The Massachusetts Department of Environmental Protection said: "All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system."
New FBI alert on Oldsmar water treatment plant hack warns industry partners to be careful with remote desktop software and end-of-life Windows versions. pic.twitter.com/2f3mNMcbkj— Eric Geller (@ericgeller) February 10, 2021
Microsoft announced the end of support for Windows 7 on 14 January last year.
"Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed," the Massachusetts advisory added.
Gualtieri said on the second occasion, the attacker was in the system for about five minutes and changed the sodium hydroxide concentration from 100 parts per million to 11,100ppm.
Nothing wrong with using Yahoo! for SSO (though is MFA comes by rotary phone?), but there area some notable SSO providers missing there if you're doing SSO.— Jake Williams (@MalwareJake) February 9, 2021
Also, in January they're still displaying the office hours for the July 4th holiday.
I'm not shaming anyone here. 2/ pic.twitter.com/alfGC3gcCx
The Massachusetts advisory said the attackers had accessed the plant twice, about five hours apart and were able to operate the supervisory control and data acquisition system used by the plant.
"The unidentified actors accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process," the advisory said.
Like I think a lot of people were surprised the Oldsmar facility uses programs to let others remote in, but this should give you a sense of how big its staff is. pic.twitter.com/FVAe0tMpSJ— Kevin Collier (@kevincollier) February 9, 2021
The Associated Press quoted Lesley Carhart, the principal incident responder at Dragos, a security firm that specialises in dealing with the security of industrial control systems, as saying: "In the industry, we were all expecting this to happen. We have known for a long time that municipal water utilities are extremely under-funded and under-resourced, and that makes them a soft target for cyber attacks.
“I deal with a lot of municipal water utilities for small, medium and large-sized cities. And in a lot of cases, all of them have a very small IT staff. Some of them have no dedicated security staff at all."