U.S. Water and Wastewater Systems Cyber Breach

The Cybersecurity and Infrastructure Agency (CISA) released an alert about an ongoing cyber threat to U.S. Water and Wastewater Systems (WWS), highlighting five incidents that occurred between March 2019 and August 2021. These facilities manage and provide clean water to communities around the country. The alert comes just a few days after the U.S. Homeland Security Secretary explained that attacks like these can ultimately pose risks to U.S. citizens’ health and safety.

Breach Overview

A joint breach report by CISA, FBI, EPA, and NSA said this activity involves efforts to compromise system integrity through unauthorized access. The malicious actors took two routes into WWS systems: spear-phishing, and exploiting outdated or unpatched operating systems (OS) and software.

The report also detailed the five different cyber attacks from 2019 to early 2021 targeting the WWS Sector:

  • A former employee at a Kansas-based WWS facility attempted to remotely access a facility computer in March 2019 using credentials that hadn’t been revoked
  • Compromise of files and potential Makop ransomware observed at a New Jersey-based WWS facility in September 2020
  • An unknown ransomware variant deployed against a Nevada-based WWS facility in March 2021
  • ZuCaNo ransomware introduced onto a Maine-based WWS facility’s wastewater SCADA computer in July 2021
  • A Ghost ransomware attack against a California-based WWS facility in August 2021

What Are These Attacks and What Can I Do?

Spear Phishing

Spear-phishing is a form of phishing attack that targets a specific person or organization, seeking access to sensitive information. Like ordinary phishing, it relies on a spoofed email, but the message is sent to a specific target whom the attacker has researched online and is written with content unique to that individual. Whaling is similar to spear-phishing but targets high-ranking executives in an attempt to gain access to their privileged data.

What To Do?

Phishing attacks are among the easiest threats to train your employees to spot and avoid. Follow these best practices to reduce your likelihood of being breached by a spear-phishing attack.

  1. Train your employees on how to spot, avoid and delete phishing attacks
  2. Test your employees with Phish Testing attacks; re-train those that fail in your tests
  3. Purchase a Password Manager and train your employees on how to use it. If you visit a phishing website and try to enter your password credentials using a Password Manager, you will NOT be able to. Employees who reuse passwords will absolutely enter their credentials
  4. To protect the Internet from phishing attacks using your domain name, set up SPF, DKIM, and DMARC records to block the receipt of emails masquerading as your domain name
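
For item 4, the following added example (not from the original article) audits a domain's SPF and DMARC TXT records for settings that leave spoofed mail deliverable. The records are constructed samples for the placeholder domain example.com; DKIM is not checked because it requires the sender's selector, and treating `~all` as a finding is a strict policy choice assumed here.

```python
# Added example: audit SPF and DMARC TXT records for weak anti-spoofing policy.
# All records below are constructed samples for the placeholder example.com.

def parse_tags(record):
    """Split a DMARC-style 'k=v; k=v' record into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(record):
    """Return findings for an SPF record (None means nothing is published)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: any server may claim to send for this domain"]
    all_terms = [t for t in record.lower().split() if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return ["SPF has no 'all' mechanism: unlisted senders are not rejected"]
    # A bare 'all' carries the default '+' (pass) qualifier.
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "-":
        return []
    return [f"SPF ends in '{qualifier}all': use '-all' to fail unlisted senders"]

def audit_dmarc(record):
    """Return findings for a DMARC record (None means nothing is published)."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers get no policy for failing mail"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy or 'missing'}: spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC pct below 100: policy covers only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua address: no aggregate reports to review")
    return findings

def audit(records):
    return audit_spf(records.get("spf")) + audit_dmarc(records.get("dmarc"))

WEAK = {"spf": "v=spf1 include:_spf.example.com ~all", "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 include:_spf.example.com -all",
            "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(recs) or "no findings")
```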

Unpatched OS and Software

Patches (updates) are typically released to fix an issue with a device or software solution. Oftentimes, vendors release patches to address a critical security bug or vulnerability. Purchasing Commercial-Off-The-Shelf (COTS) software helps ensure a steady development cycle that includes patches for the software running your business. Just be aware that all software can go end-of-life and end-of-support, which means the software developer will no longer issue patches to fix problems. In these situations, you need to upgrade to a more current version of hardware or software to continue to receive patches for your IT infrastructure.

What To Do?

Every SMB should have a process for handling critical vulnerability alerts (patches) in order to quickly assess risk and make important, time-sensitive decisions on how to react. With a Vulnerability Alert Management Process (VAMP) in place, you have a clear guide for when to jump and how high to jump for a given vulnerability or exposure.

In order to stay up to date at all times, it’s important to deploy a cloud-based patch management solution to automatically update software whenever and wherever necessary. Most Managed Service Providers leverage one of the big three Remote Monitoring and Management (RMM) solutions (Connectwise, Datto, and Kaseya) for patching their managed systems. These RMM solutions also provide monitoring and remote access, in addition to tested and validated patching services, to their clients.

Standalone patch management solutions for companies not using the above-mentioned RMM solutions include ManageEngine and Automox.

Identity and Access Management

In one of the reported breaches, a terminated employee attempted access to a system containing their live account. Make sure you have robust onboarding and offboarding processes to grant and revoke access in a timely fashion. Pair these with a quarterly audit process to ensure compliance. Add two-factor authentication and Single Sign-On (SSO) capabilities to your business to simplify compliance checks and improve overall security.
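
The quarterly audit described above can be reduced to a comparison of two exports, shown here as an added example that is not part of the original article. The HR list, the account export, the field names and every row are constructed for illustration.

```python
# Added example: offboarding audit. All names, fields and rows are constructed.
from datetime import date

# HR export: people who have left, mapped to their last working day.
TERMINATED = {"jdoe": date(2021, 1, 15), "asmith": date(2021, 3, 2)}

# Directory or remote-access export: one row per account.
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "mfa": False, "last_login": date(2021, 3, 20)},
    {"user": "asmith", "enabled": False, "mfa": True, "last_login": date(2021, 2, 27)},
    {"user": "bnguyen", "enabled": True, "mfa": False, "last_login": date(2021, 3, 30)},
    {"user": "clee", "enabled": True, "mfa": True, "last_login": date(2021, 3, 29)},
]

def audit_accounts(accounts, terminated):
    """Return (user, severity, reason) tuples for accounts that need action."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        left_on = terminated.get(user)
        if left_on is not None:
            # Former staff: the account must be disabled and must show no
            # activity after the last working day.
            if acct["enabled"]:
                findings.append((user, "CRITICAL", "account still enabled after termination"))
            if acct["last_login"] and acct["last_login"] > left_on:
                findings.append((user, "CRITICAL",
                                 f"login on {acct['last_login']} after leaving on {left_on}"))
        elif acct["enabled"] and not acct["mfa"]:
            # Current staff: flag accounts that rely on a password alone.
            findings.append((user, "WARN", "active account without two-factor authentication"))
    return findings

if __name__ == "__main__":
    for user, severity, reason in audit_accounts(ACCOUNTS, TERMINATED):
        print(f"{severity:8} {user:8} {reason}")
```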


Ransomware

Ransomware is a type of malicious software designed to block access to a computer system and, more importantly, the critical data it contains until a sum of money or ransom is paid, impacting data “Availability”. Recently, ransomware has developed to enable hackers to export the locked data to online storage sites and threaten to release it if the victim doesn’t pay the ransom, impacting data “Confidentiality”.

Attackers traditionally ask for payment in bitcoin. However, as seen in the Colonial Pipeline attacks, bitcoin payments are recorded on a public blockchain, which allowed the recovery of most of the bitcoin payment. Recent developments in ransomware see hackers shifting to “Monero Cryptocurrency payments” because the blockchain itself obfuscates the wallet address, transaction amount, and counter-party paid, giving the much stronger payment anonymity that bad actors need to protect their payments from recovery.

What To Do?

The best approach in defending against ransomware is as follows:

