Alleged Daixin hackers strike at NTMWD water utility, causing disruptions

The North Texas Municipal Water District (NTMWD) recently experienced a ‘cybersecurity incident,’ but officials have confirmed that water services remain unaffected. The incident primarily impacted the district’s business computer network and phone system based in Wylie. As a result, the organization is currently facing operational challenges. NTMWD serves a population of two million in North Texas, and the attack has caused disruptions for the utility.

The ransomware gang Daixin Team reportedly claimed responsibility for the attack Monday and said the data it obtained in its attack included names, dates of birth, and Social Security numbers. Experts believe that the group is relatively new and smaller than the Play and Royal gangs that attacked Dallas County and the city of Dallas, respectively.

Quoting authorities, the news report said that the ransomware gang has primarily focused its attention on healthcare and public health (HPH) organizations. Daixin appears to use several methods to gain access to systems, including phishing emails to access VPN (virtual private network) credentials and exploiting vulnerabilities in VPN servers to access a network.

Alex Johnson, director of communications for NTMWD, told Recorded Future News that they recently detected a cyberattack affecting their business computer network. “Most of our business network has been restored. Our core water, wastewater, and solid waste services to our Member Cities and Customers have not been impacted by this incident, and we continue to provide those services as usual,” he added.

“Our phone system was also affected by this incident, and we hope to have it back online this week,” Johnson said. “NTMWD has engaged third-party forensic specialists who are actively investigating the extent of any unauthorized activity. The investigation is ongoing at this time and includes a review of any potentially impacted District data.”

NTMWD, which employs over 850 individuals, offers wholesale water, wastewater, and solid waste management services to more than 13 cities in the state, including Plano and Frisco.

The NTMWD cyber attack comes at a time when the Cybersecurity and Infrastructure Security Agency (CISA) is responding to the active exploitation of Unitronics programmable logic controllers (PLCs) used in the water and wastewater systems (WWS) sector. 

The Municipal Water Authority of Aliquippa confirmed on Saturday that one of their booster stations had fallen victim to a cyber attack orchestrated by an Iranian-backed cyber group. The CyberAv3ngers hackers managed to gain control over the station, which is situated on the outskirts of the town. This particular station is responsible for monitoring and regulating pressure for Raccoon and Potter Townships. As a result of the breach, an alarm was triggered immediately.

Hackers have likely accessed the affected device—a Unitronics Vision Series PLC with a Human Machine Interface (HMI)—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet. The Pennsylvania State Police is currently investigating the exploitation of the Unitronics PLCs.

Commenting on the cyber attacks in Pennsylvania and North Texas, Geoff Mattson, CEO at Xage Security, wrote in an emailed statement that they “demonstrate that no matter the motive, critical infrastructure is in the crosshairs. Regardless of the reasoning, the fact that the adversaries were able to breach their IT and OT systems in the first place is concerning. Identity-first cybersecurity focuses on preventing the intrusion and lateral movement necessary to carry out attacks like these.”

He added that most legacy solutions rely on a network-first approach, which falsely assumes that attackers can be kept out and that anything and anyone on the inside can be trusted. “The growing attacks show this is a categorically false assumption. The security industry needs to step up and do a better job protecting mission-critical environments, especially when human safety is at stake.”

Mattson said that although water supplies have not been affected so far, “cyber hardening is needed when it comes to operational technology systems deployed at plants like these, it’s paramount that identity-based controls are implemented to ensure that only authorized users can access the system, and only access the systems for the window of time needed to fulfill their task.”
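The control Mattson describes, identity-based access that is granted only for the window of time a task needs, can be modelled as a small policy evaluator. The following is an added example written for this article; it is not NTMWD's, Xage Security's, or any vendor's code. The role names, asset names (such as a booster-station PLC) and user names are constructed for illustration, and the role-to-action mapping is an assumption.

```python
"""Time-boxed, identity-based access checks for OT assets.

Added illustration (not NTMWD's or Xage's code): every request to an OT
asset is evaluated against explicit, per-user grants that expire, so access
exists only for the window needed to finish the task. Asset, user and role
names below are constructed examples.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed role -> permitted actions mapping (not from the article).
ROLE_ACTIONS = {
    "viewer": {"read"},
    "operator": {"read", "write_setpoint"},
    "engineer": {"read", "write_setpoint", "download_logic"},
}


@dataclass(frozen=True)
class AccessGrant:
    user: str
    asset: str
    role: str
    not_before: datetime
    not_after: datetime


def issue_grant(user, asset, role, start, minutes):
    """Create a grant for `user` on `asset` valid from `start` for `minutes`."""
    if role not in ROLE_ACTIONS:
        raise ValueError(f"unknown role {role!r}")
    if minutes <= 0:
        raise ValueError("grant window must be positive")
    return AccessGrant(user, asset, role, start, start + timedelta(minutes=minutes))


def evaluate_access(grants, user, asset, action, now):
    """Deny by default; return (allowed, reason) suitable for an audit log.

    A request is allowed only if some grant names this user and asset, is
    active at `now`, and carries a role that permits the requested action.
    """
    matching = [g for g in grants if g.user == user and g.asset == asset]
    if not matching:
        return False, f"no grant for {user} on {asset}"
    active = [g for g in matching if g.not_before <= now < g.not_after]
    if not active:
        return False, f"no active grant for {user} on {asset} at {now.isoformat()}"
    for g in active:
        if action in ROLE_ACTIONS[g.role]:
            return True, f"{user} may {action} on {asset} until {g.not_after.isoformat()}"
    return False, f"active grant(s) for {user} on {asset} do not permit {action}"


def demo():
    """Run the evaluator over constructed grants and return the decisions."""
    t0 = datetime(2023, 11, 28, 9, 0, tzinfo=timezone.utc)  # constructed time
    grants = [
        issue_grant("alice", "booster-1-plc", "operator", t0, 120),  # 2-hour window
        issue_grant("carol", "plant-hmi", "viewer", t0, 60),         # read-only hour
    ]
    return {
        "alice_in_window": evaluate_access(
            grants, "alice", "booster-1-plc", "write_setpoint", t0 + timedelta(hours=1)),
        "alice_after_expiry": evaluate_access(
            grants, "alice", "booster-1-plc", "write_setpoint", t0 + timedelta(hours=3)),
        "bob_no_grant": evaluate_access(
            grants, "bob", "booster-1-plc", "read", t0 + timedelta(hours=1)),
        "carol_wrong_role": evaluate_access(
            grants, "carol", "plant-hmi", "write_setpoint", t0 + timedelta(minutes=30)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The reason string returned with every decision is meant to be logged as-is, so that expired, missing and under-privileged grants are distinguishable in an audit trail rather than collapsing into a generic denial.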
