Water utility contractor hosted malicious code that led to Oldsmar plant hack


Dragos researchers have discovered that an unnamed Florida water utility contractor hosted malicious code on its website, code that seemingly targeted water utilities, particularly in Florida. More significantly, the code was accessed by a browser from the city of Oldsmar on the same day as the poisoning event at the city’s water utility.

The hacker is believed to have inserted the malicious code into the footer file of the WordPress-based site of a Florida water infrastructure construction company, Dragos said in a report it describes as an ‘investigative anecdote.’

“With the forensic information we collected so far, Dragos’ best assessment is that an actor deployed the watering hole on the water infrastructure construction company site to collect legitimate browser data for the purpose of improving the botnet malware’s ability to impersonate legitimate web browser activity,” Dragos researcher Kent Backman wrote in the post. “The adversary possibly exploited one of the multiple vulnerable WordPress plugins that Dragos determined were in use on the site at the time of compromise,” he added.

Dragos was able to identify exactly one other internet site that hosted the same complex code and served it to visiting browsers: DarkTeam Store. DarkTeam Store claims to be a dark market that supplies thousands of customers with gift cards and accounts. On further investigation, Dragos found that at least a portion of this site may not actually be a dark market, but rather a check-in point for systems infected with a recent variant of the botnet malware known as ‘Tofsee.’

Additionally, Dragos found evidence that the DarkTeam Store and the water infrastructure construction company website were subverted by the same actor on Dec. 20. The malicious data-gathering campaign affected computer systems for a 58-day window.

The website, which belonged to a Florida water utility contractor, had been compromised in late December by hackers who then hosted malicious code that seemed to target water utilities, particularly those in Florida, Backman wrote. Over 1,000 end-user computers visited the site during the 58-day window that the site was infected, he added.

Dragos assisted with identification of the malicious code and initial remediation of the compromised website in February, according to Backman. Those who interacted with the malicious code included computers from municipal water utility customers, state and local government agencies, various water industry-related private companies, and ordinary internet bot and website crawler traffic. Over 1,000 end-user computers were profiled by the malicious code during that time, mostly from within the U.S. and the state of Florida, he added.

Dragos was unable to determine why the hacker zeroed in on the Florida water construction company site to compromise and to host their code. “Interestingly, and unlike other watering hole attacks, the code did not deliver exploits or attempt to achieve access to victim computers. It is possible the actor believed that the water infrastructure construction website would allow more dwell time to collect data important for the actor’s objectives, than perhaps a busier but more closely monitored website with a dedicated security team,” the report added.

Several elements early in Dragos’ investigation suggested a highly potent and dangerous threat to water utilities: the Florida-focused watering hole, the temporal correlation with the Oldsmar event, the highly encoded and sophisticated JavaScript, the small number of locations on the internet hosting the code, and the known industrial control system (ICS)-targeting activity groups that use watering holes for initial access, including Dymalloy, Allanite and Raspite.

Further investigation revealed a less ominous threat, but the case provided an excellent lesson in alerting the industry early to potential threats while continuing the investigation until the full scope and intent of the events can be understood.

“This is not a typical watering hole. We have medium confidence it did not directly compromise any organization,” Backman said. “But it does represent an exposure risk to the water industry and highlights the importance of controlling access to untrusted websites, especially for Operational Technology (OT) and Industrial Control System (ICS) environments,” he added.
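One practical follow-up to the findings above, as an added example that is not from the Dragos report or this article: a retro-hunt over web proxy logs for any internal host that reached the compromised site during the 58-day window, surfacing OT-segment hosts first. The domain, the OT address range, the window end date and the log lines are constructed placeholders; the article does not name the site.

```python
"""Retro-hunt of web proxy logs for visits to a known watering-hole domain.

Added example, not part of the Dragos report or the article. The domain,
the OT subnet and the log lines are constructed placeholders; the window
start follows the report's Dec. 20 compromise date (2020 assumed).
"""
from collections import defaultdict
from datetime import date, datetime
from ipaddress import ip_address, ip_network

WATERING_HOLE = "contractor.example"        # constructed placeholder domain
OT_SEGMENT = ip_network("10.50.0.0/16")      # assumed OT/ICS address range
WINDOW_START = date(2020, 12, 20)            # compromise date per the report
WINDOW_END = date(2021, 2, 16)               # assumed end of the 58-day window

# Constructed sample lines: "<ISO timestamp> <client ip> <host> <status>"
SAMPLE_LOG = """\
2020-12-19T08:01:10 10.50.3.7 contractor.example 200
2021-01-05T14:22:31 10.50.3.7 contractor.example 200
2021-01-05T14:23:02 10.20.1.15 contractor.example 200
2021-02-05T09:10:44 10.50.9.2 contractor.example 200
2021-02-05T09:11:00 10.20.1.15 vendor.example 200
""".splitlines()


def parse_line(line):
    """Split one constructed proxy log line into (datetime, ip, host)."""
    ts, ip, host, _status = line.split()
    return datetime.fromisoformat(ts), ip_address(ip), host


def hunt(lines, domain=WATERING_HOLE, start=WINDOW_START, end=WINDOW_END):
    """Return ({client_ip: visits} for hosts that reached `domain` inside
    the window, the subset of those hosts inside the OT segment)."""
    hits = defaultdict(int)
    for line in lines:
        ts, ip, host = parse_line(line)
        # The Dec. 19 sample line falls before the window and is skipped.
        if host == domain and start <= ts.date() <= end:
            hits[str(ip)] += 1
    ot_hits = {ip: n for ip, n in hits.items() if ip_address(ip) in OT_SEGMENT}
    return dict(hits), ot_hits


if __name__ == "__main__":
    all_hits, ot = hunt(SAMPLE_LOG)
    print("hosts that visited the watering hole:", all_hits)
    print("of those, in the OT segment (review first):", ot)
```

Hosts in the OT result should be checked for any follow-on activity even though the report assesses the code as profiling only.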

In February, unidentified cyber attackers gained access twice in a single day to a computer that controls the water treatment process at the Oldsmar water treatment plant. The initial intrusion was detected by a plant operator, who noticed that someone had remotely accessed the computer system that controls the chemicals and other operations of the plant, officials said at the time. The software was set up to allow remote access for certain authorized users to troubleshoot problems from other locations.

The staffer did not at first think much of the intrusion. But later in the day, another intrusion was detected, this time with the hacker taking control of the mouse, operating the computer system remotely, and opening various functions on the screen for about three to five minutes.

One of the functions opened was the one that controlled the amount of sodium hydroxide in the water. The hacker increased the sodium hydroxide level from about 100 parts per million (ppm) to about 11,100 ppm, an extremely dangerous level for the water system, the officials said.

U.S. security agencies subsequently said that preliminary information suggested the hackers may have obtained unauthorized access to the SCADA system by exploiting cybersecurity weaknesses, including poor password security and an outdated operating system.

Last month, the U.S. Environmental Protection Agency (EPA) released its 2021 notice of funding availability to implement newer approaches, including cybersecurity and green infrastructure, and to boost investment in critical water infrastructure through innovative and flexible financing that can support a range of projects in both large and small communities.
