The UK Register reported that a “hacktivist” group with ties to Syria and ISIS infiltrated an American water utility’s control system and was temporarily able to change the levels of chemicals used to treat tap water. However, it appears that little to no damage occurred and the water treatment was corrected. The Register reports:
The cyber-attack is documented in this month’s IT security breach report (available here, registration required) from Verizon Security Solutions. The utility in question is referred to using a pseudonym, Kemuri Water Company (KWC), and its location is not revealed.
The hacktivists compromised KWC’s computers “by exploiting unpatched web vulnerabilities in its internet-facing customer payment portal,” Verizon’s RISK report states. It also reports that this isn’t the first time hacktivists have targeted utilities.
Reports that hackers have breached water treatment plants are rare but not unprecedented. For example, computer screenshots posted online back in November 2011 purported to show the user interface used to monitor and control equipment at the Water and Sewer Department for the City of South Houston, Texas by hackers who claimed to control its systems. The claim followed attempts by the US Department of Homeland Security to dismiss a separate water utility hack claim days earlier.
More recently hackers caused “serious damage” after breaching a German steel mill and wrecking one of its blast furnaces, according to a German government agency. Hackers got into production systems after tricking victims with spear phishing emails, said the agency.
Spear phishing also seems to have played a role in attacks linking the BlackEnergy malware against power utilities in the Ukraine and other targets last December. The malware was used to steal user credentials as part of a complex attack that resulted in power outages that ultimately left more than 200,000 people temporarily without power on 23 December.
Fortunately, this time, the hacktivists unsuccessfully manipulated the valves that control the flow of chemicals, twice, either because they didn’t know how to correctly use the SCADA systems or because they didn’t intend to cause any harm.
The UK Register also reported in depth on a similar security breach that occurred in Illinois, based on the disclosed contents of a November 10 report from the Illinois Statewide Terrorism and Intelligence Center, provided by an industrial control systems security expert, Joe Weiss. The report indicates that “attackers destroyed a pump belonging to a regional water utility in that state by hackers who gained access to supervisory control and data acquisition systems that manage the utility’s machinery. That report remains unconfirmed, although the DHS spokesman said officials from his agency and the FBI are investigating.”
However, if they didn’t mean to cause any harm, why did they have a need to “hack” the system?
And how has the Department of Homeland Security been unable to prevent these types of attacks?