Cyber sabotage in California: Water in the city was in the hands of a hacker
The fired worker turned off the water treatment system for the entire city.
Rambler Gallo, a resident of Tracy, California, has been charged with maliciously damaging a computer after he allegedly intruded into the network of the Discovery Bay water treatment plant.
The treatment plant serves water and sewer systems for 15,000 residents of the city of Discovery Bay. Gallo was an employee of a private Massachusetts company (Company A) that contracted with Discovery Bay to operate the city’s wastewater treatment plant.
According to a press release issued by the US Department of Justice, Gallo deliberately uninstalled the plant’s main operating and monitoring software and then shut down the servers that ran those systems.
“The indictment alleges that, as an employee of Company A, Gallo installed software on his personal computer and on Company A’s private intranet that allowed him to remotely access the computer network of the Discovery Bay water treatment plant. Then, in January 2021, after Gallo left Company A, he allegedly accessed the station’s computer system remotely and gave the command to remove the software that was the main node of the station’s computer network and that protected the entire water treatment system, including pressure, filtration and chemical composition of water,” the Department of Justice said in a statement.
“Gallo’s indictment charges one count of transmitting a program, information, code, and command to damage a protected computer, pursuant to 18 USC §§ 1030(a)(5)(A) and (c)(4)(B)(i).”
Gallo faces up to 10 years in prison and a $250,000 fine, and the court can order additional supervised time, additional fines and damages if appropriate.
In March 2023, the Biden administration announced that it would make it mandatory for states to conduct cybersecurity audits of public water systems.
Water systems are critical infrastructure that is increasingly at risk of cyberattacks from both cybercriminal organizations and state actors, the US Environmental Protection Agency said. In June 2021, NBC News reported that attackers had attempted to compromise an unnamed water treatment plant serving the San Francisco Bay area; the attack occurred on January 15th. The hackers gained access to the plant’s systems using a former employee’s TeamViewer account and attempted to manipulate the software used to purify drinking water.
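Both the Discovery Bay case and the TeamViewer incident above share one root cause: a remote-access path that survived an employee’s departure. The following is an added illustration, not code from the article or from any of the utilities it names, of the control a defender would put in place: cross-checking a remote-access session log against HR off-boarding records and an inventory of hosts approved to run a remote-access client. The log format, account names, host names and dates are all constructed sample data.

```python
"""Flag remote-access sessions that off-boarding should have made impossible.

Added illustration (not from the article or any utility it mentions): a
session opened by a former employee's account, or from a host that is not in
the approved remote-access inventory, is reported. Every log line, account,
host and date below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed off-boarding records: account -> last day of employment (UTC).
# In practice this is exported from the HR system or identity provider.
TERMINATIONS = {
    "jdoe": datetime(2021, 1, 4, tzinfo=timezone.utc),
}

# Constructed inventory of hosts approved to run a remote-access client.
APPROVED_HOSTS = {"ops-laptop-01", "ops-laptop-02", "scada-eng-ws"}

# Constructed session log, one event per line:
# <ISO timestamp> <tool> user=<account> host=<source host> action=<event>
SAMPLE_LOG = """\
2021-01-03T14:02:11Z teamviewer user=jdoe host=ops-laptop-01 action=connect
2021-01-15T02:41:09Z teamviewer user=jdoe host=personal-pc action=connect
2021-01-15T02:44:30Z teamviewer user=jdoe host=personal-pc action=disconnect
2021-01-16T09:10:00Z teamviewer user=asmith host=ops-laptop-02 action=connect
2021-01-17T22:05:47Z anydesk user=asmith host=home-desktop action=connect
"""


@dataclass(frozen=True)
class Session:
    when: datetime
    tool: str
    user: str
    host: str
    action: str


def parse_log(text: str) -> list[Session]:
    """Parse the constructed log format into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tool, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        sessions.append(Session(when, tool, kv["user"], kv["host"], kv["action"]))
    return sessions


def find_violations(sessions, terminations=TERMINATIONS, approved=APPROVED_HOSTS):
    """Return (session, reason) pairs for connections that policy should have blocked.

    Only 'connect' events are judged; a disconnect carries no new information.
    A connection is flagged when the account's owner had already left, and
    separately when the client host is not in the approved inventory, so a
    single session can produce two findings.
    """
    findings = []
    for s in sessions:
        if s.action != "connect":
            continue
        left = terminations.get(s.user)
        if left is not None and s.when > left:
            findings.append((s, f"account {s.user} terminated {left.date()} still connecting"))
        if s.host not in approved:
            findings.append((s, f"remote-access client on unmanaged host {s.host}"))
    return findings


if __name__ == "__main__":
    for session, reason in find_violations(parse_log(SAMPLE_LOG)):
        print(f"{session.when.isoformat()} {session.tool} {session.user}@{session.host}: {reason}")
```

Run as a script, the sample data yields three findings: the former employee’s account connecting eleven days after the recorded last day, the same connection coming from an unmanaged personal machine, and a current employee using a second remote-access tool from an unmanaged host. The first two are exactly the conditions the incidents above describe; the check is only as good as the freshness of the termination export and the host inventory it is fed.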
In February 2021, Pinellas County Sheriff Bob Gualtieri reported an alarming scenario: an attacker had tried to increase the level of sodium hydroxide, also known as lye, by 100 times in Oldsmar’s water supply.
In March 2021, the U.S. Department of Justice indicted Wyatt A. Travnichek, of Ellsworth County, Kansas, for accessing and tampering with the Ellsworth County rural water computer system.
Travnichek accessed the public water supply system’s computer system on March 27, 2019 without permission. He had worked for Ellsworth County on the rural water supply for about a year, remotely monitoring the plant by accessing Post Rock’s computer system.
After gaining access to the public water supply, the man allegedly committed malicious acts that halted processes at the facility that affected cleaning and disinfection procedures.
In May 2021, WSSC Water suffered a ransomware attack targeting a portion of its network that runs non-essential business systems.
In October 2021, a joint cybersecurity bulletin published by the FBI, NSA, CISA, and the Environmental Protection Agency revealed three more ransomware attacks on US water and wastewater systems (WWS) facilities in 2021.
The attacks became publicly known and took place in March, July and August 2021, respectively. The three sites affected by ransomware operators are located in Nevada, Maine and California. In all of the attacks, ransomware encrypted files on infected systems, and in one of the security incidents, attackers compromised a system used to control industrial SCADA equipment.
Three incidents included in the bulletin:
- In August 2021, attackers used Ghost ransomware against a WWS facility in California. The ransomware variant was on the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
- In July 2021, cybercriminals used remote access to inject ZuCaNo ransomware into a wastewater SCADA computer at a WWS facility in Maine. The treatment system was operated manually until the SCADA computer was restored, with local control and more frequent operator rounds in the meantime.
- In March 2021, cybercriminals used an unknown variant of ransomware against a WWS facility in Nevada. The ransomware affected the victim’s SCADA system and backup systems. A SCADA system provides visibility and monitoring, but is not a complete Industrial Control System (ICS).