the history of modern cyber warfare.” He said the facilities were targeted in a “synchronized and organized attack aimed at our water systems.”
Had the attack been successful, Unna said, it could have caused significant damage to civilian water supplies. He also appeared to suggest the hack targeted chlorine flow into water treatment units, which could have been harmful to public health.
In his May 2020 presentation to an online CyberTech conference, the NCD head did not say who he believed was behind the attack in Israel, but noted it had not been accompanied by the type of ransom demands or attempt to gain financially that would be expected if it had been carried out by cyber criminals.