18 October 2021

US security agencies say ransomware hackers targeted 3 different US water facilities in 2021



The US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) have released a joint advisory warning of ongoing cyberattacks – launched by both known and unknown malicious actors – targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities.

According to the US agencies, over the past few months, hackers have targeted wastewater plants in California, Maine and Nevada with ransomware attacks.

The first incident took place in March 2021, when hackers attacked a Nevada-based WWS facility using a previously undocumented ransomware variant. The ransomware affected the victim’s SCADA system and backup systems.

Several months later, in July 2021, malicious actors remotely planted the ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds, the agencies said.

In August 2021, a California-based WWS facility was targeted with a Ghost variant ransomware. This malware had been hiding inside the system for nearly a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.

The security alert also describes two incidents that took place in two previous years, including a Makop ransomware attack against a New Jersey-based WWS facility in September 2020, and an incident involving a former employee at a Kansas-based WWS facility, who was accused of tampering with a public water system.

“Although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others,” the security agencies said.

The joint advisory also provides an overview of Tactics, Techniques and Procedures (TTPs) used by attackers, as well as mitigations that organizations should implement to prevent cyber intrusions.
