{
	"id": "57a3a081-5937-412e-aeaf-e3977fb33d02",
	"created_at": "2026-04-06T01:30:19.249681Z",
	"updated_at": "2026-04-10T13:12:11.669984Z",
	"deleted_at": null,
	"sha1_hash": "5268f0845353fe585fa675bf0372a4055664f140",
	"title": "Compromise of U.S. Water Treatment Facility | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52317,
	"plain_text": "Compromise of U.S. Water Treatment Facility | CISA\r\nPublished: 2021-02-12 · Archived: 2026-04-06 00:30:00 UTC\r\nSummary\r\nOn February 5, 2021, unidentified cyber actors obtained unauthorized access to the supervisory control and data\r\nacquisition (SCADA) system at a U.S. drinking water treatment facility. The unidentified actors used the SCADA\r\nsystem’s software to increase the amount of sodium hydroxide, also known as lye, a caustic chemical, as part of\r\nthe water treatment process. Water treatment plant personnel immediately noticed the change in dosing amounts\r\nand corrected the issue before the SCADA system’s software detected the manipulation and alarmed due to the\r\nunauthorized change. As a result, the water treatment process remained unaffected and continued to operate as\r\nnormal. The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor\r\npassword security, and an outdated operating system. Early information indicates it is possible that a desktop\r\nsharing software, such as TeamViewer, may have been used to gain unauthorized access to the system, although\r\nthis cannot be confirmed at present date. Onsite response to the incident included Pinellas County Sheriff Office\r\n(PCSO), U.S. Secret Service (USSS), and the Federal Bureau of Investigation (FBI). Through the course of the\r\ninvestigation, the FBI was not able to confirm that this incident was initiated by a targeted cyber intrusion.\r\nThe FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency\r\n(EPA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have observed cyber criminals\r\ntargeting and exploiting desktop sharing software and computer networks running operating systems with end of\r\nlife status to gain unauthorized access to systems. 
Desktop sharing software, which has multiple legitimate uses—\r\nsuch as enabling telework, remote technical support, and file transfers—can also be exploited through malicious\r\nactors’ use of social engineering tactics and other illicit measures. Windows 7 will become more susceptible to\r\nexploitation due to lack of security updates and the discovery of new vulnerabilities. Microsoft and other industry\r\nprofessionals strongly recommend upgrading computer systems to an actively supported operating system.\r\nContinuing to use any operating system within an enterprise beyond the end of life status may provide cyber\r\ncriminals access into computer systems.\r\nTechnical Details\r\nDesktop Sharing Software\r\nThe FBI, CISA, EPA, and MS-ISAC have observed corrupt insiders and outside cyber actors using desktop\r\nsharing software to victimize targets in a range of organizations, including those in the critical infrastructure\r\nsectors. In addition to adjusting system operations, cyber actors also use the following techniques:\r\nUse access granted by desktop sharing software to perform fraudulent wire transfers.\r\nInject malicious code that allows the cyber actors to\r\nHide desktop sharing software windows,\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa21-042a\r\nPage 1 of 4\n\nProtect malicious files from being detected, and\r\nControl desktop sharing software startup parameters to obfuscate their activity.\r\nMove laterally across a network to increase the scope of activity.\r\nTeamViewer, a desktop sharing software, is a legitimate popular tool that has been exploited by cyber actors\r\nengaged in targeted social engineering attacks, as well as large scale, indiscriminate phishing campaigns. 
Desktop\r\nsharing software can also be used by employees with vindictive and/or larcenous motivations against employers.\r\nBeyond its legitimate uses, when proper security measures aren’t followed, remote access tools may be used to\r\nexercise remote control over computer systems and drop files onto victim computers, making it functionally\r\nsimilar to Remote Access Trojans (RATs). TeamViewer’s legitimate use, however, makes anomalous activity less\r\nsuspicious to end users and system administrators compared to RATs.\r\nWindows 7 End of Life\r\nOn January 14, 2020, Microsoft ended support for the Windows 7 operating system, which includes security\r\nupdates and technical support unless certain customers purchased an Extended Security Update (ESU) plan. The\r\nESU plan is paid per-device and available for Windows 7 Professional and Enterprise versions, with an increasing\r\nprice the longer a customer continues use. Microsoft will only offer the ESU plan until January 2023. Continued\r\nuse of Windows 7 increases the risk of cyber actor exploitation of a computer system.\r\nCyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop\r\nProtocol (RDP) exploits. Microsoft released an emergency patch for its older operating systems, including\r\nWindows 7, after an information security researcher discovered an RDP vulnerability in May 2019. Since the end\r\nof July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the\r\nvulnerability. Cyber actors often use misconfigured or improperly secured RDP access controls to conduct\r\ncyberattacks. 
The xDedic Marketplace, taken down by law enforcement in 2019, flourished by compromising\r\nRDP vulnerabilities around the world.\r\nMitigations\r\nGeneral Recommendations\r\nThe following cyber hygiene measures may help protect against the aforementioned scheme:\r\nUpdate to the latest version of the operating system (e.g., Windows 10).\r\nUse multiple-factor authentication.\r\nUse strong passwords to protect Remote Desktop Protocol (RDP) credentials.\r\nEnsure anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.\r\nAudit network configurations and isolate computer systems that cannot be updated.\r\nAudit your network for systems using RDP, closing unused RDP ports, applying multiple-factor\r\nauthentication wherever possible, and logging RDP login attempts.\r\nAudit logs for all remote connection protocols.\r\nTrain users to identify and report attempts at social engineering.\r\nIdentify and suspend access of users exhibiting unusual activity.\r\nWater and Wastewater Systems Security Recommendations\r\nThe following physical security measures serve as additional protective measures:\r\nInstall independent cyber-physical safety systems. These are systems that physically prevent dangerous\r\nconditions from occurring if the control system is compromised by a threat actor.\r\nExamples of cyber-physical safety system controls include:\r\nSize of the chemical pump\r\nSize of the chemical reservoir\r\nGearing on valves\r\nPressure switches, etc.\r\nThe benefit of these types of controls in the water sector is that smaller systems, with limited cybersecurity\r\ncapability, can assess their system from a worst-case scenario. The operators can take physical steps to limit the\r\ndamage. 
If, for example, cyber actors gain control of a sodium hydroxide pump, they will be unable to raise the\r\npH to dangerous levels.\r\nRemote Control Software Recommendations\r\nFor a more secured implementation of TeamViewer software:\r\nDo not use unattended access features, such as “Start TeamViewer with Windows” and “Grant easy\r\naccess.”\r\nConfigure TeamViewer service to “manual start,” so that the application and associated background\r\nservices are stopped when not in use.\r\nSet random passwords to generate 10-character alphanumeric passwords.\r\nIf using personal passwords, utilize complex rotating passwords of varying lengths. Note: TeamViewer\r\nallows users to change connection passwords for each new session. If an end user chooses this option,\r\nnever save connection passwords as an option as they can be leveraged for persistence.\r\nWhen configuring access control for a host, utilize custom settings to tier the access a remote party may\r\nattempt to acquire.\r\nRequire remote party to receive confirmation from the host to gain any access other than “view only.”\r\nDoing so will ensure that, if an unauthorized party is able to connect via TeamViewer, they will only see a\r\nlocked screen and will not have keyboard control.\r\nUtilize the ‘Block and Allow’ list which enables a user to control which other organizational users of\r\nTeamViewer may request access to the system. This list can also be used to block users suspected of\r\nunauthorized access.\r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact\r\nyour local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855)\r\n292-3937 or by e-mail at CyWatch@fbi.gov or your local WMD Coordinator. 
When available, please include\r\nthe following information regarding the incident: date, time, and location of the incident; type of activity; number\r\nof people affected; type of equipment used for the activity; the name of the submitting company or organization;\r\nand a designated point of contact.\r\nTo request incident response resources or technical assistance related to these threats, contact CISA at\r\nCentral@cisa.dhs.gov .\r\nRevisions\r\nFebruary 11, 2021: Initial Version|February 12, 2021: Update to PDF File\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa21-042a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/aa21-042a"
	],
	"report_names": [
		"aa21-042a"
	],
	"threat_actors": [
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoo",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439019,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5268f0845353fe585fa675bf0372a4055664f140.pdf",
		"text": "https://archive.orkl.eu/5268f0845353fe585fa675bf0372a4055664f140.txt",
		"img": "https://archive.orkl.eu/5268f0845353fe585fa675bf0372a4055664f140.jpg"
	}
}