[BreachExchange] US government discloses more ransomware attacks on water plants

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Oct 15 09:52:14 EDT 2021


https://www.bleepingcomputer.com/news/security/us-government-discloses-more-ransomware-attacks-on-water-plants/

U.S. Water and Wastewater Systems (WWS) Sector facilities have been
breached multiple times in ransomware attacks during the last two years,
U.S. government agencies said in a joint advisory on Thursday.

The advisory also mentions ongoing malicious activity targeting WWS
facilities that could lead to ransomware attacks affecting their ability to
provide potable water by effectively managing their wastewater.

Since they are part of the 16 U.S. critical infrastructure sectors, their
compromise and incapacitation via spearphishing and outdated software
exploitation attacks would directly impact national security, economic
security, and public health or safety.

Multiple ransomware strains were used in the incidents revealed in this
advisory to encrypt water treatment facilities' systems, including Ghost,
ZuCaNo, and Makop ransomware:

- In August 2021, malicious cyber actors used Ghost variant ransomware
  against a California-based WWS facility. The ransomware variant had been
  in the system for about a month and was discovered when three supervisory
  control and data acquisition (SCADA) servers displayed a ransomware
  message.
- In July 2021, cyber actors used remote access to introduce ZuCaNo
  ransomware onto a Maine-based WWS facility's wastewater SCADA computer.
  The treatment system was run manually until the SCADA computer was
  restored using local control and more frequent operator rounds.
- In March 2021, cyber actors used an unknown ransomware variant against a
  Nevada-based WWS facility. The ransomware affected the victim's SCADA
  system and backup systems. The SCADA system provides visibility and
  monitoring but is not a full industrial control system (ICS).
- In September 2020, personnel at a New Jersey-based WWS facility
  discovered potential Makop ransomware had compromised files within their
  system.

Attackers had also infiltrated WWS plants' networks attempting to poison
the drinking water, as happened in March 2019 when a former employee at a
Kansas-based WWS facility failed in his attempt to use unrevoked
credentials for malicious purposes after he resigned.

While not included in the advisory, an unknown threat actor also gained
access to the water treatment system for Oldsmar, Florida, in February 2021
and tried to poison the town's drinking water by raising the levels of
chemicals used to clean wastewater to hazardous levels.

Other breaches of water treatment facilities have happened over the past
two decades, including a South Houston wastewater treatment plant in 2011,
a water company with outdated software and hardware equipment in 2016, the
Southern California Camrosa Water District in August 2020, and a
Pennsylvania water system in May 2021.

"To secure WWS facilities—including Department of Defense (DoD) water
treatment facilities in the United States and abroad— [..] , CISA, FBI,
EPA, and NSA strongly urge organizations to implement the measures
described in the Recommended Mitigations section of this advisory," the
joint advisory says.