{
	"id": "386e29f5-8c99-4fcd-aabd-98efc7364a85",
	"created_at": "2026-04-06T15:53:24.421416Z",
	"updated_at": "2026-04-10T03:30:47.820275Z",
	"deleted_at": null,
	"sha1_hash": "f4da7300223f5fcbd0c57c0e181d2c90d50d60fb",
	"title": "Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54495,
	"plain_text": "Recommendations Following the Oldsmar Water Treatment\r\nFacility Cyber Attack\r\nBy Ben Miller\r\nPublished: 2021-02-09 · Archived: 2026-04-06 15:38:03 UTC\r\nToday a press conference was held by the City of Oldsmar where they disclosed ‘the unlawful intrusion of the\r\nCity of Oldsmar’s water treatment system.’ The City of Oldsmar should be commended on their transparent\r\nbriefing and level of detail. The case is evolving and details are ongoing, but this blog is intended to share what’s\r\nknown currently with some defensive recommendations.\r\nDetails of What Happened\r\nIt has been publicly acknowledged that an operator machine had a remote access software package, TeamViewer, installed and accessible from the Internet. This led to manipulation of control set points for the dosing rate of Sodium\r\nHydroxide (NaOH) into the water. NaOH is a chemical often used in drinking water treatment to adjust pH\r\nand alkalinity. Although an important component of the drinking water treatment process, NaOH can be a\r\nhazardous chemical to water consumers if concentrations exist in excess of safe operating parameters.\r\nTypically, water systems are engineered with many safeguards to keep parameters within acceptable limits, not the\r\nleast of which is trained and licensed drinking water treatment operators. In this incident, the adversary raised the\r\nNaOH dose setpoint from its normal setting of 100 parts-per-million (ppm) to 11,100 ppm, thereby temporarily\r\nincreasing the amount of chemical being added to the water. It was reported that the water treatment operator on\r\nduty observed the mouse moving on the operating screen, making changes, and then exiting the system. It was\r\nalso reported that the operator identified the incident and restored the normal operating parameters fast enough\r\nthat pH monitoring alarms did not detect a level beyond acceptable parameters.\r\nHad the operator not observed the attacker actively manipulating the screen, it is possible that several other\r\nmechanisms in the water treatment plant control and monitoring system would have alerted plant staff to the\r\ncondition. However, it is also entirely possible that this action could have resulted in people getting sick or\r\npotentially even death. The control systems in modern water treatment plants use process instrumentation that\r\ncontinuously monitors water quality parameters (e.g. pH) to carefully control the addition of chemicals and provide\r\nreal-time alerts when those parameters go outside acceptable limits; these critical parameters are typically\r\nmonitored at multiple points throughout the treatment process and in the transmission and distribution systems.\r\nHowever, even these safeguards are not adversary-proof. As with all critical industrial processes, Dragos\r\nrecommends that organizations proactively monitor for several key events within their control systems, including\r\nchanges to setpoints of critical process parameters and changes to control logic, and disable the capability for remote\r\nedits to process control logic by default. Additionally, organizations should consider utilizing distinct safety\r\nsystems, isolated from the control network, to prevent incidents that could result in harm to personnel or the\r\npopulations dependent on their service.\r\nhttps://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/\r\nPage 1 of 3\n\nWhat Is TeamViewer?\r\nTeamViewer is a legitimate software package that is installed directly on a Windows host and allows for easy\r\nconnectivity from anywhere. Its ease of use has led to its increasing use in industrial environments and,\r\nwhile legitimate software, it may be unauthorized or rogue software.\r\nRemote access to industrial facilities can be architected safely. But the best architecture can also be circumvented\r\nwith unapproved software such as TeamViewer. This is where visibility into what software, vulnerabilities, and\r\nbehaviors are present in your industrial environments is necessary.\r\nIf you don’t have OT visibility software (such as the Dragos Platform), you can manually assess whether TeamViewer is\r\nin your environment.\r\nTeamViewer, by default, uses both TCP/5938 and UDP/5938 to establish connections with TeamViewer’s infrastructure. If\r\nthose are blocked by a firewall or other perimeter system, TeamViewer falls back to TCP/443 and then TCP/80\r\n(commonly used for HTTPS and HTTP traffic). These connections are managed by TeamViewer’s cloud\r\nenvironment and will resolve hosts under *.teamviewer.com (the Dragos team looks for the specific hosts\r\nmasterN.teamviewer.com, pingN.teamviewer.com, or server.teamviewer.com, where N is a one- or two-digit\r\nnumber, such as master9.teamviewer.com or router15.teamviewer.com).\r\nManually identify software installed on hosts, particularly those critical to the industrial environment, such\r\nas operator workstations, looking for remote access tools such as TeamViewer or VNC. Assessing this on a host-by-host basis may not be\r\npractical, but it is comprehensive.\r\nBeyond host data, there are a variety of network traffic sources to help identify TeamViewer. Most\r\nenvironments are not configured with centralized logging, so this can be a manual process. We\r\nrecommend:\r\nUse DNS logging to identify outbound DNS resolution to *.teamviewer.com.\r\nEncrypted communications to teamviewer.com will present an X.509 certificate for *.teamviewer.com.\r\nUse perimeter logging or other network logging to identify external communications via TCP/5938\r\nand UDP/5938.\r\nTalk to the operations staff or IT staff at the site to determine if other remote software tools, such as\r\nvirtual private networks, are used. If so, perform searches for those tools and, where possible, utilize\r\nmulti-factor authentication on remote connections.\r\nFrom a prevention perspective, blocking these communications, and all egress communications that are not\r\nexplicitly approved, will prevent remote access solutions like TeamViewer. However, ensure that you talk\r\nwith plant personnel before doing this, and after blocking any connections be available to reverse the\r\nchanges if something was necessary that they did not know about.\r\nArchitecting Secure Remote Access for OT/ICS\r\nIn March of 2020, in recognition of the early days of the global pandemic, we released a blog focusing on secure\r\nremote access titled A Matter of Trust: Remote Access for ICS. All of the recommendations in that post still apply\r\ntoday and are relevant:\r\nEngineering and OT teams should evaluate what systems can leverage remote access.\r\nRemote access requirements should be determined, including what IP addresses, what communication\r\ntypes, and what processes can be monitored. All others should be disabled by default. Remote access\r\nincluding process control should be limited as much as possible.\r\nUser-initiated access should require multi-factor authentication from the Internet to a DMZ with a\r\ndedicated jump host for ICS-specific communications. This system should leverage its own identity and\r\naccess management system.\r\nFrom the DMZ, after authentication, user-initiated remote access should follow a trusted path to the\r\nindustrial control system—where the user will authenticate again, this time using the local identity and\r\naccess management solution for the industrial control system.\r\nAll remote access communications should be logged and monitored. Various detection techniques could be\r\nimplemented on remote access systems, like looking for brute force attempts or specific exploits for known\r\nvulnerabilities—but only if logging and monitoring are used.\r\nBen Miller is Chief Information Security Officer (CISO) at Dragos, Inc. He leads a team of cybersecurity experts\r\ncharged with protecting the company’s technology environments, maintaining security vigilance of the company’s\r\nproduct and service offerings, and providing subject matter expertise to partners and clients.\r\nSource: https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/"
	],
	"report_names": [
		"recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoo",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490804,
	"ts_updated_at": 1775791847,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4da7300223f5fcbd0c57c0e181d2c90d50d60fb.pdf",
		"text": "https://archive.orkl.eu/f4da7300223f5fcbd0c57c0e181d2c90d50d60fb.txt",
		"img": "https://archive.orkl.eu/f4da7300223f5fcbd0c57c0e181d2c90d50d60fb.jpg"
	}
}