U.S. security agencies revealed that preliminary information from the Oldsmar water plant hack suggests that the unidentified cyber actors likely accessed the water treatment system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system.
The hackers possibly obtained unauthorized access to the supervisory control and data acquisition (SCADA) system; according to an advisory issued last week, it is likely that ‘a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system’.
Security experts had said soon after the Oldsmar water plant hack was disclosed that the TeamViewer software could have been compromised. It has been publicly acknowledged that an operator machine had a remote access software package, TeamViewer, installed and accessible from the Internet, Ben Miller, an executive at cybersecurity company Dragos, wrote in a blog post. This led to manipulation of the control set points for the dosing rate of sodium hydroxide into the water, he added.
The joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Onsite response to the Oldsmar water plant hack is provided by the Pinellas County Sheriff’s Office (PCSO), the U.S. Secret Service (USSS), and the FBI.
The agencies detected a pattern of corrupt insiders and outside cyber actors using desktop sharing software to victimize targets in a range of organizations, including those in the critical infrastructure sectors. In addition, cyber criminals targeted and exploited desktop sharing software and computer networks running operating systems with end-of-life status to gain unauthorized access to systems.
Apart from this advisory, the Commonwealth of Massachusetts issued a cybersecurity advisory for public water suppliers, detailing how these agencies can protect themselves from cyber attacks on water supplies.
Details from the Massachusetts agency reveal that water treatment plant personnel had installed TeamViewer remote access software for the plant’s SCADA controls on one of several computers, which they used to conduct system status checks and respond to alarms or any other issues that arose during the water treatment process.
“All computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed,” the advisory discloses.
Computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system, which has become susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities.
Last January, Microsoft ended support for the Windows 7 operating system, along with security updates and technical support, except for customers who purchased an Extended Security Update (ESU) plan, according to the advisory issued by the U.S. security agencies. The ESU plan is paid per device and available for the Windows 7 Professional and Enterprise editions, with a price that rises the longer a customer continues to use the system. Microsoft will only offer the ESU plan until January 2023. Continued use of Windows 7 increases the risk of cyber actor exploitation of a computer system.
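The weaknesses described above (a shared remote-access password, desktop-sharing software exposed directly to the Internet with no firewall, and an end-of-life Windows 7 build) can be checked against a plant's workstation inventory. The following audit script is an added example, not code from the article or from any of the agencies quoted; the inventory records, field names and "fp-" fingerprint values are constructed, and the Windows 7 milestone dates are Microsoft's published ones rather than figures from the article.

```python
from datetime import date
# Windows 7 support milestones (public Microsoft dates, not from the article).
WIN7_EOL = date(2020, 1, 14)       # end of free security updates
WIN7_ESU_END = date(2023, 1, 10)   # last paid Extended Security Update
# Constructed inventory records, one per SCADA-connected workstation.
# "pw_fingerprint" stands for a salted hash of the remote-access password,
# so password reuse across hosts can be detected without the password itself.
INVENTORY = [
    {"host": "ops-pc-1", "os": "Windows 7 32-bit", "esu": False,
     "remote_tool": "TeamViewer", "internet_facing": True,
     "firewall": False, "pw_fingerprint": "fp-shared"},
    {"host": "ops-pc-2", "os": "Windows 7 32-bit", "esu": True,
     "remote_tool": "TeamViewer", "internet_facing": True,
     "firewall": True, "pw_fingerprint": "fp-shared"},
    {"host": "hist-srv", "os": "Windows 10", "esu": False,
     "remote_tool": None, "internet_facing": False,
     "firewall": True, "pw_fingerprint": "fp-unique"},
]

def os_unsupported(rec, today):
    """True when the host's Windows 7 no longer receives security updates."""
    if not rec["os"].startswith("Windows 7"):
        return False
    return today > (WIN7_ESU_END if rec["esu"] else WIN7_EOL)

def audit(inventory, today=None):
    """Map each host to the advisory weaknesses found on it (empty list = clean)."""
    today = today or date.today()
    findings = {r["host"]: [] for r in inventory}
    for r in inventory:
        if os_unsupported(r, today):
            findings[r["host"]].append("end-of-life OS without security updates")
        if r["remote_tool"] and r["internet_facing"]:
            msg = "desktop-sharing software reachable from the Internet"
            if not r["firewall"]:
                msg += " with no firewall"
            findings[r["host"]].append(msg)
    # One remote-access password on several machines: same fingerprint twice.
    hosts_by_fp = {}
    for r in inventory:
        hosts_by_fp.setdefault(r["pw_fingerprint"], []).append(r["host"])
    for hosts in hosts_by_fp.values():
        if len(hosts) > 1:
            for h in hosts:
                findings[h].append(f"remote-access password shared with {len(hosts) - 1} other host(s)")
    return findings

if __name__ == "__main__":
    for host, issues in audit(INVENTORY, date(2021, 2, 15)).items():
        print(host, issues or ["no findings"])
```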
Hackers continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits. Microsoft released an emergency patch for its older operating systems, including Windows 7, after an information security researcher discovered an RDP vulnerability in May 2019.
From the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the vulnerability, the U.S. security agencies noted. Cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks. The xDedic Marketplace, taken down by law enforcement in 2019, flourished by exploiting RDP vulnerabilities around the world.
The Oldsmar water plant hack puts the spotlight on data from industrial cybersecurity company Claroty, which reveals a 25 percent rise for the second half of 2020 in industrial control system (ICS) vulnerabilities compared to 2019, with over 70 percent of flaws remotely exploitable through network attack vectors. Among various critical infrastructure sectors, water and wastewater saw an increase in disclosed ICS cybersecurity vulnerabilities of 54 percent from the second half of 2019 and 63 percent from the second half of 2018.
“More sophisticated bad actors are also likely looking at this event as a reminder of the potential and now the ease of targeting such operations,” wrote Curtis Simpson, CISO at security firm Armis, in a blog post. “Unfortunately, the ransom that could be demanded if a bad actor was able to gain full control of such a utility management system would likely be unparalleled, and they’ve just been reminded of how easy this may be to execute.”
“Unfortunately, this is not the first, and probably not the last attack on critical infrastructure,” industrial cybersecurity firm OTORIO said in a blog post. “Attacks across all sectors are growing bolder, more frequent, and exponentially more expensive for the victims. As operational networks become more connected, they are receiving special attention from attackers. These networks control the heart of critical operations. They make up the essence of operational continuity.”
“Every water facility (I know of) has that exact risk scenario – both abusing remote access and manipulating water treatment – on their radar,” wrote ICS cybersecurity expert Sarah Fluchs on LinkedIn. “I’m not saying you can’t / shouldn’t defend against attacks like these. Just saying the incident is probably not going to shock water utilities as much as the security bubble expects. Water utilities are not clueless regarding cybersecurity, and yes, they likely know about the pitfalls of [teamviewer],” she added.
Shifting the focus to better OT infrastructure control can provide a full audit trail and give ICS administrators the intelligence, insights and ability to roll back to a ‘last known good state,’ wrote Barak Perelman, vice president for OT security at Tenable, in a blog post.
“OT environments are core to the operation of nearly all critical infrastructure and manufacturing facilities,” Perelman added. “Our need to secure these critical environments against threats is as important, if not more, than securing our IT infrastructures which are connected to them. Gaining visibility, security and control over OT environments is crucial – lives literally depend on it.”