Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation

Hackers launched an attack on a wastewater treatment plant in Indiana, leading plant managers to deploy maintenance personnel to look into the suspicious activity on Friday, a local official told CNN. The official confirmed that Tipton Municipal Utilities was targeted, though it has not been compromised.

“TMU experienced minimal disruption and remained operational at all times,” Jim Ankrum, general manager of Tipton Municipal Utilities, confirmed to the news agency.

Ankrum said federal authorities were investigating the incident. Industrial Cyber has contacted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and will update as the agency provides details. 

Meanwhile, a hacking group linked to Russia has taken responsibility for the Tipton Municipal Utilities attack. This same group also claimed involvement in a series of hacking incidents targeting water facilities in Texas earlier this year.

On Saturday, Russian-speaking hackers posted a video to social media claiming credit for a cyberattack on a TMU wastewater treatment plant. Ankrum told CNN he had not watched the video but emphasized that the plant continued to operate throughout the cyberattack.

Tipton Municipal Utilities provides electricity, water and wastewater treatment for Tipton, a town of 5,000 people that is about 40 miles north of Indianapolis. 

Commenting on the TMU attack, Roger Grimes, data-driven defense evangelist at KnowBe4, wrote in an emailed statement, “There’s not a lot of transparency going on at this point in time. The water plant said they were targeted, but not compromised. But if the hackers are manipulating water plant control software, that would suggest otherwise.”

He added, “It would be nice to get an answer on whether the hackers were or weren’t able to successfully operate the water plant software.”

The latest attack on Tipton Municipal Utilities appears to be the most recent attempt by a group of Russian-speaking hackers to target water facilities in small American towns.

Last week, Mandiant researchers provided details on APT44, identified as Russia’s infamous cyber sabotage unit known as Sandworm. APT44 primarily targets government, defense, transportation, energy, media, and civil society organizations in Russia’s near abroad. Government bodies and other Critical Infrastructure and Key Resources (CIKR) operators in Poland, Kazakhstan, and Russia have frequently been included in the group’s recent targeting.

Mandiant has observed that most of the attack-and-leak operations linked to GRU-affiliated Telegram personas have targeted Ukrainian entities. Despite this focus, the intrusion activity claimed by CyberArmyofRussia_Reborn has not been restricted to this scope.

“Between 17 and 18 January 2024, the group’s Telegram channel posted videos taking credit for the manipulation of human machine interfaces (HMI) controlling operational technology (OT) assets at Polish and U.S. water utilities,” the report detailed. “On 02 March 2024, the group posted an additional video claiming to disrupt electricity generation at a French hydroelectric facility by manipulating water levels. Each of the videos posted by CyberArmyofRussia_Reborn appears to show an actor haphazardly interacting with interfaces controlling the respective water or hydroelectric facilities’ OT assets.”

Mandiant cannot independently verify the above-claimed intrusion activity or its links to APT44 at this time. “However, we note that officials from the affected U.S. utilities later publicly acknowledged incidents at entities advertised as victims in the CyberArmyofRussia_Reborn video.” 

The firm added that approximately two weeks after the Telegram post taking credit for the U.S. targeting, a local official publicly confirmed a ‘system malfunction’ that led to a tank overflowing at one of the claimed victim facilities. “This activity was reportedly part of a series of cyber incidents impacting multiple local U.S. water infrastructure systems that stemmed from ‘vendor software they use that keeps their water systems remotely accessible.’”

Amidst the rise in cyber attacks against U.S. water installations, two Congressmen have introduced a bill aimed at safeguarding water systems from cyber threats. The proposed legislation includes the establishment of a Water Risk and Resilience Organization tasked with developing risk and resilience standards specifically tailored for the water sector.
