The Florida water treatment plant hack used latent remote access software, the sheriff says

The cyber intruder entered Oldsmar’s water treatment system twice on Friday (at 8 a.m. and 1:30 p.m.) through inactive software called TeamViewer. The software had not been used for about six months, but it was still on the system.

“How they came in, whether through a password or something, I can’t say,” Gualtieri said.

However, Felicia Donnelly, a city assistant, told CNN that a password was needed to remotely control the system.

Once inside, the hacker raised the level of sodium hydroxide to more than 100 times its normal level, Gualtieri said. The system operator noticed the intrusion and immediately reduced the level. At no time was there a significant adverse effect on the city’s water supply, and the public was never in danger, he said.

The identity of the hacker or hackers is not yet known.

“No one knows anything, so the discussions that are taking place are pure speculation right now,” Gualtieri said.

Gualtieri praised the operator who witnessed the attack on Friday and said current and former employees have been interviewed after investigators first considered the possibility of an insider threat. There are currently no suspicions or indications that this is the case, he said.

Questions about the hack’s sophistication

Robert M. Lee, the CEO of Dragos Inc., an industrial cybersecurity company, said this type of attack is precisely what keeps industry experts awake at night.

“It wasn’t particularly sophisticated, but it’s exactly what worries people, and as one of the few examples of someone trying to hurt people, it’s a big deal for that reason,” Lee said.

However, Gualtieri rejected speculation that the attack was unsophisticated.

“It could be that someone compromised the password in some way and the password was unknown. Or it could be quite sophisticated if you have someone doing what hackers do: look for possible vulnerabilities there all the time and administrator credentials,” he said.

Gualtieri said the potential danger of an attack like this should prompt a discussion about remote access software, adding that he had never seen an attack like this.

“This is a new one for us,” the sheriff said.

Israel contacts US investigators

Gualtieri said the county coordinates with the FBI and the U.S. Secret Service, but the county takes the lead in the investigation through an in-house lab for forensic analysis of the attack.

Asked why the Secret Service is involved, Gualtieri pointed to its work on computer fraud and agreed that Sunday’s Super Bowl in Tampa “is sure to have something to do with it,” as the attack happened Friday. The attack was reported to the FBI, and the Joint Terrorism Task Force, of which the Secret Service is a part, “was involved at the time.”

Sen. Marco Rubio of Florida said Monday he wants the hacking to be treated as a national security matter.

Israel’s National Cyber Directorate (NCD), the government cybersecurity agency, said Wednesday it had contacted its U.S. counterparts investigating the Oldsmar hack.

“The Israel National Cyber Directorate has contacted its U.S. counterparts about the case (in Oldsmar, FL) as part of the standard and accepted exchange of information in the cyber field, which aims to learn from other cases in the world and increase methods of resistance,” the agency said in a statement.

Last April, Israeli water facilities were the target of an attack that NCD chief Yigal Unna described as a “changing point in the history of modern cyber warfare.” He said the facilities were the target of a “synchronized and organized attack on our water systems.”

If the attack had been successful, Unna said, it could have caused significant damage to civilian water supplies. He also seemed to suggest that the hackers were targeting the flow of chlorine to water treatment units, which could have been harmful to public health.

In his May 2020 presentation at an online CyberTech conference, the head of the NCD did not say who he believed was behind the attack on Israel, but noted that it had not been accompanied by the kind of ransom demands or attempts at financial gain that would be expected if it had been carried out by cybercriminals.
