Confusion Center: Feds Now Say Hacker Didn’t Destroy Water Pump

A report from an Illinois intelligence fusion center saying that a water utility was hacked cannot be substantiated, according to an announcement released Tuesday by the Department of Homeland Security.

Additionally, the department disputes assertions in the fusion center report that an infrastructure-control software vendor was hacked prior to the water utility intrusion in order to obtain user names and passwords to break into the utility company and destroy a water pump.

The DHS notice, released late Tuesday, asserts that information released by the Illinois Statewide Terrorism and Intelligence Center earlier this month about the water pump was based on raw and unconfirmed data, implying that it should never have been made public.

But Joe Weiss, a control system expert who first reported the information from the fusion report, is skeptical of the new claim by the government that the report was all wrong.

“This smells to high holy heaven, because when you look at the Illinois report, nowhere was the word preliminary ever used,” Weiss said, noting that the fusion center — which is composed of Illinois state police, as well as representatives from the FBI and DHS — distributed the report to other critical infrastructure facilities in that state. “It was just laying out facts. How do the facts all of a sudden all fall apart?”

On Nov. 10 the Illinois fusion center released a report titled “Public Water District Cyber Intrusion” disclosing that someone had hacked into an unidentified water utility company, taken control of its Supervisory Control and Data Acquisition System (SCADA) and turned it on and off repeatedly, resulting in the burnout of a water pump.

The facility, later identified by reporters as the Curran-Gardner Township Public Water District, discovered the breach on Nov. 8. According to the unusually detailed fusion report, forensic evidence indicated that the hackers might have been in the system as early as September, and that they launched their attack from IP addresses based in Russia.

The report also asserted that the intruders gained access to the utility’s SCADA system by first hacking into the network of a software vendor that makes the SCADA system used by the utility. The hackers stole usernames and passwords that the vendor maintained for its customers, and then used those credentials to gain remote access to the utility’s network.

“It is unknown, at this time, the number of SCADA usernames and passwords acquired from the software company’s database and if any additional SCADA systems have been attacked as a result of this theft,” the report stated, according to Weiss, managing partner of Applied Control Solutions, who obtained a copy of the document and read it to reporters last week.

The fusion report also indicated that the hack into the utility system shared a similarity to a recent hack into an MIT server last June that was used to launch attacks on other systems. In both cases, the intrusions involved PHPMyAdmin, a front-end tool used to manage databases. The MIT server was used to search for systems that were using vulnerable versions of PHPMyAdmin that could then be attacked. In the case of the water utility in Illinois, the fusion report said that the company’s log files contained references to PHPMyAdmin, but didn’t elaborate.
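The fusion report, as described above, did not say what the "references to PHPMyAdmin" in the utility's logs looked like, and a defender triaging a similar report would want to distinguish background scanning for phpMyAdmin installs from a successful login to a live instance. The following is an added example, not code from the article, the fusion center, or DHS: a small Python script that parses web server access-log lines in the common combined format, picks out requests that touch phpMyAdmin-style paths, and labels each source address as a probe (several distinct admin paths tried, all returning 404) or as real access (a live page reached, which should be checked against the list of known administrators). The log lines and addresses are constructed for the example and the path list is an assumption about what scanners typically try.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format. These are NOT the
# utility's logs (the fusion report did not publish them); addresses are from
# documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2011:03:14:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2011:03:14:02 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2011:03:14:02 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2011:03:14:03 +0000] "GET /myadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Sep/2011:09:00:00 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Sep/2011:09:00:05 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2011:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed list of path fragments that scanners commonly try when looking for
# phpMyAdmin installations; extend it to match your own deployment.
PMA_PATTERN = re.compile(r'/(phpmyadmin|pma|myadmin|mysqladmin)\b', re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def find_pma_references(log_text):
    """Summarise, per source IP, every request whose path references phpMyAdmin."""
    per_ip = defaultdict(lambda: {'paths': set(), 'hits': 0, 'misses': 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not PMA_PATTERN.search(rec['path']):
            continue
        entry = per_ip[rec['ip']]
        entry['paths'].add(rec['path'])
        if rec['status'] == 404:
            entry['misses'] += 1      # guessed a path that does not exist here
        else:
            entry['hits'] += 1        # reached something that answered
    return per_ip


def classify(per_ip, probe_threshold=3):
    """Label each source: 'access' if it reached a live phpMyAdmin page (verify
    the address against known administrators), 'probe' if it only guessed at
    several distinct admin paths and got 404s, otherwise 'low'."""
    verdicts = {}
    for ip, entry in per_ip.items():
        if entry['hits'] > 0:
            verdicts[ip] = 'access'
        elif len(entry['paths']) >= probe_threshold:
            verdicts[ip] = 'probe'
        else:
            verdicts[ip] = 'low'
    return verdicts


if __name__ == "__main__":
    summary = find_pma_references(SAMPLE_LOG)
    for ip, verdict in classify(summary).items():
        e = summary[ip]
        print(f"{ip}: {verdict} ({len(e['paths'])} paths, "
              f"{e['hits']} answered, {e['misses']} not found)")
```

Run against a real access log, the 'access' verdicts are the lines worth pursuing: a phpMyAdmin login from an address that is not a known administrator is exactly the kind of evidence that would have settled the question of whether credentials were misused, whereas 'probe' traffic is the routine internet background noise that a raw report can easily mistake for a targeted intrusion.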

But now the federal government says the fusion center was confused.

After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.

There is no evidence to support claims made in the initial Fusion Center report — which was based on raw, unconfirmed data and subsequently leaked to the media — that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported.

Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.

Efforts to obtain comment from the fusion center in Illinois were unsuccessful. An analyst at the center said the center had no one in place to speak with reporters and referred inquiries to the FBI office in Springfield, Illinois. But FBI spokesman Bradley Ware said he could not speak for the fusion center, and referred calls back to the center. A second analyst at the center said he would pass questions to Master Sergeant Kelly Walter, who did not respond to the inquiry from Threat Level.

Weiss expressed frustration over the conflicting reports.

“There’s a lot of black and white stuff in that report,” he said. “Either there is or there isn’t a Russian IP address in there. It’s hard to miss that. This stuff about the vendor being hacked…. How can two government agencies be so at odds at what’s going on here? Did the fusion center screw up, or is the fusion center being thrown under the bus?”

Photo: Darwin70 / Flickr