Researchers say they found several stolen and leaked credentials for a Florida water-treatment plant, which was hacked last week.
Researchers at CyberNews said they found 11 credential pairs linked to the Oldsmar water plant, in a 2017 compilation of stolen breach credentials. Meanwhile, they also found 13 credential pairs in the more recent “compilation of many breaches”– COMB for short — that occurred just days before the attack.
This collection was leaked on the RaidForums English-language cybercrime community on Feb. 2 and contains a staggering 3.27 billion unique combinations of cleartext email addresses and passwords in an aggregate database.
Of note, officials have not publicly drawn any connection between the credentials discovered in the leaked credential breach databases and the attack last week.
The Florida Water Plant Hack
The attack on the Oldsmar water-treatment facility in Florida occurred last Friday, when an attacker used remote access to the system to change the level of sodium hydroxide, more commonly known as lye, in the water from 100 parts per million to 11,100 parts per million.
The change was immediately detected by a plant operator, who changed the levels back before the attack had any impact on the system.
According to a Massachusetts security advisory published Wednesday, the attackers accessed the water treatment plant’s SCADA controls via TeamViewer, which is remote access software. TeamViewer was installed on computers by the water treatment plant, used by personnel to conduct system status checks and to respond to alarms or other issues that cropped up during the water treatment process.
“All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system,” according to the recent advisory. “Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”
The Leaked Data-Breach Credentials
Researchers with CyberNews recently delved into a breach compilation leaked online by hackers in 2017 and the more recent COMB data trove “to search for credentials from the domain ci.oldsmar.fl.us,” according to a blog post published Thursday by Bernard Meyer with CyberNews, and found several matches.
Researchers claim the attackers may have used the credentials acquired from either the 2017 breach compilation or COMB in the hack. However, given the close date of the COMB leak to the attack, it’s more likely that it was in this database that attackers found the credentials used in the system breach, Meyer noted.
What’s not clear is how old the credentials are, and whether they are specific to TeamViewer or otherwise.
“Regarding the credentials for the Florida water supply system, we could not confirm whether they were admin or Teamviewer for legal and ethical reasons,” Mantas Sasnauskas, senior information security researcher at CyberNews, told Threatpost. “We just pointed to the fact that there were some type of [plant] credentials in the leaked [database].”
The Oldsmar Water Plant Hack: Credentials Used?
CyberNews researchers said that the attack was likely rolled out in multiple stages. “The first part of the cyber kill chain would be espionage and reconnaissance — looking at the ICS system, who controls it, what domain they use for emails, and whether they can be accepted as login usernames,” Meyer wrote.
The second phase may have involved a credential-stuffing attack that would have provided attackers remote access to the system, he said. In this type of attack, hackers build automated scripts that systematically try stolen IDs and passwords against various accounts until a match is found.
As part of this, he said, the attacker may have checked various compilations for leaked credentials on those domains for credential pairs, which is where the COMB cache may have come in handy, he said.
“The second stage of the cyber kill chain would be the actual intrusions–in this case, the credential stuffing,” he wrote.
It’s unclear if the COMB credentials were in fact used, but the fact that some of the plant’s logins were found in the database is a notable coincidence, researchers said.
Authorities from Pinellas County Sheriff’s Office, the FBI and the U.S. Secret Service are still working together to investigate exactly what happened in the attack, although they do not believe it was state-sponsored.
While authorities said they have leads in the attack, they still don’t know who exactly was behind it, where the attackers are located and what the motive might be. The incident once again is a reminder of the potential catastrophic effect an attack on critical infrastructure can have on public safety, making the security of these systems a top concern, security experts said.
Threatpost WEBINAR: Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a FREE Threatpost webinar on Feb. 24 at 2 p.m. ET.Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.