An advisory published by several federal agencies offered new insights on how an attacker might have accessed a system that allowed them to potentially contaminate Oldsmar’s water supply.
The advisory detailed an unnamed water supply agency that was hit by a cyberattack, the attack date and details of which match what was publicly disclosed about the Oldsmar incident. It was authored by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the U.S. Environmental Protection Agency and the Multi-State Information Sharing & Analysis Center.
Earlier this month, an attacker significantly increased levels of lye in the Oldsmar water treatment system remotely. An employee realized the attack was happening when their mouse began moving across the screen. The attack was quickly reversed. While the lye likely wouldn’t have been enough to kill any of the 15,000 customers the water system serves, the damage a more sophisticated attacker might have done with the same access could have been much worse, experts said.
At the time of the attack, Pinellas County Sheriff Bob Gualtieri said the intrusion likely happened through software called TeamViewer, which is used for remote access.
The federal advisory offered two other possible ways the attacker accessed the system: “poor password security” and outdated Windows software.
While the advisory did not explicitly say that Oldsmar’s systems ran on Windows 7, it said that version of Windows is particularly susceptible to attack. Microsoft stopped providing security updates for Windows 7, originally launched in 2009, at the beginning of last year.
“Continuing to use any operating system within an enterprise beyond the end of life status may provide cyber criminals access into computer systems,” the advisory said.
Reached by phone, a spokeswoman for Oldsmar’s mayor’s office declined to comment.
TeamViewer is software used to share files, screens and log into a machine from afar. The advisory said that while TeamViewer is “a legitimate popular tool,” it has been targeted by attackers previously, and remote access software like it could be used by disgruntled employees to retaliate against their employers.
Other critical infrastructure agencies have also been attacked through remote access software, it said.
The agencies recommended what experts the Tampa Bay Times spoke with previously also suggested: Agencies should update their software to more recent versions, use multi-factor authentication so that a stolen password alone is not enough to log in, monitor their systems for signs of attack and review the logs of any remote access software to see who is connecting and when.
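As an added illustration of the last recommendation (reviewing remote-access logs), not part of the original article or of any agency guidance, the following Python script parses a small constructed connection log and flags the kinds of sessions an operator would want to see: connections from a remote ID that is not on an allowlist, connections outside working hours, and two different remote IDs controlling the machine at the same time (the situation the Oldsmar employee noticed when the mouse moved on its own). The tab-separated layout (remote ID, display name, start, end, local user, session type, connection GUID) is modeled on TeamViewer's incoming-connection log but is an assumption here; the sample lines, the allowlist and the business-hours window are all constructed.

```python
"""Flag suspicious sessions in a TeamViewer-style incoming-connection log (added example)."""
from datetime import datetime, time

# Constructed sample log lines (not real data). Assumed layout, tab-separated:
# remote ID, display name, start, end, local user, session type, connection GUID.
SAMPLE_LOG = """\
123456789\tOperator Laptop\t05-02-2021 08:05:10\t05-02-2021 08:30:44\tplant\\op1\tRemoteControl\t{aaaa}
123456789\tOperator Laptop\t05-02-2021 13:00:02\t05-02-2021 13:12:37\tplant\\op1\tRemoteControl\t{bbbb}
987654321\tUnknown\t05-02-2021 13:03:15\t05-02-2021 13:08:51\tplant\\op1\tRemoteControl\t{cccc}
123456789\tOperator Laptop\t06-02-2021 03:14:09\t06-02-2021 03:21:40\tplant\\op1\tRemoteControl\t{dddd}
"""

# Hypothetical allowlist of remote IDs permitted to connect to the operator station.
ALLOWED_IDS = {"123456789"}
# Hypothetical staffed window; connections outside it deserve a second look.
BUSINESS_HOURS = (time(6, 0), time(18, 0))
TS_FORMAT = "%d-%m-%Y %H:%M:%S"


def parse_sessions(text):
    """Turn log text into a list of session dicts, skipping malformed lines."""
    sessions = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # blank or truncated line: skip rather than crash the review
        remote_id, name, start, end, user, kind, conn_id = fields[:7]
        sessions.append({
            "id": remote_id,
            "name": name,
            "start": datetime.strptime(start, TS_FORMAT),
            "end": datetime.strptime(end, TS_FORMAT),
            "user": user,
            "type": kind,
            "conn": conn_id,
        })
    return sessions


def find_alerts(sessions, allowed_ids=ALLOWED_IDS, hours=BUSINESS_HOURS):
    """Return (connection GUID, [reasons]) for sessions that break a rule."""
    alerts = []
    for s in sessions:
        reasons = []
        if s["id"] not in allowed_ids:
            reasons.append("unknown TeamViewer ID")
        if not (hours[0] <= s["start"].time() < hours[1]):
            reasons.append("outside business hours")
        if reasons:
            alerts.append((s["conn"], reasons))
    return alerts


def concurrent_sessions(sessions):
    """Return pairs of connection GUIDs from different remote IDs whose time ranges overlap."""
    pairs = []
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            overlap = a["start"] < b["end"] and b["start"] < a["end"]
            if a["id"] != b["id"] and overlap:
                pairs.append((a["conn"], b["conn"]))
    return pairs


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_LOG)
    for conn, reasons in find_alerts(parsed):
        print(f"ALERT {conn}: {', '.join(reasons)}")
    for a, b in concurrent_sessions(parsed):
        print(f"CONCURRENT {a} overlaps {b} from a different remote ID")
```

On the constructed sample this reports the unknown-ID session, the 3 a.m. session, and the overlap between the operator's own session and the unknown one. In practice the allowlist and hours would come from the plant's access policy, and the script would read the real log file instead of the embedded string.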