Florida water treatment plant hack used dormant remote access software, sheriff says

The hacker broke into Oldsmar’s water treatment system twice on Friday – at 08:00 and 13:30 – using dormant remote access software called TeamViewer. The software had not been used for about six months, but was still on the system.

“How they got in, whether it was through a password or through something else, I can not tell you,” Gualtieri said.

However, Oldsmar’s assistant city manager Felicia Donnelly told CNN that a password was needed to control the system remotely.

Once inside, the hacker adjusted the level of sodium hydroxide, or lye, to more than 100 times its normal levels, Gualtieri said. The system administrator noticed the intrusion and immediately reduced the level back. At no stage was there a significant adverse effect on the water supply in the city, and the public was never in danger, he said.

The identity of the hacker, or hackers, is not yet known.

“Nobody knows anything, and any discussions that are taking place at this stage are pure speculation,” Gualtieri said.

Gualtieri praised the operator who spotted the attack on Friday, saying current and former employees had been questioned after early consideration of an intimidation threat. There are currently no suspicions or indications that this is the case, he said.

Questions about hacking sophistication

Robert M. Lee, CEO of Dragos Inc., an industrial cyber security company, said that these types of attacks keep industry experts awake at night.

“It was not particularly sophisticated, but that’s exactly what people are worried about. As one of the few examples of someone trying to hurt people, it’s a big deal for that reason,” Lee said.

Gualtieri, however, rejects the speculation that the attack was not sophisticated.

“It could be that someone somehow compromised the password and got the password out. Or it could be pretty sophisticated where you have someone doing what hackers do: constantly looking out for possible vulnerabilities and administrator credentials,” he said.

Gualtieri said the potential danger of an attack like this should prompt a discussion about remote access to software, adding that he had never seen such an attack.

“This is a new one for us,” the sheriff said.

Israel reaches out to US investigators

Gualtieri said the county is coordinating with the FBI and the U.S. Secret Service, but the county is taking the lead in the investigation by using an internal laboratory for the forensic analysis of the attack.

Asked why the Secret Service was involved, Gualtieri pointed to their work on computer fraud and agreed that Sunday’s Super Bowl in Tampa “definitely had something to do with it” since the attack took place on Friday. The attack was reported to the FBI Joint Terrorism Task Force, of which the Secret Service is a part, “so they were involved at that point.”

Florida Senator Marco Rubio said Monday he wants the intrusion to be treated as a matter of national security.

Israel’s National Cyber Directorate (NCD), the cyber security agency, said on Wednesday it had reached out to peers in the US investigating the Oldsmar hack.

“The Israeli National Cyber Directorate contacted its US equivalents on the matter (in Oldsmar, FL) as part of standard and accepted exchange of information in the cyber field, intended to learn from other cases in the world and the methods of resistance,” the institution said in a statement.

Last April, Israeli water facilities were targeted in an attack that Yigal Unna, head of the NCD, described as a “changing point in the history of modern cyber warfare.” He said the facilities were targeted in a “synchronized and organized attack aimed at our water systems.”

If the attack had been successful, Unna said, it could have significantly damaged the civilian water supply. He apparently also suggested that chlorine flow to water treatment units was targeted, which could have been harmful to public health.

In his address in May 2020 to an online CyberTech conference, the NCD chief did not say who he believed was behind the attack in Israel, but noted that it was not accompanied by the ransom demands or attempts at financial gain that would be expected if it had been carried out by cybercriminals.
