In February 2021, a U.S. water treatment facility was the target of a cyber-attack in which the attackers altered the chemical dosing in the water treatment process. Fortunately, the operators quickly recognized the change and returned the process to normal. An investigation by Federal and State agencies (FBI, CISA, EPA and MS-ISAC) found that the cyber actors gained access through older, unsupported versions of desktop sharing software and the operating system (TeamViewer and Windows 7).
Some of the particulars of this case:
“The unidentified cyber actors used the SCADA system’s software to increase the amount of sodium hydroxide, also known as lye, a caustic chemical, as part of the water treatment process.”
“The cyber actors likely accessed the system by exploiting cyber-security weaknesses, including poor password security, and an outdated operating system. Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system.”
“Desktop sharing software, which has multiple legitimate uses—such as enabling telework, remote technical support, and file transfers—can also be exploited through malicious actors’ use of social engineering tactics and other illicit measures.”
“Windows 7 will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system. Continuing to use any operating system within an enterprise beyond the end of life status may provide cyber criminals access into computer systems.”
Exposed or poorly secured desktop sharing software is a common entry point, and once inside, the cyber actors can do more than adjust operations. They can:
- Use access granted by desktop sharing software to perform fraudulent wire transfers
- Inject malicious code
- Move laterally across a network to increase the scope of activity.
The cyber security community recommends the following mitigations to reduce the risk of such attacks:
- Update to a currently supported version of the operating system (e.g., Windows 10).
- Use multi-factor authentication.
- Use strong passwords to protect Remote Desktop Protocol (RDP).
- Ensure that anti-virus, spam filters, and firewalls are up to date, properly configured and secure.
- Audit network configurations and isolate computer systems that cannot be updated.
- Audit your network for systems using RDP, close unused RDP ports, apply multi-factor authentication wherever possible, and log RDP login attempts.
- Audit logs for all remote connection protocols.
- Train users to identify and report attempts at social engineering.
- Identify and suspend access of users exhibiting unusual activity.
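The last few items (log RDP login attempts, audit remote-connection logs, spot unusual user activity) are easier to act on with a concrete check. The script below is an added example written for this post; it is not code from ATL, from the joint advisory, or from any vendor. It runs over a constructed, simplified text export of Windows Security events (the field names and values are the real ones: EventID 4624 is a successful logon, 4625 a failed logon, and LogonType 10 is a RemoteInteractive, i.e. RDP, session) and flags three things an auditor would want: successful RDP sessions from outside the plant's address space, password-guessing bursts against RDP, and RDP sessions outside shift hours. The internal address ranges, the 5-failures-in-10-minutes threshold and the 06:00–18:00 shift window are assumptions to be tuned per site.

```python
"""Audit Windows Security-log records for risky RDP activity.

Added example for this post (not code from ATL or from the joint advisory).
It works on a constructed, simplified text export of Windows Security events;
a real deployment would pull the events with Get-WinEvent or a SIEM, but the
fields used here are the real ones: EventID 4624 = successful logon,
4625 = failed logon, LogonType 10 = RemoteInteractive (an RDP session).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample records, not real logs.  Format per line:
#   <ISO timestamp> <EventID> <account> LogonType=<n> IpAddress=<source or ->
SAMPLE_EVENTS = """\
2021-02-05T08:02:11 4624 jsmith LogonType=10 IpAddress=10.10.4.21
2021-02-05T08:05:40 4624 jsmith LogonType=2 IpAddress=-
2021-02-05T09:15:00 4625 jsmith LogonType=10 IpAddress=10.10.4.21
2021-02-05T13:40:02 4625 operator LogonType=10 IpAddress=203.0.113.77
2021-02-05T13:40:09 4625 operator LogonType=10 IpAddress=203.0.113.77
2021-02-05T13:40:15 4625 operator LogonType=10 IpAddress=203.0.113.77
2021-02-05T13:40:22 4625 operator LogonType=10 IpAddress=203.0.113.77
2021-02-05T13:40:30 4625 operator LogonType=10 IpAddress=203.0.113.77
2021-02-05T13:41:05 4624 operator LogonType=10 IpAddress=203.0.113.77
2021-02-05T22:17:48 4624 operator LogonType=10 IpAddress=10.10.4.50
2021-02-06T03:30:11 4624 svc-backup LogonType=5 IpAddress=-
"""

# Assumed plant address space (RFC 1918 ranges); adjust to the site's own.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RDP_LOGON_TYPE = 10  # Windows LogonType for RemoteInteractive (RDP)


def parse_events(text):
    """Turn the text export into dicts; skips blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, event_id, user, logon, ip = parts
        ip = ip.split("=", 1)[1]
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "user": user,
            "logon_type": int(logon.split("=", 1)[1]),
            "ip": None if ip == "-" else ip,   # "-" = no network source
        })
    return events


def is_internal(ip, networks=INTERNAL_NETWORKS):
    return any(ipaddress.ip_address(ip) in net for net in networks)


def find_external_rdp_logons(events, networks=INTERNAL_NETWORKS):
    """Successful RDP sessions whose source address is not a plant address."""
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE
            and e["ip"] and not is_internal(e["ip"], networks)]


def find_password_guessing(events, threshold=5, window_seconds=600):
    """Sources with >= threshold failed RDP logons inside any one window.

    Returns {source_ip: total_failures}; the sliding window over sorted
    timestamps keeps a slow trickle of typos from being flagged.
    """
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == RDP_LOGON_TYPE and e["ip"]:
            failures[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged


def find_off_hours_rdp(events, start_hour=6, end_hour=18):
    """Successful RDP sessions outside the assumed shift window [start, end)."""
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE
            and not (start_hour <= e["time"].hour < end_hour)]


def audit(text):
    """Run all three checks over a text export and return the findings."""
    events = parse_events(text)
    return {
        "external_rdp": find_external_rdp_logons(events),
        "password_guessing": find_password_guessing(events),
        "off_hours_rdp": find_off_hours_rdp(events),
    }


if __name__ == "__main__":
    for finding, hits in audit(SAMPLE_EVENTS).items():
        print(finding, hits if isinstance(hits, dict) else
              [(e["time"].isoformat(), e["user"], e["ip"]) for e in hits])
```

On the sample data the script reports one external RDP session (203.0.113.77, preceded by five failed logons in under a minute from the same address) and one RDP session at 22:17 from an internal address. The first is the pattern this incident is remembered for: a remote-access tool reachable from the Internet, weak credentials, then a live session. The second is exactly the kind of "unusual activity" the last bullet asks you to investigate before deciding whether to suspend the account.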
ATL was one of the first 100 Microsoft Gold Partners (since 1985) and continuously tracks Windows service packs and versions to ensure that there are no disruptions to ATL software or to data security. As operating systems continue to be revised with newer versions, it is vitally important that your laboratory's LIMS and its supporting OS stay current with the latest upgrades and versions. For ATL clients using a Cloud deployment, ATL continues to partner with a Tier 3/SSAE16/ISO 27001 certified data center. It is the responsibility of ATL and its Cloud partners to ensure that the LIMS and client data are not compromised. ATL also engages third-party security experts to regularly test the security measures that have been deployed.
ATL will continue to monitor these types of events and continue to work closely with Microsoft and our third-party security partners to ensure the safety of our products and services.
Reference: Joint Cybersecurity Advisory AA21-042A, Compromise of U.S. Water Treatment Facility. February 11, 2021.
What is your reaction to news of this cyber-attack? Let us know in the comments.