Tex. hack may be first disruption of U.S. water system by Russia

Happy Wednesday! National security reporter Ellen Nakashima here filling in for Cristiano and Will. Reach out with news tips at: [email protected].

Tex. hack may be first disruption of U.S. water system by Russia

In January, an alert citizen in Muleshoe, Tex., was driving by a park and noticed that a water tower was overflowing. Authorities soon determined the system that controlled the city’s water supply had been hacked. In two hours, tens of thousands of gallons of water had flown into the street and drain pipes.

The hackers posted a video online of the town’s water-control systems and a nearby town being manipulated, showing how they reset the controls. In the video on the messaging platform Telegram, they called themselves Cyber Army of Russia Reborn (CARR).

“We’re starting another raid on the USA,” the video caption reads in Russian, with the hackers saying they would show how they exploited “a couple critical infrastructure facilities, namely water supply systems.” It was followed by a smiley face emoji.

That water tank overflow in a Texas panhandle town may well be linked to one of the most infamous Russian government hacking groups, the cybersecurity firm Mandiant said Wednesday.

If confirmed, analysts say it would mark a worrisome escalation by Moscow in its attempts to disrupt critical U.S. infrastructure by targeting one of its weakest sectors: water utilities.

The hacking group, which private sector analysts once dubbed Sandworm, has achieved notoriety for briefly turning out the lights in parts of Ukraine at least three different times; hacking the Olympics Opening Games in South Korea in 2018; and launching NotPetya, one of the most damaging cyberattacks ever that cost businesses worldwide tens of billions of dollars.

Although no one was hurt and service was not interrupted in Muleshoe, the prospect of Sandworm broadening its sites from Ukrainian power grids and French elections to American critical infrastructure is troubling, Mandiant chief analyst John Hultquist said.

The U.S. government assesses Sandworm to be part of the GRU, Russia’s military spy agency.

The team at Mandiant, which is owned by Google, observed social media accounts being created on YouTube for CARR using servers associated with Sandworm, Hultquist said, adding that Mandiant also has found CARR posting Ukrainian government data stolen by Sandworm hackers on Telegram.

“We’ve been saying for a long time that CARR is just a front for the GRU,” Hultquist said. “Then we see them take credit for these acts in the U.S. against water utilities. Is GRU behind these attacks? If it isn’t GRU, whoever is doing this is working out of the same clubhouse. It’s too close for comfort.”

The U.S. intelligence community has not yet made a determination whether CARR is run by the GRU, although intelligence analysts are scouring clues.

Robert M. Lee, CEO and co-founder of Dragos, which specializes in industrial control system cybersecurity, said a team from his firm tracked CARR’s operations in January. He confirmed the water overflow in Muleshoe but could not specify whether this happened in other towns. “The adversary was definitely looking to do disruptions,” he said, noting that the trend over the last several years has been for state actors to seek to disrupt systems, whereas a decade ago, they were interested mostly in espionage.

Another target was the nearby town of Abernathy. The city’s manager, Don Provost, said in an interview that the hack “didn’t interrupt anything.” The FBI and Department of Homeland Security got in touch quickly, he said.

“It actually turned out to be a good thing,” he said. “It showed us where our vulnerabilities were.”

In an interview, Muleshoe’s city manager, Ramon Sanchez, said the hackers brute-forced the password for the system’s control system interface, which was run by a vendor. That password hadn’t been changed in more than a decade, he admitted.

“You don’t think that’s going to happen to you. It’s always going to happen to the other guy,” he said.

The same vendor was used by at least two other towns in the area that were subjected to attempted hacks, Sanchez said.

But the incident also forced changes. “We learned,” Sanchez said. “The biggest lesson is that we have to always be proactive and always update our cybersecurity.”

He thinks Muleshoe was a “victim of opportunity,” adding: “I would have never thought that somebody tied to the Russian military would target Muleshoe.”

Aaron Schaffer contributed to this report.

Inside the industry

Microsoft invests in Arabic AI firm as U.S. tries to limit China’s sway (By Aaron Gregg and Cat Zakrzewski)

AI is creating an influx of child sex abuse images, data shows (Forbes)

Former OpenAI board member calls for audits of top AI companies (Bloomberg News)

Zuckerberg wins bid to avoid personal liability in addiction lawsuits (The Hill)

Musk’s X retreats, pledging to comply with Brazil court orders (Bloomberg News)

Privacy monitor

Some ex-TikTok employees say the social media service worked closely with its China-based parent despite claims of independence (Fortune)

Workforce report

Amazon HQ2 was supposed to add jobs last year. It shed them instead. (By Teo Armus)

Google workers stage sit-ins to protest company’s work with Israel (By Gerrit De Vynck and Caroline O’Donovan)

Mentions

Daybook

The House Energy and Commerce Committee holds a hearing, “Legislative Solutions to Protect Kids Online and Ensure Americans’ Data Privacy Rights,” Wednesday at 10 a.m.
Semafor hosts its World Economy Summit event Wednesday and Thursday at Gallup’s Great Hall and the Mellon Auditorium.

Before you log off

That’s all for today — thank you so much for joining us! Make sure to tell others to subscribe to The Technology 202 here. Get in touch with Cristiano (via email or social media) and Will (via email or social media) for tips, feedback or greetings!

Tex. hack may be first disruption of U.S. water system by Russia