An investigation undertaken in the aftermath of the Oldsmar water plant hack earlier this year has revealed that an infrastructure contractor in the U.S. state of Florida hosted malicious code on its website in what’s known as a watering hole attack.
“This malicious code seemingly targeted water utilities, particularly in Florida, and more importantly, was visited by a browser from the city of Oldsmar on the same day of the poisoning event,” Dragos researcher Kent Backman said in a write-up published on Tuesday.
The site, which belongs to a Florida-based general contractor involved in building water and wastewater treatment facilities, had no bearing on the intrusion, the American industrial cybersecurity firm said.
Watering hole attacks typically allow an adversary to compromise a specific group of end-users by compromising a carefully selected website that members of the group are known to visit, with the intention of gaining access to the victims’ systems and infecting them with malware.
In this specific case, however, the infected website didn’t deliver exploit code or attempt to achieve access to visitors’ systems. Instead, the injected code functioned as a browser enumeration and fingerprinting script that harvested various details about the website’s visitors, including operating system, CPU, browser (and plugins), input methods, presence of a camera, accelerometer, microphone, time zone, locations, video codecs, and screen dimensions.
The collected information was then exfiltrated to a database hosted on a Heroku app site (bdatac.herokuapp[.]com) that also stored the script. The app has since been taken down. Dragos suspects a vulnerable WordPress plugin may have been exploited to insert the script into the website’s code.
No fewer than 1,000 end-user computers visited the infected site during the 58-day window beginning Dec. 20, 2020, before it was remediated on Feb. 16, 2021. “Those who interacted with the malicious code included computers from municipal water utility customers, state and local government agencies, various water industry-related private companies, and normal internet bot and website crawler traffic,” Backman said.
“Dragos’ best assessment is that an actor deployed the watering hole on the water infrastructure construction company site to collect legitimate browser data for the purpose of improving the botnet malware’s ability to impersonate legitimate web browser activity,” the researcher added.
Based on telemetry data gathered by the company, one of those 1,000 visits came from a computer residing in the network belonging to the City of Oldsmar on Feb. 5, the same day an unidentified adversary managed to increase sodium hydroxide dosage in the water supply to dangerous levels by remotely accessing the SCADA system at the water treatment plant.
The attackers were ultimately foiled in their attempt by an operator, who caught the manipulation in real time and restored the concentration levels to undo the damage. The unauthorized access is said to have occurred via TeamViewer remote desktop software installed on one of the plant’s several computers that were connected to the control system.
The Oldsmar plant cyberattack, and more recently the Colonial Pipeline ransomware incident, have set off concerns about the potential for tampering with industrial control systems deployed in critical infrastructure, prompting the U.S. government to take steps to bolster defenses by protecting federal networks and improving information-sharing between the U.S. government and the private sector on cyber issues, among others.
“This is not a typical watering hole,” Backman said. “We have medium confidence it did not directly compromise any organization. But it does represent an exposure risk to the water industry and highlights the importance of controlling access to untrusted websites, especially for Operational Technology (OT) and Industrial Control System (ICS) environments.”
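A retrospective exposure check for the activity described above, as an added example that is not from Dragos or the original article: it scans web proxy logs for contacts with the Heroku host named in the report, counts how many fall inside the Dec. 20 to Feb. 16 window, and flags clients that sit in an OT segment. The log format, the 10.20.0.0/16 OT range, and every sample line are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Indicator as printed in the article (defanged); refanged only for matching.
IOC_HOST = "bdatac.herokuapp[.]com".replace("[.]", ".")
# Window the contractor site served the script: Dec. 20, 2020 to Feb. 16, 2021.
WINDOW_START = datetime(2020, 12, 20, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 2, 17, tzinfo=timezone.utc)  # exclusive bound
# Assumption: address range of the OT/ICS segment in a hypothetical network.
OT_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample: "<UTC time> <client ip> CONNECT <host>:<port> <status>"
SAMPLE_LOG = """\
2021-01-28T14:02:11Z 10.20.4.17 CONNECT bdatac.herokuapp.com:443 200
2021-01-28T14:02:12Z 10.20.4.17 CONNECT example.org:443 200
2021-01-11T08:30:00Z 192.168.7.40 CONNECT BDATAC.herokuapp.com:443 200
2021-03-01T10:00:00Z 192.168.7.41 CONNECT bdatac.herokuapp.com:443 503
2021-02-06T09:00:00Z 192.168.7.42 CONNECT notbdatac.herokuapp.com:443 200
malformed line
"""


def hunt(log_text):
    """Map client IP -> hit counts, first-seen time and OT flag for IOC contacts."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "CONNECT":
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            client = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # skip entries that do not parse
        # Exact host match, so look-alike names are not counted.
        host = parts[3].rsplit(":", 1)[0].lower().rstrip(".")
        if host != IOC_HOST:
            continue
        f = findings.setdefault(
            str(client), {"hits": 0, "in_window": 0, "first": ts, "ot": client in OT_NET})
        f["hits"] += 1
        f["in_window"] += WINDOW_START <= ts < WINDOW_END
        f["first"] = min(f["first"], ts)
    return findings


if __name__ == "__main__":
    for ip, f in sorted(hunt(SAMPLE_LOG).items()):
        seg = "OT" if f["ot"] else "IT"
        print(f"{ip} [{seg}] hits={f['hits']} in_window={f['in_window']} first={f['first']:%Y-%m-%d}")
```

Contacts outside the window are still reported, with an in_window count of zero, because the Heroku app also hosted the script and a request to it is worth reviewing regardless of date.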