New Cyber Attacks Hit Water and Wastewater Systems

In October, the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) put out an alert that went largely unnoticed. The alert was entitled, Ongoing Cyber Threats to U.S. Water and Wastewater Systems. Now, on the surface, this seems like it should have set off some alarms in the mainstream media, but, mostly there was silence. In fact, it becomes clear from the first paragraph of the alert that this is a more serious threat than the title indicates as both the F.B.I. and the N.S.A. were involved in this investigation. The alert was released to highlight malicious activity that “threatens the ability of WWS (Water and Wastewater Systems) facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities.” So, apparently, bad actors are trying to take control of water supply systems and wastewater treatment facilities, but to what end?

Well, that’s the first place the report falls short. Like most of these reports, you have to read between the lines. Why are they choosing this time to put out this alert? What do they know that they’re not telling us? Who is behind these attacks? All we know is that these water facilities were targeted and are being targeted by “both known and unknown actors”.

It is often the case that these agencies put out an alert when an attack is in progress but not yet announced to the general public. They do this so that, when the attack is finally announced, it appears as if they were ahead of the game. It’s a sort of marketing ploy to legitimize the existence of these agencies. So it would not surprise me if this is the case here and that we will learn of an attack on a WWS facility in the near future.

That said, the alert surprisingly admits to three cyber attacks on WWS facilities that were not previously reported. All of these targeted SCADA (supervisory control and data acquisition) system components, which is disturbing because this is the computer network component which sets the operating parameters and monitors machine operations. All of these previously unreported attacks were ransomware-based. Ransomware groups aren’t out to make a political statement. They exist for the sole purpose of making money. They do this through threats of releasing data or shutting down a network. The threat of shutting down or poisoning a water supply system is a serious one that would almost guarantee some ransomware payment because the alternative for not paying would be unthinkable. In fact, the reason that hacking groups are attacking WWS facilities may be that those attacked have so readily paid the ransom in the past. This is the same reason why ransomware groups target the healthcare sector. It’s guaranteed income.

That’s the good news for the ransomware group. The bad news for the group is that WWS facilities are considered critical infrastructure and hacking into critical infrastructure is considered an act of terrorism. Many successful ransomware groups avoid hacking anything connected to critical infrastructure because it will immediately attract the attention of the U.S. intelligence community who will actively pursue them. My guess is that these WWS attacks were performed by a minor ransomware group who were so happy to hack into anything and make money that they brushed aside, or simply weren’t aware of, the penalties for performing a terrorist attack.

 I could find no WWS hacks on the main ransomware group sites that I follow on the deep web, however, a relatively new group called, Hive, admits to hacking into a company called WAMGROUP.

 This is a large international corporation. One of its divisions, WAM USA, produces components for use in waste treatment plants. I located its main plant in Georgia and was surprised to be greeted with the following notice.

That’s the first time I’ve ever been welcomed with such a notice so you’d have to wonder who the intended audience is. In addition, the link given from the Hive site on the deep web has been blocked, seeming to indicate that the company knows it has been hacked. No data has been released yet so I have to assume that negotiations are ongoing.

Unlike other ransomware groups, Hive actively seeks out healthcare networks, probably for an easy payoff. This penchant, and more precisely the attack on Ohio’s Memorial Health System, led the F.B.I. to issue a warning about the group on August 25th. It explains that “Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.”

If WAMGROUP or WAM USA was hacked, and it appears that it was, then the hackers would be perfectly positioned to perform a supply chain attack on any wastewater treatment plant that used its products. Ransomware groups could use these connections to get some cash. However, if the same hack was performed by a nation-state, we have a whole new set of problems. Although we have no evidence to link this group to any foreign entity, it is interesting to note that the time of encryption would indicate a foreign base for this group such as Russia or Iran.

This brings us to the Conti ransomware group which is, indeed, a major gang affiliated with the FIN12 hacking group that operates out of Russia. They are financially motivated to the point that they don’t want to waste time in long negotiations with victims. This is why they prefer easy targets like healthcare. Recently, they seem to have updated their business model. At the top of their leaks page are companies they have apparently breached but have not monetized. As they write under these companies, “we are looking for a buyer to access the network of this organization and sell data from their network.” The syntax here is a little confusing but it appears that Conti will sell the access to the breached company to maybe another ransomware group so that they can monetize it. In other words, they’re saying, “we don’t have time to negotiate with these guys, but if you want to do it, pay us and take your shot.” Now, one of these companies they don’t want to deal with is Iowa-based Shimberg Company. One reason for shunning this company may be for what it produces.

Since this company is part of the critical infrastructure supply chain, Conti may not want to get involved in an activity that could put them at risk at being branded as a terrorist group. This might be a good time to give a heads-up to specific companies associated with Schimberg such as Pentair.

This is just one company. There are many more. So if your company deals with machines or components from Schimberg or any business connected to it, be on the lookout for phishing emails or signs of a network breach.

So who may be interested in access to the supply chain of critical U.S. infrastructure? You guessed it; malicious nation-states. They may not want to stage an actual attack that would bring down the infrastructure, but they’d be willing to pay to maintain that access just in case. In other words, if a cyberwar between the U.S. and an adversary ever materialized, the adversary would be in a position to assert itself. Other U.S. companies that Conti lists also have this connection to critical infrastructure. They include Vaughn Industries of Ohio. But the access to other companies may be being sold simply because they were just too hard to deal with.

The problem with the Conti business model is that companies, like Schimberg, could learn that they have been compromised and begin to take actions to prevent any further damage, but that may not be as easy as it sounds. Supply chains are very long. Sure, Schimberg may clean up its network, but the malware designers may have already moved on to other members in the supply chain.

In the end, we can assume that there is, indeed, a real threat to water and wastewater facilities. These threats can either be monetized, especially by ransomware groups, or positioned into cyber attack infrastructure by malicious nation-states. More importantly, access to the supply chain can be used to begin a number of attacks such as we saw in the SolarWinds attack which temporarily reduced gasoline supplies in the U.S. The problem is that these supply chain attacks don’t go away because the supply chains are simply so long that some companies may not even realize that they are part of it. For example, the same group behind the SolarWinds attack is still causing problems. According to Microsoft, “Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.”

One such company, Cloudstar was recently attacked by the Pysa ransomware group and, despite Cloudstar announcing on October 8th that all was well, the criminals had already released many gigabytes of data. So how exactly is everything so wonderful? But here’s what’s worse. Cloudstar is connected to Microsoft, state and federal government agencies, the U.S. military. Google Cloud, and Amazon AWS. What could possibly go wrong? You wouldn’t think that the Russian government would be interested in this supply chain, would you? Yeah, we haven’t heard the end of this one. And one more thing; Cloudstar helps design cybersecurity infrastructure…oops.

You may believe that your company is safe because it is not directly connected to a WWS facility. However, supply chains are long and complex and you may be connected even if you’re not aware of it. In any event, it’s good to keep one thing in mind. Over 70% of these attacks begin with a sophisticated spearphishing email targeting one of your employees, so, if you want to avoid the cost and embarrassment of a supply chain attack, invest in the best endpoint protection you can get.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s