On November 11, SunWater, one of Queensland’s largest water providers, confirmed that it had identified a cyberattack. Upon further investigation, it discovered the cyberattack had more than likely lasted over nine months – in other words, the same amount of time it takes to create a human being. For nine months nobody had bothered to check their basic critical security.
It was further reported by analysts working on the aftermath of the attack that they suspected cybercriminals had gained access to websites and servers, which enabled them to mount a man-in-the-middle attack. This allowed them to redirect the digital traffic sent to and from the SunWater servers. Due to this insecurity, all data captured, at rest and in flight, would have been in plain text, the staple diet of cyber and ransomware criminals. This attack was not a case of an unfortunate victim; this was an opportunistic attack on a wide-open, defenceless target due to security negligence.
In essence, cybercriminals were able to easily infiltrate, and then just as easily exfiltrate highly sensitive data. One can only second guess and assume that data most certainly includes personally identifiable information (PII). If this is proven to be the case, SunWater have not only enabled and facilitated easy access due to their basic security oversight and negligence but have also fallen foul of all local and international privacy regulations and laws.
Cyberattacks on water facilities and providers are nothing new and are becoming increasingly familiar to cybersecurity professionals. However, it would seem few members of the general public – including the numerous C-suite executives that sit on the boards of water companies – realize just how insecure, fragile, and exposed our critical infrastructure is.
Earlier in the year, on February 8, the City of Oldsmar, Florida gave a press conference to disclose “an unlawful intrusion to the city’s water treatment system.” Someone on the internet successfully accessed the computer controlling the chemicals used to treat drinking water for the city and changed the level of sodium hydroxide to 11,100 parts per million (ppm), a significant increase from the normal amount of 100 ppm.
Sodium hydroxide (NaOH), also known as caustic soda, is a corrosive chemical used in low concentrations to regulate pH levels in drinking water and to protect water pipes. Let us be clear, in higher levels, sodium hydroxide is incredibly toxic and can severely damage human tissue.
What the Oldsmar and SunWater cyberattacks have in common is that both organizations lacked the basic, fundamental security of their internet-connected systems which could have precluded their cyberattacks. Let’s examine each case a little further. In the case of Oldsmar, adversaries were able to easily identify Oldsmar’s insecure internet-facing positions (websites and servers) and not only gained access, but also gained remote access via TeamViewer and from there gained further access to and control of the critical computers, which enabled them to alter the sodium hydroxide levels. It was only by sheer luck and chance that a major catastrophe was avoided: an engineer who was sitting next to the PC noticed the cursor on the screen moving, adjusting and increasing the sodium hydroxide level.
At the time of the Oldsmar cyberattack we immediately commenced a security research program and discovered a plethora of security issues which ranged from insecure websites, servers and public key infrastructure (PKI) to missing security headers, a missing content security policy (CSP), and numerous several-year-old Common Vulnerabilities and Exposures (CVEs). We wrote to the Sheriff’s department and Oldsmar to share our research and findings. We never received a reply.
On the back of this week’s SunWater cyberattack, we can confirm that at the time of writing, Oldsmar are still maintaining a woefully suboptimal and insecure internet-facing position. They have a Cyber Rated Index (CRI) of F and 0, the worst security rating possible. Measured against the OWASP Top Ten vulnerabilities, Oldsmar’s exposure includes missing security headers, no CSP, and an initial redirect from HTTP to HTTPS that goes to a different host, which prevents HSTS from ever being set for the original hostname and can enable numerous attacks including a MiTM attack. This is an identical situation to that which SunWater have also unknowingly facilitated.
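As an added illustration, not part of the original article: a small Python check for the redirect and header weaknesses just described (first HTTP hop landing on a different host, so HSTS is never set for the original name; missing HSTS and CSP headers), run over constructed sample redirect chains rather than captures from any real site.

```python
from urllib.parse import urlsplit

# Constructed sample redirect chains, not captures from any real site.
# Each hop is (url_requested, status, response_headers).
WEAK_CHAIN = [
    ("http://utility.invalid/", 301, {"Location": "https://www.utility.invalid/"}),
    ("https://www.utility.invalid/", 200, {"Content-Type": "text/html"}),
]
HARDENED_CHAIN = [
    ("http://utility.invalid/", 301, {"Location": "https://utility.invalid/"}),
    ("https://utility.invalid/", 301,
     {"Location": "https://www.utility.invalid/",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https://www.utility.invalid/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Content-Security-Policy": "default-src 'self'"}),
]

def _lower(headers):
    """Header names are case-insensitive, so normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}

def audit_chain(chain):
    """Return a list of findings for a redirect chain (empty when clean)."""
    findings = []
    first_url, first_status, first_headers = chain[0]
    first = urlsplit(first_url)
    if first.scheme == "http":
        if first_status not in (301, 302, 307, 308):
            findings.append("http: no redirect to https")
        else:
            target = urlsplit(_lower(first_headers).get("location", ""))
            if target.scheme != "https":
                findings.append("http: redirect target is not https")
            if target.hostname != first.hostname:
                # The browser never receives an HTTPS response for the
                # original host, so it can never remember an HSTS policy
                # for it and will keep starting from plain HTTP.
                findings.append("http: first hop leaves %s for %s, so HSTS "
                                "cannot be set for the original host"
                                % (first.hostname, target.hostname))
    for url, _status, headers in chain:
        if urlsplit(url).scheme == "https" and \
                "strict-transport-security" not in _lower(headers):
            findings.append("%s: missing Strict-Transport-Security" % url)
    if "content-security-policy" not in _lower(chain[-1][2]):
        findings.append("%s: missing Content-Security-Policy" % chain[-1][0])
    return findings
```

The hardened chain fixes the problem by redirecting http://host to https://host first (where HSTS is set) and only then to the www host.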
Moving on to the SunWater cyberattack, the government audit office said: “We take cybersecurity very seriously and acknowledged the findings.” So seriously, then, that this government-owned CNI water provider not only allowed infiltration for nine months but still remains woefully insecure after the event, as our research evidenced today. The government audit office released a report detailing the vulnerabilities of the state’s water infrastructure to potential cyberattacks.
“We continue to identify significant control weaknesses in the security of information systems. All entities must have strong security practices to protect against fraud or error, and significant reputational damage,” the report read.
As yet, we do not know what the catalyst for the discovery of the cyberattack was; however, computer disruption or a ransom demand may be reasonable assumptions. Typically, illegal access and infiltration can be sustained for around 6 months before being discovered, which would not be too different from this timeframe and not too dissimilar from the duration of last year’s SolarWinds cyberattack, which has been acknowledged as the world’s largest cyberattack, causing subsequent attacks on thousands of SolarWinds clients including the US government.
What the Oldsmar, SunWater and SolarWinds cyberattacks confirm is a near-total lack of basic and fundamental security of websites and servers. The very junction where companies connect to the internet – to aid performance, availability, customer interaction, and setting up payments and Direct Debits – is being used against them. And it’s not because cybercriminals are super intelligent or have incredible powers, tools and techniques. The vast majority of these cyberattacks are initiated and succeed because cybercriminals can easily identify exposed, vulnerable, and exploitable internet connections that enable access. Because controls are so lax, nobody even notices until, literally by chance, someone stumbles across the fact that their organization has been infiltrated.
Breaking Down the Insecurities
Take the above Domain Name System (DNS) rating of the www.sunwater.com.au website. Let us not forget this is an Australian government website and the audit office stated how seriously they take security … We are immediately drawn to the bright red and yellow tabs, however, let’s look at these in order.
The first tab shows “5 insecure”, which represents five servers that are insecure. They include TXT and MX servers (TXT standing for Text Messaging server and MX for Mail Exchange) as well as three others. In essence, these two insecure servers manage pretty much all messaging to and from this and other connected websites. This website, the main landing page, the homepage, with numerous other websites connected to it, is 100% compromised and insecure. Some call this Game Over; however, it actually gets worse.
The two errors and two warnings (red and yellow) confirm that this website is really badly misconfigured; the errors and warnings are highlighted in an attempt to draw the attention of those tasked with ensuring security.
The above DNS screenshot should most certainly be a wake-up call and very much a CODE RED situation for SunWater Limited. However, this Open-Source Intelligence (OSINT) capability is being poorly used, overlooked and even ignored by defenders. When cybercriminals embark upon their reconnaissance to identify suitable, easily exploitable targets, they first turn to such tools, and once they identify a SunWater, Colonial Pipeline, JBS Foods, CNA Insurance or even a SolarWinds, they select the appropriate access point, using its internet connection and vulnerabilities, to launch their attacks.
When cybercriminals identify such lax basic security, they are literally assured their probing, prodding, and even infiltration will go unnoticed. Put simply, nobody is checking, and everyone makes assumptions. All too often that includes the CISO and the security teams.
Furthermore, as we witness in the case of the majority of organizations, governments, central banks and multi-billion-dollar organizations, the continued oversight of this critical area catches organizations out time after time, no matter how much they invest (or waste) on false security and insurance policies, which may perversely add to their cyber risks rather than mitigate them.
If you asked 100, 1,000 or even 100,000 companies, “Please define your controls and management of websites, web servers and web application interfaces on an ongoing basis, and evidence them,” I suggest fewer than 5% would be able to share that with you.
As sure as water flows, companies that ignore their internet connected security will, sooner or later, be hacked.