A coalition of federal agencies warned that hackers are targeting the water and wastewater treatment sectors.
In a joint advisory by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Agency (CISA), the U.S. EPA, and the National Security Agency (NSA), these organizations highlighted ongoing malicious cyber activity. The activity, by both known and unknown actors, targets the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities.
“This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities,” stated the advisory. “Note: although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.”
The advisory provides a threat overview, which includes spear phishing of personnel to deliver malicious payloads, including ransomware. Other threats include insider threats from current or former employees who maintain improperly active credentials.
The joint advisory lists cyber intrusions from 2019 to early 2021, including:
- In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility;
- In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer;
- In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility;
- In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system; and
- In March 2019, a former employee at a Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.
Recommended mitigations for the cyber threats include: wastewater monitoring; remote access mitigations; network mitigations; planning and operational mitigations; and safety system mitigations.