The public learned this week of an alarming cybersecurity incident that could have physically harmed people: Someone managed to access a system that controlled a Florida city’s water treatment plant, temporarily adjusting sodium hydroxide levels to amounts that could have made the population sick had the chemicals been introduced into the water supply. While city officials caught the action and reversed it within minutes, further reporting has shown the plant had an austere cybersecurity profile that is sadly familiar for public-sector organizations: use of outdated operating systems, disregard for best practices, and lack of a budget to support any real upgrade or staff additions.

The actors in the cybercriminal underground understand that profile fits thousands of enterprises around the world, which gives them a rich target to set their sights on. Within the last year, Intel 471 has seen financially-motivated actors attempt to sell access to SCADA systems tied to water treatment plants. In May 2020, we observed a likely Iranian actor attempt to sell access to a U.S. “hydroelectric power plant.” Further investigation found that what the actor was actually advertising was access to a water treatment plant in Florida, via a virtual network computing (VNC) permission that granted system access to a “Groundwater Recovery & Treatment System.” Additionally, one screenshot showed levels and controls for a sodium hydroxide pump.

To be clear: Although Intel 471 could not definitively confirm or deny a link between the access offered by the actor and the Oldsmar, Florida incident, there was no information that directly tied the two events together at the time this report was published.

The actor shared this information in a Telegram channel that is known for cyberattacks and account cracking. It’s the same channel that has been tied to a December 2020 incident where actors allegedly had access to an unprotected human-machine interface (HMI) system at an Israeli water reservoir.

Although threat actors do not often openly discuss this type of activity, there are those who seek to target ICS or SCADA systems in order to build credibility in the cybercriminal underground. Actors with even a rudimentary understanding of how to use Shodan, a search engine designed to find internet-connected systems, or where to find stolen or default credentials can obtain access to industrial control systems that could lead to incidents like what happened in Oldsmar, Florida.

Internet-connected systems like those that power critical infrastructure sectors are not regarded as a primary target for financially-motivated criminals. However, actors are always refining their methods to find a way to make as much money as possible and boost their reputation and notoriety in the cybercrime ecosystem. Given the wide amount of poorly-guarded systems connected to the internet, it is not without reason to suggest it’s only a matter of time before someone on the cybercriminal underground turns ICS system access to a lucrative pipeline.