A water treatment facility
Hackers succeeded in altering the amount of chemicals used to treat tap water at a water plant four times due to bad cybersecurity practices iStock

A group of hackers managed to infiltrate a water treatment plant and change the levels of chemicals being used to treat tap water four times during the cyberattack, security researchers report.

The potential trouble caused by hacking critical infrastructure has become a key cybersecurity concern in recent months. In December 2015, cyberattacks against three Ukrainian power companies caused widespread power outages in multiple central and regional facilities, hitting 225,000 customers. In January, Israel's Electricity Authority (IEA) was victim of a ransomware attack that paralysed some of the computers on its network for over two days.

Verizon Security Solutions is the cybersecurity arm of Verizon's enterprise services for businesses, and the security firm is frequently called in by corporations to deal with cybersecurity threats. Verizon states in its latest report that a group of hackers who have been previously associated with hacktivism campaigns succeeded in breaching a water treatment facility.

Due to the sensitive nature of the breach, which gave the hackers access to the personal and financial records of over 2.5 million customers, Verizon is not releasing the name of the water company or the country it resides in, referring to the company by the fake moniker "Kemuri Water Company" (KWC).

Water company using 1980s IBM server

Verizon says the breach happened as the water company had been using operating systems over a decade old to run its entire IT network (we're guessing Windows XP), and because the entire IT network relied on a single ancient IBM Application System/400 (AS/400) server, released back in 1988.

This server was used to connect not just the firm's internal IT network but also the operational technology (OT) systems that controls the water treatment facility, which managed the water supply and metering water usage for a number of neighbouring counties, and best of all, only one employee in the whole company was capable of dealing with the ancient AS/400 system.

KWC asked Verizon to assess their networks for indications of a security breach as the company's IT team had detected unauthorised access to the OT systems of the water district, and in the two months prior to reporting the breach, KWC had noticed an unexplainable pattern of valve and duct movements that seemed to be manipulating hundreds of Programmable Logic Controllers (PLCs).

The PLCs are crucial as they manage the amount of chemicals used to treat the water in order to make it drinkable, as well as the water flow rate. The movements were causing disruptions with water distribution.

The hackers breached the KWC's systems by exploiting a vulnerability in the web-accessible payments system and using it to get into the company's web server. Verizon's researchers realised that the IP addresses of the attackers corresponded with those of hackers who had previously carried out hactivist campaigns, and it is thought that the hackers' motives might concern Syria, so perhaps these hackers are affiliated with a larger hacking collective like Anonymous.

Hackers may have been unaware of what they could actually do

The researchers say that although the hackers had access to over 2.5 million customer records, luckily the hackers never sought to use the information from the accounts, and it is very likely that the hackers didn't even realise that they were manipulating tap water chemical levels as the way they modified application settings showed very little knowledge of how the flow control system worked.

In the end, KWC was able to identify and reverse the chemical and flow changes in time, so the impact on customers was largely minimised and nobody got ill – but it could have been so much worse.

"KWC's breach was serious and could have easily been more critical. If the threat actors had a little more time, and with a little more knowledge of the ICS/SCADA system, KWC and the local community could have suffered serious consequences," Verizon's researchers write in the report.

"Having internet facing servers, especially web servers, directly connected to SCADA management systems is far from a best practice. Many issues like outdated systems and missing patches contributed to the data breach — the lack of isolation of critical assets, weak authentication mechanisms and unsafe practices of protecting passwords also enabled the threat actors to gain far more access than should have been possible."