An investigation that followed the February 2021 intrusion at the Oldsmar, Florida water treatment plant found that a U.S. water infrastructure contractor had unknowingly been hosting malicious code on its website, a setup known as a watering hole attack. The site was one frequented by a narrow audience of water utilities, particularly in Florida, and a browser on the City of Oldsmar network visited it on the same day the plant's chemical dosing was tampered with.
According to Dragos researcher Kent Backman, the compromised website belonged to a Florida-based contractor in the water and wastewater sector; although it hosted the malicious code, Dragos found no evidence that the watering hole played a direct role in the intrusion itself. Watering hole attacks aim at a specific group of users by compromising websites that group is known to visit, so that the trusted site becomes the delivery point for malware.
In this case, however, the injected code did not attempt to exploit visitors' browsers or drop a payload. It was an enumeration and fingerprinting script that collected detailed information about each visitor: operating system, browser and installed plugins, input methods, device characteristics, and approximate geographic location.
The collected data was exfiltrated to a database hosted on Heroku at bdatac.herokuapp[.]com, which has since been taken down. Dragos suspects the script was introduced into the site's code through a vulnerable WordPress plugin.
Over the 58 days from December 20, 2020 until the malicious code was removed on February 16, 2021, the site was visited by more than 1,000 distinct user computers. Visitors included municipal water utilities, government agencies, and private companies in the water sector, alongside the usual bot and crawler traffic.
Backman suggested the watering hole was most likely used to harvest genuine browser data so that botnet malware could better mimic legitimate browsing behavior. Telemetry showed that one of those visits came from a computer on the City of Oldsmar network on February 5, the same day an unauthorized user gained access to the treatment plant's SCADA system and attempted to raise the sodium hydroxide dosing level.
The attempt was caught by a plant operator who saw the change being made in real time and reverted it, so the chemical concentration in the water was never affected. Reports indicate the intruder got in through TeamViewer remote-desktop software that had been installed on one of the plant's computers connected to its control system.
Together with the Colonial Pipeline ransomware attack, the Oldsmar incident has intensified concern about the security of the industrial control systems that underpin critical infrastructure. In response, the U.S. government has moved to strengthen cyber defenses, improve information sharing between federal agencies and private-sector operators, and harden federal networks.
Backman characterized the incident as an exposure risk for the water industry as a whole and stressed the need to restrict access to untrusted websites from Operational Technology (OT) and Industrial Control System (ICS) environments. The behaviors observed map onto the MITRE ATT&CK framework, which catalogues the tactics and techniques adversaries use: a compromised legitimate website used as an entry point is Drive-by Compromise (T1189) under Initial Access, and a script that profiles visiting browsers falls under Reconnaissance as Gather Victim Host Information (T1592).
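One way to operationalize the control Backman describes is to treat web egress from OT networks as deny-by-default and review proxy logs against a short allowlist. The following is an added example written for this page, not tooling from Dragos or the article: it parses Squid-format access.log lines, flags OT hosts that reached any site outside the allowlist, and separately flags any client that contacted the exfiltration host named in the report. `OT_SUBNETS` and `ALLOWED_HOSTS` are assumed values for a hypothetical site, and the log lines are constructed.

```javascript
// Added example, not tooling from Dragos or the article: an egress review
// over Squid access.log lines that treats OT web access as deny-by-default.
// OT_SUBNETS and ALLOWED_HOSTS are assumed values for a hypothetical site;
// WATCHLIST carries the exfiltration host named in the report so a hit on it
// is flagged regardless of source network.

const OT_SUBNETS = ['10.20.30.0/24'];
const ALLOWED_HOSTS = ['update.vendor.example', 'ntp.example'];
const WATCHLIST = ['bdatac.herokuapp.com'];

// Dotted-quad IPv4 to unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// True when `ip` falls inside `cidr` (e.g. '10.20.30.0/24').
function inCidr(ip, cidr) {
  const [net, bits] = cidr.split('/');
  const n = Number(bits);
  const mask = n === 0 ? 0 : (~0 << (32 - n)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Destination host of a request. CONNECT lines carry "host:port" rather than
// a URL, and the WHATWG URL parser would misread that as a scheme, so they
// are handled separately.
function hostOf(method, url) {
  if (method === 'CONNECT') return url.split(':')[0].toLowerCase();
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Squid native format: time elapsed client action/code size method URL ...
const SQUID_RE = /^(\d+\.\d+)\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+(\S+)\s+(\S+)/;

function parseSquidLine(line) {
  const m = SQUID_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], client: m[2], status: m[3], method: m[4], url: m[5], host: hostOf(m[4], m[5]) };
}

// Exact match or subdomain of `pattern`.
function hostMatches(host, pattern) {
  return host === pattern || host.endsWith('.' + pattern);
}

// Two checks per line, in priority order:
//  1. any client reaching a watchlisted host (high);
//  2. an OT client reaching anything not on the allowlist (medium), which is
//     how a visit to a contractor's site from a plant network surfaces even
//     before that site is known to be compromised.
function reviewEgress(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseSquidLine(line);
    if (!rec || !rec.host) continue;
    if (WATCHLIST.some(w => hostMatches(rec.host, w))) {
      findings.push({ severity: 'high', reason: 'watchlist-host', ...rec });
      continue;
    }
    const fromOt = OT_SUBNETS.some(c => inCidr(rec.client, c));
    if (fromOt && !ALLOWED_HOSTS.some(a => hostMatches(rec.host, a))) {
      findings.push({ severity: 'medium', reason: 'ot-egress-not-allowlisted', ...rec });
    }
  }
  return findings;
}

// Constructed sample log lines (not real traffic); timestamps fall on 5 Feb 2021.
const SAMPLE_LOG = [
  '1612540812.417    215 10.20.30.15 TCP_MISS/200 5318 GET http://contractor.example/projects/ - HIER_DIRECT/203.0.113.10 text/html',
  '1612540813.102     87 10.20.30.15 TCP_TUNNEL/200 1466 CONNECT bdatac.herokuapp.com:443 - HIER_DIRECT/198.51.100.7 -',
  '1612540900.000     40 10.20.30.22 TCP_MISS/200 912 GET http://update.vendor.example/feed.xml - HIER_DIRECT/203.0.113.20 application/xml',
  '1612541000.000     33 10.50.1.9 TCP_MISS/200 2048 GET http://contractor.example/ - HIER_DIRECT/203.0.113.10 text/html',
];

for (const f of reviewEgress(SAMPLE_LOG)) {
  console.log(`${f.severity.toUpperCase()} ${f.reason}: ${f.client} -> ${f.host} (${f.method})`);
}
```

On the constructed input the OT host 10.20.30.15 produces two findings: a medium one for browsing to the contractor site, which is outside the allowlist, and a high one for the TLS tunnel to the watchlisted Heroku host a second later. The allowlisted vendor update and the visit from a non-OT address produce nothing. The ordering matters in practice: the allowlist check catches the visit on the day it happens, while the watchlist check only works once the indicator is known.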