OLDSMAR, Fla. — An Oldsmar city computer reportedly visited a website hosting malicious code that targeted water utilities in the hours leading up to the city’s water treatment plant being hacked, a new report from the security firm Dragos said.
The Oldsmar water hack saw someone try to poison the water supply with lye, but it was discovered before any damage could be done. While the website ultimately didn’t play a role in the hack of the water supply system in Oldsmar, Dragos said the overall incident shined a light on IT security in infrastructure in the United States.
The report, released Tuesday, found the website hosting the code was a Florida water utility contractor site. Dragos labeled the attack as a “watering hole attack.” According to the Computer Security Resource Center, a watering hole attack features an attacker “compromising a site likely to be visited by a particular group, rather than attacking the target group directly.”
In the case of the Oldsmar attack, Dragos found damaging code “inserted into the footer of a WordPress-based site associated with a Florida water infrastructure construction company.” Dragos speculated the code was inserted through vulnerable WordPress plugins. Once the code was inserted into the legitimate site, the attackers began collecting information.
According to the Dragos report, the compromise of the site started on December 20, 2020, and the malicious code remained there until February 16, 2021. While the malicious code was live, the site interacted with “computers from municipal water utility customers, state and local government agencies, various water industry-related private companies, and normal internet bot and website crawler traffic.” Dragos said that over “1,000 end-user computers were profiled by the code” with most being in the U.S. and in the state of Florida.
For the Oldsmar attack, Dragos found a computer on a network belonging to the city went to the infected site at 9:49 a.m. on February 5, 2021. Dragos said the same network from the city was where an unknown actor, likely separate from the criminals who put the malicious code on the website, “reportedly compromised a water treatment control plant computer on the morning of February 5th and attempted to poison the water supply…”
As Dragos investigated, it was able to determine the malicious code was able to gather more than 100 pieces of data about the visitors, including: operating system and CPU, browser type, touchpoints, input methods, presence of camera, microphone, video card display adapter details, video codecs, and more. The code led Dragos to a “Dark Market” online, but also exposed what Dragos felt was the true nature of the malicious code.
“Dragos’ best assessment is that an actor deployed the watering hole on the water infrastructure construction company site to collect legitimate browser data for the purpose of improving the botnet malware’s ability to impersonate legitimate web browser activity,” Dragos’ report found.
“We have medium confidence it (malicious code) did not directly compromise any organization,” the report said. “But it does represent an exposure risk to the water industry and highlights the importance of controlling access to untrusted websites, especially for Operational Technology (OT) and Industrial Control System (ICS) environments.”
The criminals who accessed the Oldsmar site did so due to lax security and shared passwords. Specifically, the FBI said, “the cyber actors likely accessed the system by exploiting cybersecurity weaknesses including poor password security, and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system.”