Three times in the last seven months attackers have gained access to the networks at wastewater treatment facilities in the United States and installed ransomware on the facilities’ networks, affecting the SCADA systems and disrupting some operations.
In a new advisory on attacks targeting water and wastewater systems (WWS), U.S. cybersecurity officials disclosed the three intrusions and warned that the ongoing activity against those facilities threatens their ability to provide clean, potable water. The three intrusions occurred at different facilities and each involved a different ransomware family, but all three affected the facility's SCADA system, and one forced personnel to run the treatment process manually while SCADA was offline.
The advisory from the Cybersecurity and Infrastructure Security Agency (CISA), NSA, and Environmental Protection Agency says that the ongoing attacks against WWS facilities are being conducted by both known and unknown actors, and are targeting both facilities in the U.S. and those owned and operated abroad by the Department of Defense.
“This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities,” the advisory says.
In one of the intrusions, at a WWS facility in California in August, the attackers used a variant of the Ghost ransomware and had access to the network for several weeks before they were noticed.
“The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message,” the advisory says.
A month earlier, an actor remotely accessed a WWS facility in Maine and installed the ZuCaNo ransomware on the facility's SCADA system. That incident forced the facility's team to operate the treatment system manually until the SCADA system could be restored. And in March, attackers hit a WWS facility in Nevada with an unknown ransomware variant.
The challenge for WWS operators, as for other critical infrastructure operators, is that they must defend both operational technology (OT) and IT networks, and each has its own defensive principles and requirements. OT networks often include devices and controllers that lack the access controls and defensive tooling that systems on an IT network have, which makes them tempting targets for attackers looking to gain deep access to an organization. Ransomware actors and other groups have targeted a range of critical infrastructure (CI) operators for many years, but the attacks have ramped up recently, and federal officials have said that a collaborative approach drawing on both government and private sector CI operators is vital to keeping threats, especially ransomware, at bay.
“We need to get after ransomware. There’s this denied area in foreign space where we can’t get at the people we know are responsible. That is the future, the next several years to knit together all those activities,” NSA Director of Cybersecurity Rob Joyce said last week.
The majority of CI is owned and operated by private companies, which adds to the challenge for government agencies such as CISA that are tasked with defending those networks on a national level. Many of the methods and tactics that actors use to attack CI networks are well known and understood, such as phishing, but they remain effective.
“Spearphishing is one of the most prevalent techniques used for initial access to IT networks. Personnel and their potential lack of cyber awareness are a vulnerability within an organization. Personnel may open malicious attachments or links to execute malicious payloads contained in emails from threat actors that have successfully bypassed email filtering controls,” the advisory says.
“When organizations integrate IT with OT systems, attackers can gain access—either purposefully or inadvertently—to OT assets after the IT network has been compromised through spearphishing and other techniques.”
The advisory recommends that WWS operators require multi-factor authentication for all remote access to the OT network, including access originating from the IT network, and use blocklists and allowlists to restrict remote access to users with a verified business need.
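The two controls above, an allowlist of who may reach the OT segment and from where, plus an MFA requirement on every such session, are simple to state but are usually enforced on a VPN concentrator, jump host or boundary firewall whose policy is hard to review. The script below is an added example written for this article, not code from the advisory or from any facility; it evaluates constructed remote-access log records against a hypothetical allowlist and blocklist for a hypothetical SCADA segment (192.168.50.0/24), denying by default, checking the blocklist before the allowlist so an explicit deny always wins, and refusing any OT-bound session that did not complete MFA. All users, addresses and ranges are made up.

```python
"""Gate remote-access records to an OT segment by blocklist, allowlist and MFA.

Added example for this article; every user, range and log line below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical SCADA/HMI segment that the remote-access controls protect.
OT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")

# Allowlist: user -> source networks from which that user has a verified
# business need to reach the OT segment (constructed values).
ALLOWLIST = {
    "scada-eng1":  [ipaddress.ip_network("10.20.0.0/24")],     # engineering jump hosts on the IT side
    "vendor-acme": [ipaddress.ip_network("203.0.113.0/24")],   # integrator's documented egress range
}

# Blocklist: source ranges denied before any allowlist lookup (constructed value).
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Record format assumed for this example: key=value fields on one line.
LOG_RE = re.compile(
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+mfa=(?P<mfa>yes|no)"
)


@dataclass
class Decision:
    line: str
    allowed: bool
    reason: str


def evaluate(line: str) -> Decision:
    """Return the allow/deny decision for one remote-access record.

    Order matters: explicit deny (blocklist) first, then identity, then source,
    then MFA. Anything we cannot parse is denied (fail closed).
    """
    m = LOG_RE.search(line)
    if not m:
        return Decision(line, False, "unparseable record (fail closed)")
    user, mfa = m["user"], m["mfa"]
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return Decision(line, False, "malformed address (fail closed)")

    if dst not in OT_SEGMENT:
        # Sessions to IT-only destinations are out of scope for this gate.
        return Decision(line, True, "destination outside OT segment; not gated here")
    if any(src in net for net in BLOCKLIST):
        return Decision(line, False, "source on blocklist")
    if user not in ALLOWLIST:
        return Decision(line, False, "user not on OT remote-access allowlist")
    if not any(src in net for net in ALLOWLIST[user]):
        return Decision(line, False, "source network not permitted for this user")
    if mfa != "yes":
        # MFA is required for every OT-bound session, including those from the IT network.
        return Decision(line, False, "MFA not completed")
    return Decision(line, True, "allowlisted user, permitted source, MFA completed")


def evaluate_log(text: str) -> list[Decision]:
    """Evaluate every non-blank line of a log excerpt."""
    return [evaluate(line) for line in text.splitlines() if line.strip()]


# Constructed sample records: one allowed engineer session, the same session
# without MFA, an engineer from an unapproved subnet, an allowed vendor session,
# a blocklisted source, an unknown user, and an IT-only session that is not gated.
SAMPLE_LOG = """\
user=scada-eng1 src=10.20.0.15 dst=192.168.50.10 mfa=yes
user=scada-eng1 src=10.20.0.15 dst=192.168.50.10 mfa=no
user=scada-eng1 src=10.30.0.7 dst=192.168.50.10 mfa=yes
user=vendor-acme src=203.0.113.44 dst=192.168.50.20 mfa=yes
user=admin src=198.51.100.9 dst=192.168.50.20 mfa=yes
user=jsmith src=10.20.0.15 dst=192.168.50.10 mfa=yes
user=scada-eng1 src=10.20.0.15 dst=10.1.1.5 mfa=no
"""

if __name__ == "__main__":
    for d in evaluate_log(SAMPLE_LOG):
        print("ALLOW" if d.allowed else "DENY ", d.reason, "|", d.line)
```

Run as-is it prints a decision per record; the same function can be pointed at a real export from a VPN or jump-host log to audit whether the deployed policy actually matches the documented allowlist. Two design points carry over to whatever device enforces this in production: the blocklist is consulted before the allowlist so a compromised allowlisted account cannot be used from a known-bad range, and parse failures deny rather than allow.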