On Feb. 5, an unidentified hacker broke into the computer system of a water treatment plant in the Florida town of Oldsmar and temporarily changed the plant’s sodium hydroxide setting to a potentially dangerous level, according to local officials. It turns out that hacker wasn’t alone on the network.
While law enforcement officials still haven’t publicly identified the perpetrator of the well-publicized hack, industrial security firm Dragos on Tuesday revealed a separate suspected intrusion, on that same day, into one of the Oldsmar Water Treatment Facility’s computers. Dragos has tied the malicious code to a botnet, a horde of infected computers used by spammers, whose code scanned the computers of local water utilities in Florida in recent months.
There is no connection between the incidents — whoever tampered with the Oldsmar facility’s chemical settings is not involved in the botnet — but the revelation shows how two very different types of hackers can be on the same network simultaneously, with the victim none the wiser.
The exposure of the Oldsmar plant’s computer to the botnet began that February morning when a plant employee visited the website of a Florida water infrastructure firm that was infected with malicious code, according to Dragos. Analysts found that, over the course of two months starting in December, over 1,000 computers belonging to municipal water utilities, employees of state and local government agencies and others visited the infected website.
“While the activity appears targeted to the water sector and is malicious it’s nothing impactful and can be considered high-level reconnaissance,” Dragos CEO Robert M. Lee told CyberScoop. “Dozens of other water companies … have been profiled by the malicious actor.” Lee said his firm went public with its findings to remind people why intelligence analysts shouldn’t jump to early conclusions based on incomplete data.
Dragos traced the malicious code to another website that it said was used to communicate with a years-old botnet known as Tofsee. The botnet is known for sending large volumes of spam to users of dating websites in order to generate cryptocurrency. Dragos analysts suspect that the hackers infected the water infrastructure firm’s website to collect data on its visitors and fine-tune the malicious software used by the botnet.
As for the attempt to tamper with the Oldsmar water supply, a plant operator reversed the change made by the hacker to the water solution before it entered Oldsmar’s drinking supply. But the incident has prompted scrutiny by U.S. lawmakers as well as calls from security experts for more cybersecurity resources for a cash-strapped water sector.