The cyber-intruder got into Oldsmar’s water treatment system twice on Friday — at 8 a.m. and 1:30 p.m. — through dormant remote-access software, TeamViewer, that hadn’t been used in about six months but was still installed on the system.
“How they got in, whether it was through a password or through something else, I can’t tell you that,” said Gualtieri.
However, Oldsmar’s assistant city manager, Felicia Donnelly, told CNN that a password was required for the system to be controlled remotely.
Once inside, the hacker raised the amount of sodium hydroxide, or lye, dosed into the water to more than 100 times its normal level, Gualtieri said. The system’s operator noticed the change and immediately set it back. At no time was there a significant adverse effect on the city’s water supply, and the public was never in danger, he said.
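In Oldsmar the change was caught because a human happened to be watching the screen. The check below is an added example, not code from the article or from the utility, of the kind of automated rule that flags the same event: a setpoint change is alerted on when it leaves an assumed engineering range, when it jumps by more than an assumed ratio against the previous value, or when it arrives over a remote session. The event format, tag name, limits and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed shape of a setpoint-change audit record exported from an HMI/historian.
@dataclass
class SetpointEvent:
    ts: str          # timestamp string, as logged
    tag: str         # process tag (assumed name)
    user: str        # account that made the change
    old_value: float
    new_value: float
    source: str      # "local_hmi" or "remote" (assumed field)

# Assumed engineering limits per tag (ppm); illustrative, not real plant values.
LIMITS: Dict[str, Tuple[float, float]] = {"NAOH_DOSE_PPM": (50.0, 150.0)}
# Any single change larger than this factor relative to the previous value is suspicious.
MAX_RATIO = 3.0

def check_setpoint(ev: SetpointEvent,
                   limits: Dict[str, Tuple[float, float]] = LIMITS,
                   max_ratio: float = MAX_RATIO) -> List[str]:
    """Return the reasons a setpoint change should be alerted on (empty list = benign)."""
    reasons: List[str] = []
    bounds: Optional[Tuple[float, float]] = limits.get(ev.tag)
    if bounds is not None:
        lo, hi = bounds
        if not (lo <= ev.new_value <= hi):
            reasons.append(f"new value {ev.new_value} outside engineering range [{lo}, {hi}]")
    # Guard the ratio check against a zero previous value (edge case: first write, or a zeroed tag).
    if ev.old_value > 0:
        ratio = ev.new_value / ev.old_value
        if ratio > max_ratio or ratio < 1.0 / max_ratio:
            reasons.append(f"change ratio {ratio:.1f}x exceeds {max_ratio}x")
    elif ev.new_value > 0:
        reasons.append("change from zero to non-zero value")
    if ev.source == "remote":
        reasons.append("change made over a remote session")
    return reasons

def scan(events: List[SetpointEvent]) -> List[Tuple[SetpointEvent, List[str]]]:
    """Run the rule over a batch of events and keep only those with at least one reason."""
    flagged = []
    for ev in events:
        reasons = check_setpoint(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged

# Constructed sample records: one routine local adjustment, one large remote jump.
SAMPLE_EVENTS = [
    SetpointEvent("2021-02-05T07:10:00", "NAOH_DOSE_PPM", "operator1", 100.0, 105.0, "local_hmi"),
    SetpointEvent("2021-02-05T13:30:00", "NAOH_DOSE_PPM", "operator1", 100.0, 10500.0, "remote"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {ev.ts} {ev.tag} {ev.old_value} -> {ev.new_value} ({ev.user}): " + "; ".join(reasons))
```

The remote-session reason fires on its own, independent of the value: a change made through a remote-access tool that the plant believed to be unused is worth a ticket even when the number looks sane. The ratio test is symmetric, so a sudden drop in dosing is alerted on as well as a spike.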
The identity of the hacker, or hackers, isn’t yet known.
“Nobody knows anything so any discussions that are being had are pure speculation at this point,” Gualtieri said.
Gualtieri praised the operator who spotted the attack on Friday and said current and former employees have been interviewed after early consideration of an insider threat. There are currently no suspicions or indications that’s the case, he said.
Questions on sophistication of hack
Robert M. Lee, the CEO of Dragos Inc., an industrial cybersecurity company, said this type of attack is precisely what keeps industry experts awake at night.
“It was not particularly sophisticated, but it’s exactly what folks worry about, and as one of a very few examples of someone making an attempt to hurt people, it’s a big deal for that reason,” Lee said.
However, Gualtieri rejected speculation that the attack wasn’t sophisticated.
“It could be that somebody somehow compromised the password and the password got out. Or it could be pretty sophisticated where you’ve got somebody who’s doing what intrusion hackers do: looking out there all the time for potential vulnerabilities and administrator credentials,” he said.
Gualtieri said the potential danger of an attack like this should prompt a discussion about remote access to software, adding that he’d never seen an attack like this.
“This is a new one for us,” the sheriff said.
Israel reaches out to US investigators
Gualtieri said the county is coordinating with the FBI and US Secret Service, but the county is taking the lead on the investigation, using an in-house lab for the forensic analysis of the attack.
Asked why the Secret Service is involved, Gualtieri pointed to their work on computer fraud and agreed Sunday’s Super Bowl in Tampa “certainly has something to do with it,” given that the attack happened Friday. The attack was reported to the FBI’s Joint Terrorism Task Force, which the Secret Service is a part of, “so they were involved at that point.”
Sen. Marco Rubio of Florida said Monday he wants the hacking handled as a national security matter.
Israel’s National Cyber Directorate (NCD), the country’s government cybersecurity agency, said Wednesday it had reached out to counterparts in the US investigating the Oldsmar hack.
“The Israel National Cyber Directorate has contacted its US equivalents about the case (in Oldsmar, FL) as part of standard and accepted information-sharing in the cyber field, which is intended to learn from other cases in the world and augment the methods of resistance,” the institution said in a statement.
Last April, Israeli water facilities were targeted in an attack that NCD head Yigal Unna described as a “changing point in the history of modern cyber warfare.” He said the facilities were targeted in a “synchronized and organized attack aimed at our water systems.”
Had the attack been successful, Unna said, it could have caused significant damage to civilian water supplies. He also appeared to suggest the hack targeted chlorine flow into water treatment units, which could have been harmful to public health.
In his May 2020 presentation to an online CyberTech conference, the NCD head did not say who he believed was behind the attack in Israel, but noted it had not been accompanied by the type of ransom demands or attempt to gain financially that would be expected if it had been carried out by cyber criminals.