Hacktivists Mess with Chemicals in Water Treatment Plant

Talk about your doomsday scenario. Hackers infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water, according to Verizon Security Solutions.

Verizon describes the attack against the "Kemuri Water Company" (KWC), a pseudonym for a real firm in an unspecified country, in this month’s IT security breach report.

A "hacktivist" group with ties to Syria compromised Kemuri's computers after exploiting unpatched web vulnerabilities in a payment portal that was connected to the public Internet.

The hack - which involved SQL injection and phishing - was made easier because login credentials for the operational control system were stored on the Web server.

The system regulated valves and ducts that controlled the flow of water and chemicals used to treat it.

Verizon discovered four separate connections over a 60-day period.

During these connections, the threat actors modified application settings with little apparent knowledge of how the flow control system worked. In at least two instances, they managed to manipulate the system to alter the amount of chemicals that went into the water supply and thus handicap water treatment and production capabilities so that the recovery time to replenish water supplies increased. Fortunately, based on alert functionality, KWC was able to quickly identify and reverse the chemical and flow changes, largely minimizing the impact on customers. No clear motive for the attack was found.

The hacktivists had manipulated the valves controlling the flow of chemicals twice – though fortunately to no particular effect. It seems the activists lacked either the knowledge or the intent to do any harm.

The same hack also resulted in the exposure of personal information of the utility’s 2.5 million customers. There’s no evidence that this has been used for fraud.