Federal leaders have warned all 50 state governors of “disabling cyberattacks” targeting water and wastewater systems nationwide, reportedly perpetrated by Iranian and Chinese state actors.
The attacks have the potential “to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities,” Michael Regan, the Environmental Protection Agency administrator, and Jake Sullivan, the assistant to the president for National Security Affairs, warned.
Their warning came months after an Iranian government-linked group targeted a water authority in Pennsylvania because it was using Israeli-made technology, and after several municipal water districts in north Texas were the victims of ransomware attacks.
The warning also came after Russian cyber criminals last year stole the identities of millions of Americans whose information had been put into MOVEit software used by federal agencies and state agencies in Louisiana and Oregon. Maryland’s Johns Hopkins University and Georgia’s statewide university system, among others, were also hit by the Russian hackers, according to multiple news reports.
However, Regan and Sullivan identified “two recent and ongoing threats” posed by Iranian and Chinese cyberattacks targeting U.S. water systems. They said, “threat actors affiliated with the Iranian Government Islamic Revolutionary Guard Corps” have carried out malicious cyberattacks against U.S. critical infrastructure entities, including drinking water systems.
“In these attacks, IRGC-affiliated cyber actors targeted and disabled a common type of operational technology used at water facilities where the facility had neglected to change a default manufacturer password,” they warned.
They also said a People’s Republic of China state-sponsored cyber group, Volt Typhoon, has compromised information technology of multiple critical infrastructure systems, including drinking water in the U.S. and U.S. territories. Its “choice of targets and pattern of behavior are not consistent with traditional cyber espionage,” they warned, adding that “Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts.”
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency also published a report identifying in detail the strategies Volt Typhoon uses to target vulnerable systems, hack into them and steal information. It also offers ways for companies to prevent cyberattacks and mitigate damages.
According to a recent Congressional Research Service report, federal agencies have attributed 30% of cyberattack campaigns nationwide to actors operating on behalf of Russia, China, Iran and North Korea, and 30 to criminal actors seeking financial gain.
Among the several tactics identified in the report, North Korean agents have targeted companies using blockchain technologies; Russians have targeted defense contractors to steal weapons and vehicle research and spy on communications; Iranians have spied on and stolen data from private sector organizations and the telecommunications, defense, and energy sectors; and Chinese actors have targeted multiple companies and academic institutions to steal intellectual property and personal information.
Ransomware, malvertising, hacks and leaks, and money laundering were among the many crimes cited in the report.
Regan and Sullivan called on state governors and local government leaders to “comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident.”
They also pointed to resources made available through the EPA, CISA, the American Water Works Association, the National Rural Water Association, and the Water Information Sharing and Analysis Center.