Tiny Texas City Repels Russia-Tied Hackers Eyeing Water System

Hackers, potentially linked to nation-states like Russia, Iran, and China, targeted water utilities in remote Texas communities.

Bloomberg News

April 19, 2024


(Bloomberg) -- When Mike Cypert got the call that utilities in remote Texas communities were being hacked, he raced across his office to unplug the computer that ran his city’s water system.

Hale Center is a dusty, cotton-growing burg of 2,000 about five hours drive northwest of Dallas. After the alert from a software vendor in January, Cypert, the city manager, said he found thousands of attempts to breach Hale Center’s firewall, some coming from an internet address that traced back to St. Petersburg, Russia.

Within minutes of the discovery, Cypert said he reported the episode to agents from the FBI and US Department of Homeland Security, who were already looking into related incidents in nearby Texas towns. One of the hacks caused a water tank in another city to overflow.

The attacks in Texas are the latest example of hackers — some of them tied to US adversaries — targeting America’s sprawling network of water utilities. In November, an Iranian-backed group attacked Israeli-made digital controls commonly used in the water and wastewater industries in the US, affecting organizations across several states. That same month, the North Texas Municipal Water District, which supplies water to more than 2 million customers, was the victim of a ransomware attack.


Chinese state-sponsored hackers also attacked a water utility in Hawaii, the Washington Post reported in December.

“The water sector is poorly resourced and is under siege from three fronts. This is now Iran, China and Russia,” said John Hultquist, chief analyst at Mandiant Intelligence. 

A spokesperson for the FBI declined to comment. The Department of Homeland Security didn’t immediately respond to a request for comment.

Researchers at Mandiant, a unit of Google Cloud, found potential connections between the attacks on water utilities in Texas and one of Russia’s most notorious hacking groups, known as Sandworm. The group has been accused of repeatedly turning out the lights in Ukraine and of hacking the opening of the 2018 Olympic Games in South Korea. The US government says it is part of Russia’s military spy agency, but the ties between Sandworm and the Texas attacks are less than certain. “We’ve never seen them cross the line in the US like this before,” Hultquist said.

Among the other victims of the recent hacks was the city of Muleshoe, a 5,000-person community in northwest Texas. A resident called the city on January 18 to report a water tank overflowing. City staff found that they’d largely lost control of the system, took it offline and called the company that provides Muleshoe’s industrial control software, City Manager Ramon Sanchez said at a public meeting the next month that was covered by the Plainview Herald. The vendor told city officials that other area communities were seeing similar problems, Sanchez said at the meeting.

Sanchez didn’t respond to messages seeking comment. 

That same day, a social media account called “CyberArmyofRussia_Reborn” posted a video that appears to show hackers manipulating Muleshoe’s industrial control system. Mandiant and other cybersecurity researchers believe Sandworm created and controls CyberArmyofRussia_Reborn, which Hultquist described as a hacktivist persona. It’s possible that other cyber attackers are using its platforms, he said.

Andy Bennett, the chief technology officer of cybersecurity firm Apollo Information Systems, said there are various reasons why hackers might target small-town water systems. They could provide a “testing ground” for hacking tools intended for bigger targets, he said, or give foreign countries a way to scare Americans. 

“Small-town America feels safe,” said Bennett, a former cybersecurity official for the state of Texas, “and if the water supply is in jeopardy, it undoes that.”

US intelligence officials are still debating whether Sandworm was involved in the Texas water utility breaches, according to people familiar with the situation who didn’t want to be named due to the sensitivities.

The Russian Embassy in Washington declined to comment. 

US officials are especially worried about attacks by nation-state hackers on critical sectors of the US economy, like defense, dams, energy, financial services and water systems. Last year, the Environmental Protection Agency dropped plans to require states to assess water facilities’ cyber defenses. Republican lawmakers in three states called the oversight illegal, accusing the EPA of overreach. The White House said it would work with Congress to beef up the environmental watchdog’s authority.

The attacks on Texas utilities targeted at least two other communities. In Abernathy, hackers entered through a virtual network connection, but city staff caught them within 30 seconds and cut off the attackers as they were trying to change passwords, City Manager Donald Provost told Bloomberg News. Lockney’s city manager, Buster Poling, Jr., said his staff also caught the attack early and that it “really did not affect the city.”

Hale Center’s Cypert said he learned that other towns had been attacked when the city’s industrial control software vendor called telling them to “lock down.” Hale Center uses the same vendor as Muleshoe and a handful of other area communities, he said. 

When the warning came in, Cypert said he rushed to unplug the ethernet cable from the computer that operates the water system. Hale Center wasn’t breached, but Cypert said in reviewing its security, the city’s IT contractor found what appeared to be a brute force attempt to crack Hale Center’s firewall — 37,000 tries in four days.

The attempts on Hale Center’s firewall came from IP addresses around the world but one was repeated over and over, Cypert said. The investigation traced it back to St. Petersburg and the city’s industrial control vendor, Morgeson Consulting in Lubbock, quickly got Cypert on a conference call with FBI agents already investigating the Muleshoe attack, he said. 

Morgeson Consulting’s owner didn’t immediately respond to an email seeking comment.

Cypert said he later sent the FBI data from the attempts on its firewall. The city’s IT contractor, Ben Warren, also walked the investigators through some of the technical details, he said. The agents were impressed by Warren’s technical acumen and offered the city manager a piece of advice, Cypert recalled.

“Hang on to him,” they said, referring to Warren.
