An attacker breached a water treatment facility and raised the Sodium Hydroxide (lye) dose to a lethal level.
# Incident Report: Attempted Water Supply Poisoning via Remote Access
## Executive Summary
An unknown attacker gained remote access to the Oldsmar, Florida, water treatment facility using the legitimate remote access software TeamViewer. The attacker manipulated settings to increase the level of lye (Sodium Hydroxide) in the water supply with the intent to poison the supply serving approximately 15,000 residents. The malicious action was quickly noticed and reversed by a staff member, resulting in minimal, if any, impact on the public water supply.
## Incident Details
- Discovery Date: February 9, 2021 (the date the incident occurred and was reported)
- Incident Date: February 9, 2021
- Affected Organization: Water treatment plant serving the town of Oldsmar, Florida
- Sector: Public Utilities / Water Treatment
- Geography: Oldsmar, Florida, USA
## Timeline of Events
### Initial Access
- **Date/Time:** February 9, 2021 (exact time not reported)
- **Vector:** The TeamViewer remote access solution, accessed with compromised or otherwise obtained credentials.
- **Details:** A staff member saw a TeamViewer remote session window appear and initially assumed it was legitimate use of the installed remote access tool.
### Lateral Movement
- **Details:** Not explicitly detailed; the remote session itself gave the attacker direct control of the workstation from which facility settings are manipulated, so no further movement was needed.
### Data Exfiltration/Impact
- **Details:** The attacker manipulated settings to increase the dosage of lye (Sodium Hydroxide) to dangerous levels, posing a lethal risk if consumed. The goal was direct physical impact on the public water supply serving 15,000 residents.
### Detection & Response
- **Detection:** A staff member watching the workstation observed the cursor moving without their input, opening programs and changing settings.
- **Response Actions:** The water treatment facility quickly reverted the malicious changes, minimizing the introduction of harmful chemicals. The Sheriff's office, FBI, and Secret Service were contacted to assist with the investigation.
## Attack Methodology
- **Initial Access:** Unauthorized remote control via the **TeamViewer** application. TeamViewer was a known, installed tool; the attacker abused its access rather than introducing new software.
- **Persistence:** Not clearly detailed, but access was maintained for the duration required to execute the manipulation.
- **Privilege Escalation:** Not explicitly detailed; the established remote access likely had the necessary permissions to alter SCADA/process control settings.
- **Defense Evasion:** Exploiting a legitimate, trusted remote access tool (TeamViewer) likely helped the attacker blend in initially.
- **Credential Access:** Unspecified, but the attacker's ability to connect implies the TeamViewer credentials were compromised or weak.
- **Discovery:** Unspecified, though manipulating process controls suggests prior knowledge of the facility's system layout.
- **Lateral Movement:** Not detailed beyond the initial remote access to the control system.
- **Collection:** N/A (The intent was modification/destruction, not data theft).
- **Exfiltration:** N/A
- **Impact:** Direct attempted modification of a critical public utility’s chemical dosing to poison the water supply.
## Impact Assessment
- **Financial:** Not disclosed, but likely included the cost of investigation and system auditing.
- **Data Breach:** No evidence of data exfiltration; impact was physical/operational sabotage.
- **Operational:** Temporary disruption while malicious setting changes were identified and corrected. The facility successfully maintained control.
- **Reputational:** Potential reputational damage due to the nature of the attack (attempted poisoning), though swift reversal mitigated long-term public trust erosion.
## Indicators of Compromise
*Note: Since this was a known, authorized application (TeamViewer) being misused, specific IOCs are limited without further investigation data.*
- **Network indicators:** An inbound TeamViewer session into the facility's network, established through TeamViewer's own relay infrastructure rather than from an unknown host.
- **File indicators:** N/A
- **Behavioral indicators:** Unauthorized manipulation of Sodium Hydroxide (lye) dosing software settings.
## Response Actions
- **Containment measures:** Rapid manual reversal of the chemical dosing levels by the monitoring staff.
- **Eradication steps:** Unspecified, but likely included isolating or securing the compromised TeamViewer endpoint and auditing access credentials.
- **Recovery actions:** Verification that chemical levels returned to safe, normal operating parameters.
## Lessons Learned
- While legitimate remote access tools are necessary, they represent a significant operational risk if not properly secured and monitored.
- The incident highlights the danger of industrial control systems (ICS) being accessible via commercially available, general-purpose remote access software.
- Constant, active monitoring of control systems is crucial, as a staff member's vigilance prevented a catastrophe.
## Recommendations
- Implement strict **Least Privilege Access** for all remote access solutions into Operational Technology (OT) environments.
- **Isolate or tightly restrict** remote access tools like TeamViewer to only necessary jump boxes or hardened administrative workstations, rather than directly on process control servers.
- Enforce **Multi-Factor Authentication (MFA)** on all remote access services, even those used internally.
- Enhance logging and **real-time alerts** for critical configuration changes within SCADA or chemical dosing systems.
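One way to implement the last recommendation, as an added example that is not part of the original report: a small monitor that runs over a constructed audit trail of dosing setpoint changes and remote-session events, and raises an alert when a change leaves the safe operating band, jumps by more than a routine tuning step, or happens while a remote session is open. The log format, tag name, safe band and thresholds are assumptions, not values from the incident.

```python
import re
from collections import namedtuple

# Constructed sample audit trail (not real data): HMI setpoint changes and remote-session events.
SAMPLE_LOG = """\
2021-02-09T08:00:12 SESSION_START tool=TeamViewer user=operator src=203.0.113.7
2021-02-09T08:02:44 SETPOINT tag=NaOH_Dose_ppm old=100 new=110 user=operator
2021-02-09T08:03:10 SESSION_END tool=TeamViewer user=operator
2021-02-09T13:30:05 SESSION_START tool=TeamViewer user=operator src=198.51.100.9
2021-02-09T13:31:22 SETPOINT tag=NaOH_Dose_ppm old=110 new=9500 user=operator
2021-02-09T13:36:40 SETPOINT tag=NaOH_Dose_ppm old=9500 new=110 user=operator
"""

# Assumed safe band per tag and largest plausible single-step change (constructed values).
SAFE_BAND = {"NaOH_Dose_ppm": (50.0, 250.0)}
MAX_STEP_RATIO = 0.25

_KV = re.compile(r"(\w+)=(\S+)")
Alert = namedtuple("Alert", "ts tag severity reasons")

def parse_line(line):
    """Split 'timestamp EVENT k=v k=v ...' into (timestamp, event, fields)."""
    ts, event, rest = (line.split(" ", 2) + [""])[:3]
    return ts, event, dict(_KV.findall(rest))

def detect(log_text):
    """Return one Alert per setpoint change that trips any rule, in log order."""
    alerts, sessions = [], {}          # sessions: tool -> source address
    for line in filter(str.strip, log_text.splitlines()):
        ts, event, f = parse_line(line)
        if event == "SESSION_START":
            sessions[f["tool"]] = f.get("src", "?")
        elif event == "SESSION_END":
            sessions.pop(f["tool"], None)
        elif event == "SETPOINT":
            tag, old, new = f["tag"], float(f["old"]), float(f["new"])
            lo, hi = SAFE_BAND.get(tag, (float("-inf"), float("inf")))
            reasons, severity = [], None
            if not lo <= new <= hi:                      # rule 1: outside safe band
                reasons.append(f"{new:g} is outside safe band {lo:g}-{hi:g}")
                severity = "CRITICAL"
            if old and abs(new - old) / old > MAX_STEP_RATIO:   # rule 2: big jump
                reasons.append(f"step {old:g}->{new:g} exceeds {MAX_STEP_RATIO:.0%}")
                severity = severity or "HIGH"
            if sessions:                                 # rule 3: remote session active
                who = ", ".join(f"{t} from {s}" for t, s in sessions.items())
                reasons.append("changed during remote session: " + who)
                severity = severity or "MEDIUM"
            if reasons:
                alerts.append(Alert(ts, tag, severity, reasons))
    return alerts
```

Rule 3 fires on legitimate remote maintenance too; it is meant to route every setpoint change made over a remote session to a reviewer, while rules 1 and 2 are the ones that should page someone immediately.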