Cyber hackers found their way to a water treatment facility in Florida and gained access to the internal ICS platform which led to the change in the chemical levels and thereby making the water risky to consume.
Security researchers found that the credentials for the Oldsmar water treatment facility in the huge set of data from the hacks posted just days before the attack.
They also said that they have found the leaked credentials of the Florida Treatment Plant that was hacked before.
They discovered 11 pair of credentials which was linked to the Oldsmar water plant which was stolen back in 2017 and also found 13 other pair of credentials in the more recent breaches.
This collection of data was leaked on the Raid Forums English-language cyber-crime community on Feb 2, 2021 which contained 3.27 billion staggering combinations of email addresses and passwords stored in a database.
But still the investigation officers have not found any link between the attack and the credentials discovered from the database.
The happening
The cyber-attack on the Oldsmar water treatment facility took place on February 5, 2021 when the hacker took control of the access to the system so as to change the level of sodium hydroxide, also known as lye, in the water from 100 parts per million to 11,100 parts per million.
The change in the lye content was immediately discovered by the plant operator who mitigated the risk by changing the level back, before the attack caused a severe impact to the system.
As per a Marsa Chrisetts security researcher, the hacker got access to the SCADA controls of the water treatment plant through ‘Team Viewer’ that helps to remotely access the software.
Team Viewer was installed by the officials of the water treatment plant in order to check the system status and react to alarms and other alerts that happen during the water treatment process.
Every system in the plant was connected to SCADA system and used 32-bit windows 7 version of operating system. All the systems shared the same passwords for the easy access and they were directly connected to the internet without any Firewall protection.
According to the reports, the hackers may have used the credentials gained from the 2017 breach compilation or COMB in thee hack.
The Plan
The attack was performed in multiple stages. The first stage was espionage and reconnaissance that was done with the help of ICS systems and having good knowledge about what are the domains used for emails, who controls it and whether they can be accepted as login usernames.
The second stage included Credential stuffing attack that provided the hackers with remote access to the systems and created automated scripts that stole the IDs and passwords of different accounts until a match is found.
Even after days of investigation, the officials could not exactly find who was behind the attack, where were they located and what was their motive.
Understanding the attack strategy
Credential stuffing attack is the technique which is used to inject malicious usernames and passwords in order to fraudulently gain the access of a user’s account. This is an advanced form of Brute force attack where the spilled credentials are injected into the websites until they match with an existing account, which the hacker can use for their own purpose.
Anatomy
- The hacker gains spilled username and passwords from a dump site.
- The attacker seeks the help of account checker to verify the stolen credentials against several websites.
- With a successful login, the attacker takes over the account that matches the stolen credentials.
- The attacker steals credit card numbers and other Personal Identifying Information’s.
- He may also use the information for any other nefarious purposes.
Defence mechanism
- Multi-factor authentication
- Secondary passwords, PINs and security questions.
- CAPTCHA
- IP Blacklisting
- Device Fingerprinting
- Use of a strong anti-virus protection software or Firewall.