Compromise of U.S. Water Treatment Facility

Summary

On February 5, 2021, unknown cyber actors attained unauthorized accessibility to the supervisory manage and data acquisition (SCADA) procedure at a U.S. drinking water therapy plant. The unidentified actors applied the SCADA system’s application to improve the sum of sodium hydroxide, also identified as lye, a caustic chemical, as aspect of the drinking water treatment procedure. H2o cure plant personnel instantly noticed the transform in dosing amounts and corrected the issue right before the SCADA system’s software package detected the manipulation and alarmed due to the unauthorized improve. As a consequence, the h2o remedy system remained unaffected and ongoing to function as normal. The cyber actors possible accessed the technique by exploiting cybersecurity weaknesses, which includes very poor password security, and an out-of-date operating technique. Early data suggests it is attainable that a desktop sharing software package, this sort of as TeamViewer, could have been made use of to achieve unauthorized accessibility to the process. Onsite reaction to the incident provided Pinellas County Sheriff Office environment (PCSO), U.S. Mystery Provider (USSS), and the Federal Bureau of Investigation (FBI).

The FBI, the Cybersecurity and Infrastructure Protection Agency (CISA), the Environmental Defense Company (EPA), and the Multi-State Details Sharing and Evaluation Center (MS-ISAC) have observed cyber criminals concentrating on and exploiting desktop sharing software package and laptop or computer networks running working units with conclude of everyday living standing to acquire unauthorized entry to systems. Desktop sharing application, which has many legit uses—such as enabling telework, remote specialized help, and file transfers—can also be exploited by way of malicious actors’ use of social engineering tactics and other illicit measures. Home windows 7 will turn out to be additional inclined to exploitation because of to lack of security updates and the discovery of new vulnerabilities. Microsoft and other sector pros strongly endorse upgrading pc techniques to an actively supported operating technique. Continuing to use any working technique in an enterprise further than the finish of life standing may perhaps present cyber criminals entry into personal computer methods.

Click here for a PDF edition of this report.

Technical Information

Desktop Sharing Software program

The FBI, CISA, EPA, and MS-ISAC have observed corrupt insiders and outdoors cyber actors using desktop sharing application to victimize targets in a selection of organizations, including those in the critical infrastructure sectors. In addition to modifying technique operations, cyber actors also use the next procedures:

  • Use obtain granted by desktop sharing computer software to accomplish fraudulent wire transfers.
  • Inject destructive code that lets the cyber actors to
    • Hide desktop sharing software program home windows,
    • Guard destructive data files from remaining detected, and
    • Manage desktop sharing computer software startup parameters to obfuscate their activity.
  • Shift laterally throughout a network to improve the scope of exercise.

TeamViewer, a desktop sharing software, is a authentic preferred instrument that has been exploited by cyber actors engaged in targeted social engineering attacks, as properly as massive scale, indiscriminate phishing campaigns. Desktop sharing computer software can also be utilised by workers with vindictive and/or larcenous motivations versus companies.

Further than its respectable employs, TeamViewer enables cyber actors to physical exercise remote control more than pc methods and fall information onto target pcs, producing it functionally comparable to Distant Accessibility Trojans (RATs). TeamViewer’s reputable use, however, helps make anomalous action considerably less suspicious to close people and system directors as opposed to RATs.

Home windows 7 End of Lifetime

On January 14, 2020, Microsoft finished assist for the Home windows 7 functioning procedure, which includes security updates and technical help until specific buyers purchased an Extended Stability Update (ESU) program. The ESU plan is paid for each-device and offered for Windows 7 Qualified and Company variations, with an raising price the more time a purchaser continues use. Microsoft will only supply the ESU program until eventually January 2023. Continued use of Windows 7 boosts the chance of cyber actor exploitation of a pc procedure.

Cyber actors go on to find entry points into legacy Windows operating programs and leverage Remote Desktop Protocol (RDP) exploits. Microsoft introduced an unexpected emergency patch for its more mature operating devices, such as Windows 7, right after an information and facts security researcher found an RDP vulnerability in May perhaps 2019. Considering that the end of July 2019, malicious RDP activity has improved with the enhancement of a functioning business exploit for the vulnerability. Cyber actors typically use misconfigured or improperly secured RDP access controls to conduct cyberattacks. The xDedic Marketplace, taken down by regulation enforcement in 2019, flourished by compromising RDP vulnerabilities around the earth.

Mitigations

Basic Recommendations

The subsequent cyber cleanliness steps may perhaps support secure from the aforementioned plan:

  • Update to the newest version of the running method (e.g., Windows 10).
  • Use many-variable authentication.
  • Use robust passwords to secure Distant Desktop Protocol (RDP) qualifications.
  • Assure anti-virus, spam filters, and firewalls are up to date, appropriately configured, and safe.
  • Audit network configurations and isolate laptop units that can not be up-to-date.
  • Audit your community for units applying RDP, closing unused RDP ports, implementing many-issue authentication where ever feasible, and logging RDP login makes an attempt.
  • Audit logs for all distant connection protocols.
  • Educate end users to detect and report attempts at social engineering.
  • Detect and suspend entry of buyers exhibiting abnormal action.

H2o and Wastewater Techniques Safety Suggestions

The following actual physical stability actions provide as further protective measures:

  • Install independent cyber-physical protection devices. These are systems that physically stop unsafe situations from occurring if the manage program is compromised by a threat actor.
    • Examples of cyber-physical protection process controls incorporate:
      • Sizing of the chemical pump
      • Size of the chemical reservoir
      • Gearing on valves
      • Force switches, and so on.

The benefit of these varieties of controls in the water sector is that scaled-down systems, with constrained cybersecurity capability, can assess their process from a worst-case circumstance. The operators can just take actual physical methods to restrict the harm. If, for instance, cyber actors obtain manage of a sodium hydroxide pump, they will be not able to elevate the pH to harmful concentrations.

TeamViewer Program Recommendations

For a far more secured implementation of TeamViewer computer software:

  • Do not use unattended access characteristics, such as “Start TeamViewer with Windows” and “Grant straightforward entry.”
  • Configure TeamViewer provider to “manual start off,” so that the application and linked background providers are stopped when not in use.
  • Established random passwords to crank out 10-character alphanumeric passwords.
  • If working with private passwords, use intricate rotating passwords of varying lengths. Notice: TeamViewer will allow consumers to transform connection passwords for each new session. If an conclude consumer chooses this possibility, in no way help save link passwords as an solution as they can be leveraged for persistence.
  • When configuring entry control for a host, benefit from custom configurations to tier the entry a distant celebration might endeavor to purchase.
  • Need distant get together to get confirmation from the host to gain any obtain other than “view only.” Carrying out so will be certain that, if an unauthorized celebration is in a position to join by way of TeamViewer, they will only see a locked monitor and will not have keyboard handle.
  • Make use of the ‘Block and Allow’ checklist which permits a consumer to control which other organizational people of TeamViewer may well request obtain to the program. This listing can also be utilised to block people suspected of unauthorized obtain.

Get in touch with Details

To report suspicious or criminal exercise similar to facts uncovered in this Joint Cybersecurity Advisory, call your regional FBI discipline business at www.fbi.gov/get hold of-us/subject, or the FBI’s 24/7 Cyber Enjoy (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov or your local WMD Coordinator. When offered, please consist of the next information about the incident: day, time, and site of the incident variety of activity variety of people influenced type of devices utilised for the action the name of the distributing organization or organization and a designated level of contact.

To ask for incident reaction means or complex support linked to these threats, get hold of CISA at Central@cisa.dhs.gov.

Revisions

February 11, 2021: Initial Variation

This product is delivered subject to this Notification and this Privacy & Use plan.