Probe Into Florida Water Plant Hack Led to Discovery of Watering Hole Attack
Security News, May 2021
An investigation conducted by industrial cybersecurity firm Dragos into the recent cyberattack on the water treatment plant in Oldsmar, Florida, led to the discovery of a watering hole attack that initially appeared to be aimed at water utilities.
While investigating the incident, Dragos' threat hunters noticed that the website of a Florida water infrastructure construction company had been compromised and set up to serve as a watering hole.
This appeared to indicate that the watering hole was set up as part of a targeted attack aimed at the water sector in the U.S. Interestingly, just hours before the Oldsmar water plant was hacked, someone from the facility also accessed the watering hole.
An analysis of the code used in the watering hole attack led investigators to a cybercrime website named DarkTeam Store. One section of that site received connections from computers infected with a piece of malware named Tofsee, specifically a variant tracked by Dragos as Tesseract.
The company also noted, "We do not understand why the adversary chose this specific Florida water construction company site to compromise and to host their code. Interestingly, and unlike other watering hole attacks, the code did not deliver exploits or attempt to achieve access to victim computers. It is possible the actor believed that the water infrastructure construction website would allow more dwell time to collect data important for the actor's objectives, than perhaps a busier but more closely monitored website with a dedicated security team."
Dragos pointed out that even though the watering hole attack did not appear to be directly aimed at the water industry, the incident does highlight the importance of controlling access to untrusted sites, particularly in the case of OT and ICS environments.