Outdated computer system exploited in Florida water treatment plant hack
OLDSMAR, F.L., (ABC News) — An outdated version of Windows and a weak cybersecurity network allowed hackers to access a Florida wastewater treatment plant’s computer system and momentarily tamper with the water supply, federal investigators revealed in a memo obtained by ABC News.
The FBI’s Cyber Division on Tuesday notified law enforcement agencies and businesses to warn them about the computer vulnerabilities, which led to the Bruce T. Haddock Water Treatment Plant in Oldsmar being hacked on Feb. 5.
The plant’s computer systems were using Windows 7, which hasn’t received support or updates from Microsoft in over a year, according to the FBI.
“The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment,” investigators wrote in the report. “The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system.”
The hacker was able to use remote access software to raise the levels of sodium hydroxide in the water from about 100 parts per million to 11,100 parts per million for a few minutes, according to investigators. Sodium hydroxide is used in liquid drain cleaners and used, in small doses, to remove metals from water.
A plant manager who noticed the hack as it unfolded was able to return the system to normal before there any major damage occurred, investigators said. The public was never in danger because it would have taken 24 to 36 hours for tainted water to hit the system if no one intervened.
The FBI and other law enforcement agencies are still trying to determine who was behind the hack and any possible motives. It’s unclear if the suspects were foreign or domestic, sources close to the investigation told ABC News. Investigators said they’re concerned the culprit could strike again — and the outcome could be far worse.
The FBI memo urged information technology administrators to make sure computers are up to date and that passwords are secure.
“Microsoft, the FBI, and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system,” the memo said. Not doing so “presents vulnerabilities for cyber actors to exploit.”