Water and wastewater joint advisory identifies new ransomware attack

The FBI, CISA, the National Security Agency (NSA), and Environmental Protection Agency (EPA) published a joint advisory last month warning the water and wastewater sector of continued attacks against facilities that threaten their ability to deliver clean water to communities.

While the alert specifies that the respective agencies are not seeing greater targeting of water and wastewater compared to other critical infrastructure sectors, three previously unreported ransomware attacks against water plants in California, Maine, and Nevada were identified.

The facilities are not named in the advisory, but in each case, SCADA servers, systems, or backups were impacted. Some SCADA systems are built to be compatible with numerous operating systems, including Windows. Unpatched vulnerabilities in the Microsoft operating system are often targeted by attackers to either gain a foothold on critical systems, or for lateral movement across the network.

Ransomware operators have rapidly evolved in recent years beyond simply encrypting compromised systems and files, to much more extensive attacks that include lateral movement and the theft of sensitive business data. Some groups threaten to publicly leak stolen data unless a hefty ransom is paid. In general, ransomware groups are targeting larger targets much more likely to meet more lucrative demands.

SCADA Systems Impacted in New Ransomware Incidents

The recent joint advisory adds to the grim picture that owners and operators are facing with regards to ransomware. The unnamed California facility was the most recent to be victimized. Threat actors had access to the affected systems for a month, the advisory says, before a variant of the Ghost ransomware was discovered when three SCADA servers displayed a ransom note. Ghost is an older ransomware family that locks down systems and encrypts files. Decryptors are available for older variants.

A Maine facility was attacked in July. Attackers compromised a SCADA computer with the ZuCaNo ransomware, the advisory said, forcing the facility to operate its treatment systems manually until the SCADA system was restored. ZuCaNo is a relatively new strain of ransomware that encrypts files and appends the extension .zucano to compromised files.

In March, one month after the Oldsmar, Fla., incident, a Nevada facility was attacked. The advisory does not name the ransomware used in the attack, but said it did affect the victim’s SCADA system and backup systems. Backups are a key recovery strategy for ransomware victims, but they must be segmented from critical systems or kept offline. Many ransomware strains seek out specifically to encrypt system backups. The advisory said that the affected Nevada SCADA system was not a full industrial control system, instead it was used for visibility and monitoring.

Two older attacks are also revealed in the advisory: a September 2020 attack against a New Jersey facility involving Makop ransomware, which encrypted files; and a March 2019 incident at a Kansas facility when a former employee whose credentials had not been revoked, attempted to remotely access a facility and tamper with drinking water.

The advisory warns defenders to be vigilant against spearphishing attacks, targeting of outdated operating systems and software, and exploitation of control systems running vulnerable firmware.

Spearphishing is an effective means of gaining initial access to IT networks. Organizations where IT and OT systems are integrated may expose industrial systems, including those with oversight over field devices and processes, to attackers. Successful access via spearphishing may also expose existing Remote Desktop Protocol (RDP) sessions used for remote maintenance of process control systems to attackers.

Claroty’s Biannual ICS Risk & Vulnerability Report: 1H 2021 illustrates the current OT vulnerability landscape. Legacy software and firmware permeates industrial networks and devices, and vulnerabilities in these systems may be difficult to mitigate, therefore leaving a lengthy window of opportunity for attackers to take advantage of. Claroty’s report points out the particular challenges associated with updating firmware, which has longer development, distribution, and update cycles.

Mitigations

The need for OT asset visibility and controls around remote access to industrial facilities has never been greater, and the joint advisory for water and wastewater management reinforces this notion. The challenge, however, for many water and wastewater facilities is that they are generally smaller community systems, not only the number of constituents they serve, but also the size of IT and OT, staff and their relative expertise. There are a number of stark realities that affect their respective abilities to defend networks from intruders, starting with a lack of funding, gaps in cybersecurity expertise, and prioritization of infrastructure improvements to maintain clean water and services.

Nonetheless, the FBI, CISA, EPA, and NSA recommend extensive monitoring of water and wastewater systems, and recommend vigilance over numerous indicators, including: loss of access to SCADA system controls, unfamiliar system alerts, abnormal operating parameters detected by a SCADA system (e.g., elevated chemical levels), unauthorized access to SCADA systems, abnormal parameter values, or unexplained SCADA system restarts.

The advisory also cautions against remote attacks, exacerbated by new remote connections and services due to the COVID-19 pandemic. The agencies recommend, for example, that remote access solutions enable logging and that logs are regularly audited for unauthorized access. Limits on the resources that can be accessed remotely should be in place, and that network ports that are unnecessary for remote access be closed. Multifactor authentication is also recommended, especially for remote access to the OT network, including from the organization’s IT network as well as from outside the enterprise.

Additional mitigation measures are explained in the advisory, including network segmentation and the development of network maps that give operators full visibility into network assets.