Infecting water supplies by hacking water utilities has long been a goal of Islamic terrorists. And despite the fact that the terrorists seem to be making inroads toward their goal, DHS is not warning Americans of the threat.
The UK Register reported that a “hacktivist” group with ties to Syria and ISIS infiltrated an American water utility’s control system and was temporarily able to change the levels of chemicals used to treat tap water. The location of the utility has not been revealed and its name has been changed in a report issued by Verizon. It appears that little to no damage occurred and the water treatment was corrected.
The hacktivists compromised water utility computers “by exploiting unpatched web vulnerabilities in its internet-facing customer payment portal,” Verizon’s RISK report states. It also reports that this isn’t the first time hacktivists have attacked targeted utilities.
Reports that hackers have breached water treatment plants are rare but not unprecedented. For example, computer screenshots posted online back in November 2011 purported to show the user interface used to monitor and control equipment at the Water and Sewer Department for the City of South Houston, Texas by hackers who claimed to control its systems. The claim followed attempts by the US Department of Homeland Security to dismiss a separate water utility hack claim days earlier.
More recently hackers caused “serious damage” after breaching a German steel mill and wrecking one of its blast furnaces, according to a German government agency. Hackers got into production systems after tricking victims with spear phishing emails, said the agency.
Spear phishing also seems to have played a role in attacks involving the BlackEnergy malware against power utilities in the Ukraine and other targets last December. The malware was used to steal user credentials as part of a complex attack that resulted in power outages that ultimately left more than 200,000 people temporarily without power on 23 December.
Fortunately, this time, the hacktivists unsuccessfully manipulated the valves that control the flow of chemicals, twice, because they didn’t know how to correctly use the SCADA systems, or they didn’t intend to cause any harm.
Incidents such as the ones described above are not new. As far back as 2002, the FBI arrested the Ujaama brothers. Tied to the Taliban, the brothers were carrying plans about how to poison water supplies.
In 2013, seven Muslim “chemical engineers” were caught trespassing at a key supply of water for Boston, after midnight. And a few weeks later the water authorities noticed that some of the padlocks keeping people out of the aqueducts carrying water to Boston had been cut.
The incident occurred at the Hultman Aqueduct, which is one of the two lines that carry drinking water to the Greater Boston area.
The three padlocks were cut from separate access hatches located at approximately half-mile intervals along the aqueduct. Police say there is evidence of an attempt to cut a fourth lock.
State Police are investigating, though they say “there is no evidence of any crime other than vandalism.”
The MWRA says it doesn’t appear anyone tried to tamper with the water supply and there does not appear to be any contamination or changes in water quality.
In January 2014, 26-year-old Asef Mohamed broke into the plant that treats and pumps water for the township of Manalapan, New Jersey. “This was a person that purposely climbed a six-foot fence with three or four layers of barbed wire on top”
The UK Register also reported, in depth, on a similar security breach that occurred in Illinois, based on the disclosed contents of a November 10 report provided by an industrial control systems security expert, Joe Weiss, from the Illinois Statewide Terrorism and Intelligence Center. The report indicates that “attackers destroyed a pump belonging to a regional water utility in that state by hackers who gained access to supervisory control and data acquisition systems that manage the utility’s machinery. That report remains unconfirmed, although the DHS spokesman said officials from his agency and the FBI are investigating.”
However, if they didn’t mean to cause any harm, why did they have a need to “hack” the system?
Not only is it disturbing that the Department of Homeland Security has been unable to prevent these types of attacks, but it is disturbing that we aren’t being warned of this trend or the fact that the people being arrested just “happen” to be connected to radical Islam.