
Florida city's water nearly poisoned in TeamViewer attack

The intruder briefly increased the quantity of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million before a water plant operator fixed it.

An unknown threat actor used TeamViewer with the intent of poisoning a Florida city's water supply last week, but officials said the attempted cyber attack was stopped before it could be completed.

A water treatment plant in Oldsmar, Fla., was breached via an "unlawful intrusion" on Friday, Pinellas County Sheriff Bob Gualtieri said in a press conference Monday evening.

"Water systems, like other public utility systems, are part of the nation's critical infrastructure and can be vulnerable targets when someone decides to adversely affect public safety," Gualtieri said.

According to Gualtieri, the earliest known breach was on Friday morning at approximately 8 a.m., when a plant operator at the Oldsmar water treatment facility "noticed that someone remotely accessed the computer system that he was monitoring."

This computer system, which "controls the chemicals and other operations at the water treatment plant," had remote access software installed, Gualtieri said. Reuters first reported the software was TeamViewer, which is used to troubleshoot IT issues remotely. A Pinellas County Sheriff's Office spokesperson confirmed the software used was TeamViewer in an email to SearchSecurity.

Gualtieri said the operator noticed the initial access and did not think much of it because supervisors regularly use the software to monitor the computer system as needed. However, a second instance of remote access occurred at 1:30 p.m., during which "someone again remotely accessed the computer system and it showed up on the operator's screen with a mouse being moved about to open various software functions that control the water being treated in the system," Gualtieri said.

During the three- to five-minute attack, multiple functions were opened, he said, including a system that controls the amount of sodium hydroxide, also known as lye, in the water. The intruder increased the quantity of the chemical from 100 parts per million to 11,100 parts per million, according to officials. Sodium hydroxide has many uses, including in drain cleaners; in drinking water, it is used in very small amounts to increase pH and reduce the levels of toxic metals in the water. It can become poisonous at high levels.

The intruder exited the system, and the plant's operator immediately decreased the lye to standard levels and notified their supervisor. "Because the operator noticed the increase and lowered it right away, at no time was there a significant adverse effect on the water being treated. Importantly, the public was never in danger," the sheriff said.

Gualtieri explained that had the operator not immediately changed the lye levels, it would have taken at least a full day for the water to reach the water system -- and water is checked before it is released. Oldsmar Mayor Eric Seidel -- who participated in the press conference alongside Gualtieri and Oldsmar City Manager Al Braithwaite -- elaborated on this, mentioning that "there are redundancies that have alarms in the system that would have caught the change in the pH level."

Afterward, the sheriff said that "steps were then taken to prevent further remote access to the system," including, Braithwaite added, the disabling of remote access programs from the system.

The Pinellas County Sheriff's Office began a criminal investigation in collaboration with the FBI and Secret Service. According to Gualtieri, it is unknown whether the breach came from inside or outside the U.S., and there is no current understanding of why Oldsmar was targeted. He said there are several leads but currently no suspects.

Details of the attack, including what kind of TeamViewer account was used, remain unclear. SearchSecurity asked the Pinellas County Sheriff's Office if it had identified the TeamViewer account used to log into the operator's system, but it declined to comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
