Florida water treatment plant hack used inactive remote access software, sheriff says

The cyber intruder entered Oldsmar’s water treatment system twice on Friday – at 8:00 am and 1:30 pm – through inactive software called TeamViewer. The software had not been used for about six months, but it was still in the system.

“As they entered, whether through a password or something else, I can’t say that,” said Gualtieri.

However, Oldsmar’s assistant municipal manager, Felicia Donnelly, told CNN that a password was required for the system to be controlled remotely.

Once inside, the hacker adjusted the level of sodium hydroxide, or lye, to more than 100 times normal levels, said Gualtieri. The system operator noticed the intrusion and immediately reduced the level back. At no time was there a significant adverse effect on the city’s water supply, and the public was never in danger, he said.

The identity of the hacker, or hackers, is not yet known.

“Nobody knows anything, so the discussions that are taking place are pure speculation right now,” said Gualtieri.

Gualtieri praised the operator who detected the attack on Friday and said current and former employees were interviewed as investigators considered the possibility of an internal threat. There is currently no suspicion or evidence that this is the case, he said.

Questions about hack sophistication

Robert M. Lee, the CEO of Dragos Inc., an industrial cyber security company, said that this type of attack is precisely what keeps industry experts awake at night.

“It wasn’t particularly sophisticated, but that’s exactly what people care about, and as one of the few examples of someone trying to hurt people, it’s a big problem for that reason,” said Lee.

However, Gualtieri rejected speculation that the attack was unsophisticated.

“It may be that someone has somehow compromised the password and the password has been leaked. Or it may be quite sophisticated, where you have someone who is doing what intrusion hackers do: looking all the time for potential vulnerabilities and administrator credentials,” he said.

Gualtieri said the potential danger of an attack like this should lead to a discussion about remote access to the software, adding that he had never seen an attack like this.

“This is a new one for us,” said the sheriff.

Israel reaches out to US investigators

Gualtieri said the county is coordinating with the FBI and the US Secret Service, but the county is taking the lead in the investigation, using an in-house laboratory for the forensic analysis of the attack.

Asked why the Secret Service was involved, Gualtieri pointed to its work on computer fraud and agreed that Sunday’s Super Bowl in Tampa “certainly has something to do with it” since the attack happened on Friday. The attack was reported to the FBI Joint Terrorism Task Force, of which the Secret Service is a member, “so they were involved at that point.”

Senator Marco Rubio of Florida said on Monday that he wants the intrusion to be treated as a matter of national security.

Israel’s National Cyber Directorate (NCD), the government cybersecurity agency, said on Wednesday that it had contacted colleagues in the United States investigating the Oldsmar hack.

“Israel’s National Cyber Directorate has contacted its US counterparts about the case (in Oldsmar, FL) as part of the standard and accepted information sharing in the cyber field, which is intended to learn from other cases in the world and increase methods of resistance,” the institution said in a statement.

Last April, Israeli water facilities were the target of an attack that NCD chief Yigal Unna described as a “turning point in the history of modern cyber war”. He said the facility was the target of a “synchronized and organized attack on our water systems”.

If the attack had been successful, Unna said, it could have caused significant damage to civilians’ water supplies. He also suggested that the hack targeted the flow of chlorine in water treatment units, which could be harmful to public health.

In his presentation in May 2020 at an online CyberTech conference, the head of the NCD did not say who he believed was behind the attack in Israel, but noted that it had not been accompanied by the type of ransom or attempted financial gain that would be expected if it had been executed by cyber criminals.
