Attackers hacked regional Queensland water supplier Sunwater which went undetected for nine months, the state’s Auditor General has revealed.
In a report published last week, the Auditor General was critical of security weaknesses among Queensland’s water entities and described a breach that resulted in “unauthorised access to an entity’s web server” between August 2020 and May 2021.
The result, fortunately, wasn’t a ransomware event or the theft of critical information.
Instead, the attackers used Sunwater’s network to run a view bot that directed web traffic to boost views on a YouTube video.
While the state’s audit office didn’t name the entity, the ABC soon discovered the water supplier involved in the incident: Sunwater.
A spokesperson for the company, which operates and manages 20 dams in regional Queensland, said it takes cyber security “very seriously”.
“In August 2020, unauthorised access occurred relating to an online content management system,” the spokesperson said in a statement to Information Age.
“Sunwater took immediate steps to improve system security once it became aware of the issue. No financial or customer data was accessed or compromised.”
The importance of cyber security is not lost on Queensland’s Auditor General whose only recommendation in its report into the state’s water suppliers was to shore up their systems.
“This was one of our three recommendations in [last year’s report] and has become even more important this year as several entities have introduced new systems and there has been a recent cyber breach in one of the water entities,” the Auditor General said.
“We continue to identify significant control weaknesses in the security of information systems. All entites must have strong security practices to protect against fraud or error and significant reputational damage.”
Andrew Kay, Director of Systems Engineering at cyber security firm Illumio said the attack was typical in that it saw hackers breach a vulnerable legacy system.
“Whilst no critical data was stolen in this instance, perhaps a more sophisticated bad actor would have exploited the weakness further,” he said.
“The solution to attacks like these isn't to pretend that we will be able to keep every single attack out of the network every time – it’s simply no longer possible.
“We must move towards Zero Trust strategies, segmenting crucial data (like customer details) and implementing least privilege throughout the network so that attackers face additional barriers should they find a single weakness in the perimeter.”
Even though in Sunwater’s case the damage was minimal, effects of targeted campaigns against water suppliers could be catastrophic.
In February, a hacker used an overlooked TeamViewer instance to remotely increase the sodium hydroxide in the water supply of a city in Florida by more than 100 times the normal amount.
They were thankfully stopped by an operator who witnessed the attack but it served as a warning for the potentially poisonous effects of poor cyber security in water supply systems.
Just last month, the US Cybersecurity and Infrastructure Agency published an advisory warning of ongoing threats to the country’s water and wastewater systems, including three instances where water suppliers were hit by ransomware this year alone.