Verizon, Bay Area water plant hacked due to compromises in Pulse Connect Secure appliances

Telecommunications giant Verizon and the Metropolitan Water District of Southern California have allegedly been hacked by supposedly Chinese-backed hackers using security vulnerabilities in the Pulse Connect Secure appliances, which was first brought to the public’s attention in April by the Cybersecurity and Infrastructure Security Agency (CISA).

The Associated Press has learned that the hackers targeted Verizon, and security analysts say dozens of other high-value entities that have not yet been named, were also targeted as part of the breach of Pulse Secure, which is used by many companies and governments for secure remote access to their networks. 

Among the suspected targets was the Metropolitan Water District of Southern California, which provides water to nearly 19 million people living in Los Angeles, Orange, Riverside, San Bernardino, San Diego and Ventura counties.

Last month, Mandiant said that the loopholes have been exploited by a cyber threat attacker(s), since June last year or earlier, which “we believe are affiliated with the Chinese government.” FireEye’s Mandiant division has been tracking 16 malware families that were designed to infect Pulse Secure VPN appliances, and used by several cyberespionage groups. Mandiant Threat Intelligence assesses that Chinese cyber espionage activity has demonstrated a higher tolerance for risk and is less constrained by diplomatic pressures than previously characterized.

The CISA had warned of the potential threats faced by U.S. government agencies, critical infrastructure entities, and other private sector organizations, related to vulnerabilities in certain Ivanti Pulse Connect Secure appliances, a widely used SSL remote access solution. The exploitation of these vulnerabilities could allow an attacker to place webshells on the appliance to gain persistent system access into the appliance operating the vulnerable software. 

CISA has determined that the exploitation of Pulse Connect Secure products is based on the current exploitation of these vulnerabilities by hackers in external networks, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, high potential for a compromise of agency information systems, and the potential impact of a successful compromise.

The Pulse Connect Secure appliances are widely deployed SSL VPNs for organizations of any size, across every major industry. Pulse Connect Secure includes Pulse Secure Clients and the AppConnect SDK. Pulse Clients are dynamic, multiservice network clients for mobile and personal computing devices, while the Pulse Secure AppConnect SDK delivers per-application SSL VPN connectivity for iOS and Android clients, enabling IT to increase transparency and secure mobile app experience for their users. Pulse Connect Secure appliances allow enterprises to enable zero-trust secure access to hybrid IT resources for an increasingly mobile workforce.

The Water Sector Coordinating Council conducted in April a survey of U.S. water and wastewater utilities to better understand the sector’s cybersecurity challenges and needs. The responses revealed that many utilities are implementing cybersecurity best practices, but many others’ cybersecurity programs are incomplete. Close to 60 percent of respondents address cybersecurity in their overall risk assessments.

On Jan. 15, a hacker is reported to have tried to poison a water treatment plant that served parts of the San Francisco Bay Area, the country’s largest water agency. The hacker had the username and password for a former employee’s TeamViewer account, a program that enables users to remotely control their computers, according to a private report compiled by the Northern California Regional Intelligence Center in February and seen by NBC News. 

After logging in, the hacker, whose name and motive are unknown and who hasn’t been identified by law enforcement, deleted programs that the water plant used to treat drinking water. The hack wasn’t discovered until the following day, and the facility changed its passwords and reinstalled the programs.

“No failures were reported as a result of this incident, and no individuals in the city reported illness from water-related failures,” the report noted. It did not specify which water treatment plant had been breached.

Reacting to the Bay Area water plant hack, Vytautas Butrimas, a cybersecurity expert wrote in a post for SCADAsec, that “You must remember that if you[r] operation is considered critical infrastructure, it can be an attractive target for an adversary. Hurting your operations will also hurt your community and country in terms of people’s lives, damaged property and harm to the environment.”

This is not the first time that cybersecurity attackers have been able to remotely access controls of a water plant. In February, unidentified cyber attackers were able to gain access to a panel that controls the water treatment plant at the city of Oldsmar near Tampa, Florida. A modification in the setting would have drastically increased the amount of sodium hydroxide in the water supply, which could have led to poisoning the water supply to the city. 

The U.S. administration and industry has been in recent months responding to a series of cybersecurity incidents in the critical infrastructure sector. Some of these incidents have been carried out by malicious hackers seeking ransomware, such as the Colonial Pipeline attack, and the JBS meat supplier attack.

The Biden administration has responded by releasing security directive for the pipeline owners and operators to comply with, apart from warning critical infrastructure companies to carry out necessary measures to secure the sector. CISA released guidelines for critical infrastructure owners and operators to review their operational technology (OT) assets and control systems, in direct response to the recent increase in ransomware attacks. 

The U.S. administration also issued earlier this month a memo addressed to corporate executives and business leaders, stating that tackling cybersecurity incidents was a “top priority” for the U.S. administration, as the number and size of ransomware incidents have increased significantly. A bipartisan group of senators is also planning on legislation to require a wide range of businesses to report cyberattacks to the government within 24 hours or face the loss of their contracts and financial penalties.

Last week, the Senate confirmed Chris Inglis to be the National Cyber Director in the executive office of U.S. President Joe Biden. In his role, Inglis will coordinate federal agencies’ disparate work on cyber issues and oversee the development of the nation’s digital defense strategy, as the U.S. grapples with a series of cybersecurity issues, including ransomware attacks that have targeted the nation’s critical infrastructure and the continued fallout over the SolarWinds supply chain attack.

“After 11 long years, I’m thrilled the U.S. finally has a Senate-confirmed National Cyber Director in the White House,” Jim Langevin, U.S. Congressman for Rhode Island’s Second District, wrote in a Twitter message. “Congratulations, Chris! You certainly will have your hands full, but there’s no one better suited for this job than you.” 

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.