Hackers targeted US drinking water and wastewater facilities as recently as August, Homeland Security says

·4 min read

WASHINGTON – The nation's top civilian cybersecurity agency issued a warning Thursday about ongoing cyber threats to the U.S. drinking water supply, saying malicious hackers are targeting government water and wastewater treatment systems.

Authorities said they wanted to highlight ongoing malicious cyber activity “by both known and unknown actors” targeting the technology and information systems that provide clean, drinkable water and treat the billions of gallons of wastewater created in the U.S. every year.

The alert, which disclosed three previously unreported ransomware attacks on water treatment facilities, was issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA). It was the result of analytic efforts by DHS, the FBI, the Environmental Protection Agency and the National Security Agency.

One DHS cybersecurity official described it as the routine sharing of technical information between federal agencies and their industry partners “to help collectively reduce the risk to critical infrastructure in the United States.” Added a second Homeland Security official: “It’s not any indication of a new threat. We don’t want anyone to think that their drinking water supply is under attack.”

Both officials spoke on the condition of anonymity in order to elaborate on the agency’s public statements.

Despite their assurances, the advisory disclosed that in March 2019, a former employee at a Kansas-based water and waste water treatment facility unsuccessfully tried to threaten drinking water safety by logging in with his user credentials – which had not been revoked at the time of his resignation – to remotely access a facility computer.

In that case, a federal grand jury in Topeka, Kansas accused Wyatt Travnichek, 22, of tampering with the water treatment facilities for the sprawling, eight-county Post Rock Rural Water District.

The indictment, announced March 31, alleges that Travnichek's job for the utility was to monitor the water plant remotely by logging into its computer system. Two months after he left his job with the water district in January 2019, it said, Travnichek logged in remotely with the intent of shutting shut down the facility’s cleaning and disinfecting procedures.

“By illegally tampering with a public drinking water system, the defendant threatened the safety and health of an entire community,” said Lance Ehrig, special agent in charge of the EPA's criminal investigation division in Kansas. The federal indictment says Travnichek used a Samsung phone to commit the offense.

The advisory also includes bare-bones details of four other unauthorized intrusions between 2019 and August 2021 in California, Maine, Nevada and New Jersey. All of them were ransomware attempts, or efforts to shut down water and wastewater systems in an effort to get a payout in order to put the systems back online, it said, without providing specifics.

The advisory comes several days after Homeland Security Secretary Alejandro Mayorkas and senior DHS cybersecurity officials told USA TODAY that they were concerned about the possibility of a deliberate cyberattack on a water treatment plant or other critical facility that could result in serious injuries or even death.

The DHS officials and cybersecurity experts cited the case of an Oldsmar, Florida water treatment plant that was penetrated in February by hackers trying to alter the chemicals used to treat the municipal water supply.

Mayorkas told the USA TODAY Editorial Board that he was especially troubled by the Oldsmar incident because “that attack was not for financial gain but rather purely to do harm … and that should have gripped our entire country.”

Wam Voster, senior research director at the security firm Gartner, warned that the attack on the Oldsmar water treatment facility “shows that security attacks on operational technology are not just made up in Hollywood anymore.” He described the relatively new and growing phenomenon as "killware,” or cyberattacks that can literally end lives.

Thursday's advisory did not disclose whether any of the four ransomware attempts resulted in payouts to hackers – or if any of them resulted in significant damage or any physical harm. The DHS cybersecurity official referred questions about that to an FBI official who could not be reached for comment.

In September 2020, workers at a New Jersey water and wastewater facility discovered that potential ransomware had compromised some of their system files, the advisory said. Six months later cyber actors used an unknown ransomware variant to disable a monitoring system – and its backup – at a facility in Nevada.

In July 2021, hackers used remote access to introduce ransomware onto a Maine facility’s wastewater operations computer. The treatment system was run manually until workers used local control of the system to get it back online. And the next month, a ransomware attack on a California facility was discovered when computer servers displayed a ransomware message. The malware had been in the system for about a month.

The agencies provided a long list of things that owners and operators can to do stop attacks on their systems and to minimize the damage if and when it occurs – including those overseeing Department of Defense water treatment facilities here and overseas. One recommendation: making sure their emergency response plans consider the full range of potential impacts of cyberattacks, including total shutdowns, loss of control of their operating systems, theft or destruction of internal data – and threats to human safety.

Follow domestic security correspondent Josh Meyer on Twitter @JoshMeyerDC and see his other reports:

This article originally appeared on USA TODAY: Hackers targeting US water facilities hit California, Maine in 2021