Security firm: Oldsmar water plant intrusion happened same day worker visited malicious website

The incident "highlights the importance of controlling access to untrusted websites," security company Dragos wrote.

OLDSMAR, Fla. — A person on the city of Oldsmar's computer network went to a website that had been compromised with malicious code on the same day someone accessed its water system and changed chemical levels to poisonous levels, security company Dragos said in a blog post.

Although the code likely did not lead to the actual intrusion, the company said the threat nonetheless "does represent an exposure risk to the water industry and highlights the importance of controlling access to untrusted websites."

Pinellas County Sheriff Bob Gualtieri announced Monday, Feb. 8, that on the previous Friday, an operator at Oldsmar's water treatment plant noticed the cursor on his computer screen moving on its own. While the operator watched, the person on the other end was making changes to the facility's systems and controls.


Those adjustments, if they weren't caught in time, could have poisoned the water supply for a city of about 15,000 people. The intruder changed levels of sodium hydroxide, or lye, from 100 parts per million to 11,100 parts per million. The chemical helps to control pH levels in the water but at such a high level, it is considered corrosive to any human tissue it touches.
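A change from 100 ppm to 11,100 ppm is far outside any normal dosing adjustment, and it is the kind of event an alerting rule on setpoint changes can catch. The following is an added example, not code from the article, Dragos or the Oldsmar plant: it scans constructed HMI-style setpoint-change log lines and flags a new value that falls outside an assumed safe band or jumps by more than an assumed factor over the previous value. The log format, the band for NaOH and the step factor are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Assumed safe operating bands (ppm) per chemical tag. Illustrative placeholders,
# not values from the article or from any real plant's engineering limits.
SAFE_BANDS = {"NaOH": (50.0, 200.0)}
MAX_STEP_FACTOR = 3.0  # flag any single change more than 3x the previous value

# Assumed log line format for setpoint changes recorded by the HMI/historian.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SETPOINT tag=(?P<tag>\w+) old=(?P<old>[\d.]+) "
    r"new=(?P<new>[\d.]+) user=(?P<user>\S+)$"
)

@dataclass
class Alert:
    ts: str
    tag: str
    old: float
    new: float
    user: str
    reason: str

def parse(line):
    """Return (ts, tag, old, new, user) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (m["ts"], m["tag"], float(m["old"]), float(m["new"]), m["user"])

def check_setpoint_changes(lines):
    """Flag setpoint changes outside the safe band or larger than MAX_STEP_FACTOR."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, tag, old, new, user = rec
        lo, hi = SAFE_BANDS.get(tag, (float("-inf"), float("inf")))
        if not lo <= new <= hi:
            alerts.append(Alert(ts, tag, old, new, user, f"outside safe band {lo}-{hi} ppm"))
        elif old > 0 and new / old > MAX_STEP_FACTOR:
            alerts.append(Alert(ts, tag, old, new, user, f"step > {MAX_STEP_FACTOR}x previous"))
    return alerts

# Constructed sample lines; the 100 -> 11100 jump mirrors the figures in the article.
SAMPLE_LOG = [
    "2021-02-05T13:02:11 SETPOINT tag=NaOH old=100 new=100 user=operator1",
    "2021-02-05T13:04:37 SETPOINT tag=NaOH old=100 new=11100 user=remote_session",
    "2021-02-05T13:05:02 SETPOINT tag=NaOH old=11100 new=100 user=operator1",
    "2021-02-05T13:06:00 SETPOINT tag=Cl2 old=1.0 new=4.0 user=operator1",
    "this line is not a setpoint record and is skipped",
]

if __name__ == "__main__":
    for a in check_setpoint_changes(SAMPLE_LOG):
        print(f"{a.ts} {a.tag} {a.old} -> {a.new} by {a.user}: {a.reason}")
```

The Cl2 line has no configured band and is flagged only by the step-factor check, showing why both rules are useful together.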

Dragos author Kent Backman wrote that the company's investigation discovered the malicious computer code on the website of an unnamed Florida water utility contractor. The code appeared to have been placed to target water utilities and, as Dragos found, had been accessed more than 1,000 times over a 58-day window starting in December 2020.

Backman wrote that this type of security threat is called a "watering hole" attack, which researchers describe as an exploit where the attacker "infects websites that are frequently visited by members of the group being attacked [in this case, a Florida water utility contractor website that would be visited by people within that industry], with a goal of infecting a computer used by one of the targeted group when they visit the infected website."

It's believed the code was deployed to collect data "for the purpose of improving the botnet malware's ability to impersonate legitimate web browser activity," Dragos said. This includes more than 100 pieces of information, including the computer's operating system, browser, touch points, input methods, time zone, screen dimensions, browser plugins and more.

But what's odd in the Oldsmar incident, Backman wrote, is that the code did not "attempt to achieve access to victim computers." Instead, it appeared to collect data that could be used to mask an actual attack in the future.

"This is not a typical watering hole," Dragos said. "We have medium confidence it did not directly compromise any organization. But it does represent an exposure risk to the water industry and highlights the importance of controlling access to untrusted websites, especially for Operational Technology (OT) and Industrial Control System (ICS) environments."

Remote-access software TeamViewer was installed at the Oldsmar plant, Gualtieri told Reuters at the time. In this case, it let a user reach the water treatment plant's systems remotely without being at the facility. Ars Technica reported, citing an advisory from the state of Massachusetts, that employees at the Oldsmar plant shared the same password to remotely log in.

That in and of itself is a big security blunder.


Water treatment and sewage plants are some of the most vulnerable critical infrastructure targets in the U.S., Lesley Carhart, a principal threat analyst at Dragos, told Wired Magazine. Although she said it's likely that intruders are gaining access to sensitive information, she added that such intrusions rarely have an impact on the real world.

An exception: the recent ransomware attack on the operator of the nation's largest fuel pipeline, Colonial Pipeline. Operators shut down the pipeline to potentially prevent other operational controls from being infected, the Associated Press reported, but it led to a halt in fuel supplies and panic buying at gas stations.

The City of Oldsmar says it was not involved in the report compiled by Dragos. City Manager Al Braithwaite sent the following statement to 10 Tampa Bay:

"The Dragos report was compiled without any input or involvement from the City. As the investigation continues, the City will not be commenting further at this time."
