An attacker breached a water treatment facility and attempted to inject a lethal dose of Sodium Hydroxide into the water supply.
# Incident Report: Water Treatment Facility Poisoning Attempt via Remote Access
## Executive Summary
An attacker successfully gained remote access to a water treatment facility serving Oldsmar, Florida, and attempted to maliciously increase the concentration of Sodium Hydroxide (lye) in the public water supply. The intrusion was detected in real-time by a vigilant staff member who immediately reverted the changes, preventing the lethal chemical dose from reaching residents. Federal law enforcement agencies were engaged to investigate the deliberate act against critical infrastructure.
## Incident Details
- **Discovery Date:** February 9, 2021 (implied; the event was reported on that date)
- **Incident Date:** February 9, 2021
- **Affected Organization:** Water treatment plant serving Oldsmar, Florida
- **Sector:** Utilities (Water Treatment)
- **Geography:** Oldsmar, Florida, USA
## Timeline of Events
### Initial Access
- **Date/Time:** February 9, 2021 (time of day not stated)
- **Vector:** Exploitation of legitimate remote access software.
- **Details:** A pop-up window alerted a staff member that the targeted computer was being accessed remotely. The attacker used the TeamViewer application, which had been installed for legitimate remote access, to gain entry.
### Lateral Movement
- Not detailed; the attacker reached the chemical dosing system settings, which implies movement to, or direct access to, the control interface.
### Data Exfiltration/Impact
- **Impact:** Attempted manipulation of chemical levels, specifically increasing the dosage of Sodium Hydroxide (lye) to a potentially lethal level in the water supply.
- **Exfiltration:** None reported.
### Detection & Response
- **Detection:** Real-time visual observation by an on-site staff member who noticed the remote cursor manipulating system settings.
- **Response:** The staff member immediately reverted the malicious actions before any harmful quantity of Sodium Hydroxide entered the supply. The Sheriff's office, FBI, and Secret Service were subsequently contacted.
## Attack Methodology
- **Initial Access:** Exploitation of a legitimate, pre-installed remote desktop application (**TeamViewer**).
- **Persistence:** Not fully detailed, but access was established and maintained long enough to issue commands.
- **Privilege Escalation:** Not detailed, but the attacker achieved the necessary permissions to alter chemical control settings.
- **Defense Evasion:** Attackers likely relied on the legitimate use of the TeamViewer application to avoid immediate network intrusion alarms.
- **Credential Access:** Not detailed. Compromised credentials or a remote access configuration with weak authentication are both plausible; TeamViewer was the visible access tool.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown; the observed activity was focused on reaching the SCADA/control interface.
- **Collection:** Targeting of relevant application settings related to chemical treatment.
- **Exfiltration:** None apparent.
- **Impact:** Physical sabotage/manipulation of a critical operational process (chemical dosing).
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** None reported.
- **Operational:** Minimal. The attack was reversed quickly, and the public water supply was confirmed safe and unaffected.
- **Reputational:** Significant media attention due to the severity of the intended harm (attempted poisoning of a public utility).
## Indicators of Compromise
- **Network Indicators:** None listed (no addresses were published); the access arrived through a session authenticated by the legitimate **TeamViewer** software.
- **File Indicators:** None explicitly listed.
- **Behavioral Indicators:** Unsolicited remote session initiation followed by immediate manipulation of control system software/settings, specifically those governing chemical additive levels.
## Response Actions
- **Containment:** Immediate manual correction of the chemical injection levels by the on-site operator.
- **Eradication:** Not detailed; investigation of the compromised workstation and a review of its remote access configuration are implied.
- **Recovery:** Verification that all chemical parameters returned to safe operational limits; confirmed public safety.
## Lessons Learned
- **Remote Access Risk:** Over-reliance on or insufficient security layering around remote access tools (like TeamViewer) can provide a direct conduit into Operational Technology (OT) environments.
- **The Human Factor:** The quick intervention by the staff member was critical in preventing a catastrophe.
- **Visibility:** Malicious activity executed through legitimate software can be invisible to standard network monitoring unless that monitoring specifically looks for authorized remote access software performing unauthorized actions.
## Recommendations
- Implement robust Multi-Factor Authentication (MFA) on all remote access tools, especially those connecting to critical infrastructure networks.
- Strictly segment and monitor OT networks. Access to SCADA systems should be permitted only through hardened jump servers with granular monitoring and specific process whitelisting.
- Review and restrict the necessary permissions for remote access software installed on control system workstations; do not allow generalized remote control if only certain configuration changes are required.
- Ensure security awareness training specifically addresses unexpected remote login prompts, emphasizing that legitimate software can be abused.
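The behavioral indicator listed above (an unsolicited remote session followed by an immediate change to chemical dosing settings) and the monitoring recommendation can be turned into a concrete correlation check. The following Python is an added example written for this report, not code from the utility, from TeamViewer or from any vendor: it joins a constructed remote-session log with a constructed HMI audit trail and flags a setpoint change made while a remote session is open when the remote identity is not on an approved list or the new value falls outside the tag's engineering limits. The log format, host, user and tag names, the allow-list and the limit values are all assumptions.

```python
"""Correlate remote-access session events with control-system setpoint changes.
Added example for this report; log format, names, allow-list and limits are
constructed for illustration and are not real plant data."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed remote-access connection log (one line per session start/end).
SESSION_LOG = """\
2021-02-09 13:00:05 host=HMI-01 tool=RemoteAccessTool event=SESSION_START session_id=S100 remote_user=operator.rod
2021-02-09 13:10:00 host=HMI-01 tool=RemoteAccessTool event=SESSION_END session_id=S100 remote_user=operator.rod
2021-02-09 13:41:10 host=HMI-01 tool=RemoteAccessTool event=SESSION_START session_id=S101 remote_user=unknown
2021-02-09 13:45:30 host=HMI-01 tool=RemoteAccessTool event=SESSION_END session_id=S101 remote_user=unknown
"""

# Constructed HMI/SCADA audit trail of setpoint edits (tag name and values invented).
HMI_AUDIT = """\
2021-02-09 13:02:00 host=HMI-01 event=SETPOINT_CHANGE tag=NaOH_DOSE_PPM old=100 new=102
2021-02-09 13:41:55 host=HMI-01 event=SETPOINT_CHANGE tag=NaOH_DOSE_PPM old=100 new=900
"""

# Remote identities allowed to operate the HMI (constructed allow-list).
APPROVED_REMOTE_USERS = {"operator.rod"}
# Engineering limits per tag as (min, max); constructed values.
ENGINEERING_LIMITS = {"NaOH_DOSE_PPM": (0.0, 500.0)}

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<kv>.*)$")


def parse_line(line: str) -> dict:
    """Parse one 'YYYY-MM-DD HH:MM:SS key=value ...' line into a dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return fields


def parse_log(text: str) -> list[dict]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


@dataclass
class Session:
    session_id: str
    host: str
    user: str
    start: datetime
    end: Optional[datetime] = None  # None means still open when the log was read

    def active_at(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t <= self.end)


def build_sessions(events: list[dict]) -> list[Session]:
    """Pair SESSION_START and SESSION_END events by session_id."""
    sessions: dict[str, Session] = {}
    for e in events:
        if e["event"] == "SESSION_START":
            sessions[e["session_id"]] = Session(
                e["session_id"], e["host"], e["remote_user"], e["ts"])
        elif e["event"] == "SESSION_END" and e["session_id"] in sessions:
            sessions[e["session_id"]].end = e["ts"]
    return list(sessions.values())


def detect(session_text: str, audit_text: str,
           approved_users: set[str], limits: dict) -> list[dict]:
    """Flag setpoint changes made during a remote session that comes from an
    unapproved identity or pushes a tag outside its engineering limits."""
    sessions = build_sessions(parse_log(session_text))
    alerts = []
    for change in parse_log(audit_text):
        if change["event"] != "SETPOINT_CHANGE":
            continue
        new_value = float(change["new"])
        for s in sessions:
            if s.host != change["host"] or not s.active_at(change["ts"]):
                continue  # change was not made under this remote session
            reasons = []
            if s.user not in approved_users:
                reasons.append("unapproved remote user")
            lo_hi = limits.get(change["tag"])
            if lo_hi and not (lo_hi[0] <= new_value <= lo_hi[1]):
                reasons.append("value outside engineering limits")
            if reasons:
                alerts.append({
                    "session_id": s.session_id, "remote_user": s.user,
                    "host": change["host"], "tag": change["tag"],
                    "old": change["old"], "new": change["new"],
                    # how soon after the session opened the edit was made
                    "seconds_after_start": (change["ts"] - s.start).total_seconds(),
                    "reasons": reasons,
                })
    return alerts


def run_demo() -> list[dict]:
    return detect(SESSION_LOG, HMI_AUDIT, APPROVED_REMOTE_USERS, ENGINEERING_LIMITS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run stand-alone, the script prints a single alert for the constructed session S101: an unapproved remote identity edited the dosing setpoint 45 seconds after connecting and pushed it past the tag's limit, while the earlier approved session making a small in-range change produces nothing. In a deployment the session events would come from the remote access tool's connection log and the setpoint events from the HMI or historian audit trail; the `seconds_after_start` field captures the "immediate manipulation" element of the indicator, and the limits check gives an alarm even when a legitimate account has been compromised.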