Latest Trends

Cyber Siege: Small Texas Towns Targeted in Wave of Water Utility Hacks

In an alarming development, several remote communities across Texas have experienced cyber intrusions targeting their water utilities. Mike Cypert, a city manager of one such community, Hale Center, found himself in a race against time to protect the town’s vital water systems from a breach of their digital defenses.

Urgent Response to Cyber Threat

One mundane day was upturned by a critical alert from a software vendor in January, warning of hacking activities aimed at the utilities of remote Texas towns—including Hale Center. Cypert, who oversees the town nestled in a cotton-growing region a substantial drive northwest of Dallas, discovered numerous attempts to penetrate the local firewall. The scale of the attack was significantly alarming—thousands of attempts, some allegedly originating from an IP address linked to St. Petersburg, Russia.

In haste, Cypert took swift action by disconnecting the computer responsible for the town’s water system and rapidly reported the incident to the FBI and the Department of Homeland Security. These federal agencies were already investigating similar incidents occurring nearby.

A Persistent Cyberthreat Across Texas

The incidents in Texas are the latest in a concerning trend of cyberattacks on America’s water utilities, which are part of the nation's critical infrastructure. Just months before, in November, an Iranian-backed group targeted digital controls commonly used in the water and waste industries across several states in the U.S. In a similar timeframe, north of Texas, the North Texas Municipal Water District—a supplier for over two million people—was hit by a ransomware attack.

Adding to the international threats, the Washington Post covered the report of a Chinese state-sponsored cyberattack on a Hawaiian water utility in December, highlighting that various foreign adversaries are targeting this sector.

John Hultquist, a leading analyst at Mandiant Intelligence, painted a dire picture, indicating that the water sector, which is typically underfunded and vulnerable, is experiencing a siege from multiple international threats: Iran, China, and Russia.

Ensuring National Security

An official from the FBI refrained from commenting on this sensitive issue, and the Department of Homeland Security did not respond promptly to inquiries. The attacks have not only raised alarms due to the immediate dangers but have also underscored vulnerabilities in the cyber defense of critical infrastructure within the United States.

Additional information and insights on these attacks were reported by Bloomberg News.

Sandworm: A Notorious Culprit?

In an investigatory twist, Mandiant researchers suggest a link between the Texan water utility cyberattacks and a notorious Russian hacking group known as Sandworm. Blamed for blackouts in Ukraine and interfering with the 2018 Olympics in South Korea, Sandworm, which the U.S. government believes to be part of Russia’s military intelligence, has historically staged hostile cyber operations. Nonetheless, whether Sandworm's methodology directly correlates with the Texas breaches remains uncertain. “We’ve never observed them overtly cross the line in the U.S. like this before,” stated Hultquist.

A Tide of Cyberattacks in Municipal Texas

In the case of Muleshoe, another affected small town in northwest Texas, the ramifications of the breach became visibly apparent when a citizen reported an overflowing water tank on January 18. The city's control over its water system was compromised, prompting immediate action to sever the connection and alert the city's software provider, as detailed by City Manager Ramon Sanchez during a public meeting reported by the Plainview Herald. The disruptions spanned several communities, with Sanchez acknowledging the widespread nature of the incidents.

The reporting raised the question of the attacks' attribution when a social media account—CyberArmyofRussia_Reborn—shared a video purporting to show manipulation of Muleshoe's industrial control system. The account, believed by cybersecurity experts to be controlled by Sandworm, has, according to Hultquist, been adopted by the group as a hacktivist facade.

The Motivation Behind the Hacks

The underlying intent of such cyberattacks on smaller municipal water systems may range from using them as testing grounds for larger and more significant targets to instilling widespread fear among the U.S. population. Andy Bennett, Apollo Information Systems' Chief Technology Officer and a former state cybersecurity official of Texas, echoed this sentiment. According to Bennett, this threat is particularly psychological, as it upsets the general sense of security that rural America is known to foster.

An Ongoing Investigation

The involvement of the Russian hacking group in the cyber breaches of Texas water utilities remains a subject of debate amongst U.S. intelligence officials, citing the sensitive nature of the information that has limited the extent of details that can be publicly divulged. The Russian Embassy in Washington elected not to comment on the situation.

Disturbingly, these concerns extend to the broader critical sectors of the U.S. economy, with national security officials remaining on high alert for potential cyber threats in key areas such as defense, dams, energy, financial services, and water systems.

Political Complications and Cyber Defense

The cyberattacks transpired amidst political scrutiny over the Environmental Protection Agency's scrapped plans to mandate cyber defense assessments at water facilities. This action attracted criticism from Republican lawmakers in three states, accusing the EPA of unlawfully overreaching its authority. Despite the pushback, the White House announced its intention to collaborate with Congress to enhance the agency's authority to safeguard against such cyber threats.

A Shared Vulnerability across Texas Towns

These cyber intrusions did not exclusively target Muleshoe and Hale Center. At least two other Texas communities—Abernathy and Lockney—also found themselves warding off digital assailants. In Abernathy, quick reactions from city staff thwarted hackers as they attempted to change system passwords. Lockney's city manager, Buster Poling, Jr., reported a similar experience, where the city's vigilance allowed them to evade any substantial harm from the attack.

Cypert, meanwhile, was forewarned to strengthen Hale Center’s defenses, echoing the vendor's advice to other communities. This resulted in a rushed Safeguard protocol by unplugging the pertinent computer systems, providing Hale Center with a narrow escape from the breach. Despite not being compromised, Hale Center was under a significant brute force attack, with thousands of attempts made in just four days to crack its cybersecurity firewall.

Detailed Tracking and Reporting

The persistent efforts from unidentified sources to breach Hale Center exemplified the complexity of the cyber threat landscape. The IP addresses involved in the brute force attack were traced primarily to global origins, but a recurring address from St. Petersburg caught specific attention. The city's vendor, Morgeson Consulting based in Lubbock, expedited communication between Cypert and the FBI, ensuring a prompt response to the situation. The owner of Morgeson Consulting, however, has not provided a comment on the record at this time.

A Testament to Technical Expertise

Upon immersion in the unfolding cybersecurity threat, Cypert relayed potentially critical data regarding the suspicious attempts to breach Hale Center's firewall to the FBI. Ben Warren, the city’s IT contractor, played a pivotal role in guiding federal investigators through the technical intricacies of the situation, earning the investigators' praise for his technical expertise—a commendation that underscored the importance of skilled personnel in managing and countering cyber threats.

As the investigation continues, the city manager recollects the high regard in which the agents held Warren, driving home the message: "Hang on to him." This sentiment may well serve as advice for all municipalities under the growing shadow of cyber warfare—to preserve and value the individuals who serve as gatekeepers to their community's digital safety.

Conclusion: A Battle for Cybersecurity

These unfolding events have illuminated the intensity of cyber threats facing small-town America today, not only highlighting the technical challenges but also the geopolitical tensions inherent in cybersecurity. The nation's water utilities, representative of its critical infrastructure, have found themselves on the frontline of a silent battle, facing an array of sophisticated adversaries. As these cyber incidents continue to emerge, the importance of robust cyber defense strategies and collaboration among local authorities, federal agencies, and cybersecurity experts has never been clearer.

©2024 Bloomberg L.P. with additional reporting by Jamie Tarabay and Katrina Manson.