**Full Report (source excerpt):**
> Hackers got into the Minot water treatment plant computer system earlier this month, but city officials stressed the water stayed safe and the plant never stopped operating. City Manager Tom Joyce said staff discovered a ransomware note on a server at the water treatment plant the morning of March 14. The note said the sender…
**Analysis Summary**
# Incident Report: Minot Water Treatment Plant Ransomware Intrusion
## Executive Summary
In March 2026, threat actors gained unauthorized access to a server at the Minot water treatment plant and deployed a ransomware note. Despite the compromise of the server, city officials reported that water safety was never compromised and plant operations continued without interruption. The city chose not to engage with the attackers, and investigations are currently being led by the FBI.
## Incident Details
- **Discovery Date:** March 14, 2026
- **Incident Date:** Early March 2026
- **Affected Organization:** Minot Water Treatment Plant (City of Minot)
- **Sector:** Critical Infrastructure / Water and Wastewater Systems
- **Geography:** Minot, North Dakota, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to March 14, 2026
- **Vector:** Suspected firewall vulnerability or misconfiguration.
- **Details:** Attackers crossed the network perimeter and placed a note on a server at the plant.
### Lateral Movement
- **Details:** Not explicitly disclosed in the report; however, the attacker claimed to have sufficient access to suggest the plant "tighten up your firewalls."
### Data Exfiltration/Impact
- **Details:** No evidence of data exfiltration was provided. The only reported impact was the ransomware note placed on a server at the plant.
### Detection & Response
- **How it was discovered:** Plant staff discovered the ransomware note on the morning of March 14.
- **Response actions taken:** City officials isolated the incident, verified the integrity of the water treatment process, and contacted federal law enforcement (FBI).
## Attack Methodology
- **Initial Access:** Misconfigured or weak firewall (suggested by the attacker's own note).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Not disclosed.
- **Lateral Movement:** Not disclosed.
- **Collection:** Not disclosed.
- **Exfiltration:** Not disclosed.
- **Impact:** Deployment of ransomware/extortion message; potential intended operational disruption (though ultimately unsuccessful).
## Impact Assessment
- **Financial:** No ransom paid; costs associated with remediation and forensic investigation were not disclosed.
- **Data Breach:** None reported.
- **Operational:** Low. The plant never stopped operating and water quality remained within safety standards.
- **Reputational:** Low to Moderate. Public notification was required to reassure citizens regarding water safety.
## Indicators of Compromise
- **Network indicators:** None provided in the public report.
- **File indicators:** Ransomware note (filename and hash not disclosed).
- **Behavioral indicators:** Unauthorized access to water treatment plant servers during non-operational hours.
## Response Actions
- **Containment measures:** Officials confirmed the affected system was isolated from the controls governing the water treatment process, so the intrusion could not tamper with it manually or automatically.
- **Eradication steps:** No technical eradication steps were disclosed; city management declined to communicate with the sender.
- **Recovery actions:** Ongoing investigation by the FBI and internal IT staff to "tighten" network security.
## Lessons Learned
- **Key takeaways:** Critical infrastructure remains a primary target for ransomware actors, even if the primary goal is extortion rather than immediate sabotage.
- **What could have been done better:** The vulnerability implied by the "tighten up your firewalls" message suggests that proactive external vulnerability scanning may have identified the entry point before the threat actor did.
## Recommendations
- **Firewall Hardening:** Audit all firewall rules and close unnecessary ports, specifically those relating to Remote Desktop Protocol (RDP) or administrative interfaces.
- **Network Segmentation:** Ensure that Business/IT networks are strictly segmented from Operational Technology (OT) and Industrial Control Systems (ICS).
- **Multi-Factor Authentication (MFA):** Implement MFA on all remote access points and administrative accounts.
- **Incident Response Planning:** Continue the policy of non-engagement with ransomware actors while maintaining off-site, immutable backups.
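The first two recommendations (firewall hardening and IT/OT segmentation) are the kind of check a plant's IT staff can automate against their own rule export. The script below is an added example written for this page; it is not the city's tooling and nothing in it comes from the actual incident. It uses a constructed, vendor-neutral rule list and a hypothetical address plan (10.10.0.0/16 for IT, 10.200.0.0/16 for OT) and reports two classes of weakness: administrative services (RDP, SSH, VNC, SMB, WinRM) allowed from outside the organisation's own address space, and any allow rule that opens a path from IT space into OT space.

```python
"""Audit a firewall rule export for exposed admin services and IT-to-OT paths.

Added example for this report; the rule set and address plan are constructed.
A real deployment would load rules from the vendor's export (iptables-save,
pfSense XML, a cloud security group) into the same dict shape.
"""
import ipaddress

# Remote-management ports that should never be reachable from arbitrary sources.
ADMIN_PORTS = {
    22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP",
    5900: "VNC", 5985: "WinRM", 5986: "WinRM-HTTPS",
}
# Industrial protocol ports that should only be reachable from inside OT space.
OT_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Hypothetical address plan (constructed; not the plant's real addressing).
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.200.0.0/16")]

# Constructed sample rule export. Each rule is a flat dict; dport None = any port.
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "0.0.0.0/0", "dst": "10.10.5.20/32", "proto": "tcp", "dport": 443},
    {"id": 2, "action": "allow", "src": "0.0.0.0/0", "dst": "10.10.5.21/32", "proto": "tcp", "dport": 3389},
    {"id": 3, "action": "allow", "src": "10.10.0.0/16", "dst": "10.200.1.0/24", "proto": "tcp", "dport": 502},
    {"id": 4, "action": "allow", "src": "10.10.7.0/24", "dst": "10.200.1.10/32", "proto": "tcp", "dport": 3389},
    {"id": 5, "action": "deny", "src": "0.0.0.0/0", "dst": "10.200.0.0/16", "proto": "any", "dport": None},
    {"id": 6, "action": "allow", "src": "203.0.113.0/24", "dst": "10.10.5.22/32", "proto": "tcp", "dport": 22},
]


def _net(cidr):
    """Parse a CIDR string, tolerating host bits set (e.g. '10.10.5.21/24')."""
    return ipaddress.ip_network(cidr, strict=False)


def _overlaps(cidr, nets):
    """True if the CIDR shares any address with one of the given networks."""
    n = _net(cidr)
    return any(n.overlaps(other) for other in nets)


def exposed_admin_services(rules):
    """Allow rules for an admin port whose source is not wholly inside IT or OT space.

    Returns (rule id, service name, source) tuples. A source of 0.0.0.0/0 is the
    classic finding; a third-party range is also reported because it still needs
    MFA or a VPN in front of it rather than a bare port.
    """
    findings = []
    for r in rules:
        if r["action"] != "allow" or r["dport"] not in ADMIN_PORTS:
            continue
        src = _net(r["src"])
        inside = any(src.subnet_of(n) for n in IT_NETS + OT_NETS)
        if not inside:
            findings.append((r["id"], ADMIN_PORTS[r["dport"]], r["src"]))
    return findings


def it_to_ot_paths(rules):
    """Allow rules whose source touches IT space and whose destination touches OT space.

    Returns (rule id, service label, source, destination) tuples. Any such rule
    is a segmentation gap; an industrial protocol or admin port on it is worse.
    """
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if _overlaps(r["src"], IT_NETS) and _overlaps(r["dst"], OT_NETS):
            label = OT_PORTS.get(r["dport"]) or ADMIN_PORTS.get(r["dport"]) or str(r["dport"])
            findings.append((r["id"], label, r["src"], r["dst"]))
    return findings


def audit(rules):
    """Run both checks and return a summary dict suitable for a ticket or report."""
    return {
        "exposed_admin": exposed_admin_services(rules),
        "it_to_ot": it_to_ot_paths(rules),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RULES)
    for rule_id, svc, src in report["exposed_admin"]:
        print(f"rule {rule_id}: {svc} allowed from {src}; put it behind VPN+MFA or remove it")
    for rule_id, svc, src, dst in report["it_to_ot"]:
        print(f"rule {rule_id}: IT {src} -> OT {dst} ({svc}); route through a jump host / DMZ")
```

Two caveats on the design: the checks inspect each allow rule in isolation and ignore rule order, so a deny that shadows an earlier allow on a first-match firewall will still be reported (a conservative false positive, which is the right failure direction for an audit); and the address plan is the key input, so the IT and OT network lists must be kept accurate for the findings to mean anything.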