A hacking group with ties to the Russian government is suspected of carrying out a cyberattack in January that caused a tank at a Texas water facility to overflow, experts from US cybersecurity firm Mandiant said Wednesday.
The hack in the small town of Muleshoe, in north Texas, coincided with at least two other towns in north Texas taking precautionary defensive measures after detecting suspicious cyber activity on their networks, town officials told CNN. The FBI has been investigating the hacking activity, one of the officials said.
The attack was a rare example of hackers using access to sensitive industrial equipment to disrupt regular operations at a US water facility, following a separate cyberattack last November on a Pennsylvania water plant that US officials blamed on Iran.
The cyber incidents in Texas also help explain a rare public appeal that US national security adviser Jake Sullivan made last month to state officials and water authorities to shore up their cyber defenses. Cyberattacks are hitting water and wastewater systems “throughout the United States” and state governments and water facilities must improve their defenses against the threat, Sullivan said in a joint letter with the Environmental Protection Agency chief to state officials.
US officials have been concerned that many of the country’s 150,000 public water systems have struggled to find the cash and personnel to deal with persistent hacking threats from criminal and state actors.
The Texas hacking incidents gained little national attention when they occurred as questions lingered about who was behind the activity. But on Wednesday, Mandiant publicly linked the channel on Telegram, a social media platform, where hackers claimed responsibility for the Muleshoe attack with previous hacking activity carried out by a notorious unit of Russia’s GRU military intelligence agency.
It was unclear, Mandiant analysts said, whether the GRU was behind the cyberattack on Muleshoe’s water facility or if other Russian-speaking hackers using the same persona were claiming responsibility for the hack.
The string of incidents did not affect drinking water in the towns. But if it is confirmed that the GRU or one of its proxies was involved, this would mark an escalation in targeting US critical infrastructure for a Russian group often known for focusing on Ukraine.
In Muleshoe, a town of about 5,000 people, the hackers broke into a remote login system for industrial software that allows operators to interact with a water tank, city manager Ramon Sanchez told CNN. The water tank overflowed for about 30 to 45 minutes before Muleshoe officials took the hacked industrial machine offline and switched to manual operations, Sanchez said in an email. Muleshoe officials replaced the hacked software system and took other steps to secure the network, Sanchez said.
“Water utilities are being abused by adversaries taking advantage of low-hanging fruit — vulnerable services directly accessible from the internet,” said Gus Serino, a water-sector cybersecurity expert who is president of security firm I&C Secure.
“Regulations have not required this low-hanging fruit to be addressed,” Serino told CNN. “This shows a pretty clear need to handle the basics.”
The EPA in October was forced to rescind a key cybersecurity regulation for public water systems following a legal challenge from Republican attorneys general.
The EPA rule “could have put simple measures in place and prevented recent attacks on the water systems,” Anne Neuberger, deputy national security adviser for cyber and emerging technology at the White House, said in a statement to CNN on Tuesday. “But, we remain steadfast in our efforts to ensure Americans’ water systems are secure against cyber attacks, calling on owners and operators to lock their digital doors.”
The Biden-Harris administration, Neuberger added, has recently advised state officials on setting up security plans for protecting their water systems from hacks.
‘Suspicious activity’ in nearby towns
The hack in Muleshoe set off concern in the region. In Lockney, about 75 miles east of Muleshoe, town officials detected “suspicious activity” on the town’s SCADA system — a type of industrial computer network that helps oversee water plants, Buster Poling, Lockney’s city manager, told CNN.
And in the nearby city of Hale Center, hackers also tried to unsuccessfully break into the town’s “firewall,” prompting the town to disable remote access to its SCADA system, city manager Mike Cypert told CNN in an email.
Neither Cypert nor Poling identified the hackers responsible for the attempted cyberattacks; Poling would only say he believed them to be operating from a foreign country but declined to elaborate.
Poling believes the hackers were trying to get access to the town’s water wells, but, he said, town officials were able to catch the threat early and prevent the hackers from having any impact.
“I’ve never experienced this before but … we’re aware that those threats are out there,” Poling told CNN by phone. The FBI has been investigating the activity, he said.
The FBI declined to comment. CNN has requested comment from the Russian Embassy in Washington, DC, on the hacking incidents.
“Due to the ongoing investigation, EPA is not able to comment on this specific incident,” EPA spokesperson Nick Conger said in a statement to CNN. “However, EPA is coordinating with the State of Texas to support as needed.”
In its report published Wednesday, Mandiant found multiple links between a GRU sabotage and spying unit known as Sandworm and online infrastructure used by hackers using a persona called “CyberArmyofRussia_Reborn.” That includes a YouTube channel operated by the hacktivist persona that Mandiant believes was set up by the GRU-sponsored unit.
Sandworm is best known for series of disruptive cyberattacks that cut power in parts of Ukraine in 2015 and 2016. The group has pummeled Ukrainian infrastructure with cyberattacks throughout the ongoing war.
Sandworm also uses online personas to amplify and exaggerate the impacts of their hacks, according to Mandiant experts.
On January 18, the day that Sanchez, the Muleshoe city manager, told CNN that hackers took accessed the town’s industrial computer network, the CyberArmyofRussia_Reborn group posted a video to their Telegram social media channel purporting to show the manipulation of Muleshoe’s water valves.
“The haphazardness is part of their pathological emphasis on psychological impact,” Dan Black, a Mandiant analyst, told CNN. “They want to make it look like they’re doing more than they’re doing.”