Suspected Russian Hackers Target Texas Water Facility in Cyberattack, According to Cybersecurity Experts

Experts from US cybersecurity firm Mandiant have identified a hacking group with Russian government ties as the likely culprits behind a cyberattack on a Texas water facility. The attack, which occurred in January, resulted in a tank at the facility overflowing, highlighting the potential threat posed by cybercriminals.

A cyberattack in January, suspected to be carried out by a hacking group linked to the Russian government, caused a tank at a Texas water facility to overflow, according to experts from US cybersecurity firm Mandiant. The incident took place in the small town of Muleshoe, in north Texas. Coincidentally, at least two other towns in north Texas also noticed suspicious cyber activity on their networks and took precautionary defensive measures, as town officials informed CNN. The FBI has been conducting an investigation into the hacking activity, according to one of the officials.

Attacks on US water facilities in which hackers tamper with sensitive industrial equipment are rare. This incident follows a cyberattack last November on a Pennsylvania water plant, which US officials attributed to Iran.

The cyber incidents in Texas have prompted a public appeal from US national security adviser Jake Sullivan. He urged state officials and water authorities to enhance their cyber defenses in light of the growing threat. Sullivan, along with the Environmental Protection Agency chief, emphasized the importance of improving defenses against cyberattacks on water and wastewater systems across the United States.

US officials are concerned that the country's 150,000 public water systems face challenges in defending against hacking threats from criminals and state actors.

The hacking incidents in Texas initially received little national attention, and the identity of the perpetrators was uncertain. However, Mandiant recently connected the hackers who claimed credit for the Muleshoe attack on the social media platform Telegram to a known unit of Russia's GRU military intelligence agency.

Mandiant analysts noted that it was uncertain whether the cyberattack on Muleshoe's water facility was orchestrated by the GRU itself or whether other Russian-speaking hackers using the same persona were taking credit for the hack.

Fortunately, the series of incidents did not impact the drinking water in the towns. However, if it is proven that the GRU or one of its proxies was indeed involved, this would represent a significant escalation in targeting US critical infrastructure by a Russian group that typically concentrates on Ukraine.

In Muleshoe, a town of around 5,000 people, hackers breached a remote login system for the industrial software that lets operators control a water tank, city manager Ramon Sanchez told CNN. The tank overflowed for about 30 to 45 minutes until Muleshoe officials detected the breach, shut down the compromised system, and switched to manual operations, Sanchez said in an email. Following the incident, Muleshoe officials replaced the compromised software system and implemented additional security measures to safeguard the network.

According to Gus Serino, a cybersecurity expert specializing in the water sector and serving as the president of security firm I&C Secure, water utilities are increasingly becoming targets for cyberattacks. Serino highlighted that adversaries are exploiting easily accessible vulnerabilities, such as services directly linked to the internet.

Serino told CNN that regulations have not required utilities to address these easily remedied weaknesses, and he emphasized the importance of getting the fundamentals right.

In October, the EPA had to withdraw a critical cybersecurity regulation for public water systems due to a legal dispute brought by Republican attorneys general.

Anne Neuberger, deputy national security adviser for cyber and emerging technology at the White House, emphasized the importance of implementing simple measures to prevent cyber attacks on water systems. She stated to CNN on Tuesday that the EPA rule could have helped in this regard. Despite recent attacks, Neuberger assured that efforts are ongoing to secure Americans' water systems by urging owners and operators to enhance their digital security measures.

Additionally, Neuberger highlighted that the Biden-Harris administration has been actively working with state officials to develop security plans for safeguarding water systems from potential cyber threats. This collaborative effort aims to strengthen the resilience of water infrastructure across the country and protect communities from disruptions caused by cyber attacks.

Concern spread in the region following the hack in Muleshoe. Town officials in Lockney, located approximately 75 miles east of Muleshoe, reported detecting "suspicious activity" on the town's SCADA system. SCADA (supervisory control and data acquisition) is the industrial computer network used to monitor and operate water plants, Lockney city manager Buster Poling explained to CNN.

In the nearby city of Hale Center, hackers attempted to break into the town's "firewall," according to city manager Mike Cypert. This prompted the town to disable remote access to its SCADA system, as Cypert informed CNN via email.

Neither Cypert nor Poling disclosed the identity of the hackers behind the cyberattacks. Poling mentioned that he suspected they were from a foreign country but did not provide further details.

Poling believes that the hackers were attempting to gain access to the town's water wells. However, he mentioned that town officials were able to detect the threat early on and stop the hackers from causing any harm.

In a phone interview with CNN, Poling shared, "I've never encountered this situation before, but we are mindful of the potential threats." He also mentioned that the FBI is currently looking into the incident.

The FBI has chosen not to provide a comment on the matter. CNN has reached out to the Russian Embassy in Washington, DC, for their response to the hacking incidents.

In a statement to CNN, EPA spokesperson Nick Conger explained, "Due to the ongoing investigation, EPA is unable to comment on this particular incident." He added, "However, EPA is working closely with the State of Texas to offer any necessary assistance."

Mandiant's report, released on Wednesday, revealed connections between a GRU sabotage and spying unit called Sandworm and online infrastructure used by hackers under the alias "CyberArmyofRussia_Reborn." The report highlighted a YouTube channel believed to be operated by the GRU-sponsored unit.

Sandworm gained notoriety for launching cyberattacks that caused power outages in various parts of Ukraine in 2015 and 2016. The group has continued to target Ukrainian infrastructure with cyberattacks during the ongoing conflict.

Experts on Sandworm say the unit uses online personas to amplify the effects of its hacks.

On January 18, the same day that Sanchez, the Muleshoe city manager, told CNN that hackers had breached the town's industrial computer network, the CyberArmyofRussia_Reborn group uploaded a video to its Telegram channel. The video claimed to show the manipulation of Muleshoe's water valves.

According to Mandiant analyst Dan Black, the apparent randomness of the targeting is a deliberate tactic meant to create a strong psychological effect: the goal is to appear more active than the group actually is.

Editor's P/S:

The recent