DataBreaches.Net

North Texas Municipal Water District hit by ransomware attack

Posted on November 28, 2023 by Dissent

The Municipal Water Authority of Aliquippa in Pennsylvania recently reported a cyberattack that appeared to be by an Iranian-backed group, “Cyber Av3ngers,” that shut down technology involved in the drinking water supply to Raccoon and Potter townships. But Aliquippa wasn’t the only water authority to recently experience a cyberattack. The Daixin ransomware team added the North Texas Municipal Water District (NTMWD) to their leak site yesterday. The listing simply provided a filelist, a claim that Daixin had acquired 33,844 files, and a note that the full leak “WILL BE SOON.”

Daixin provided DataBreaches with some additional details about the incident, beginning with their claim that they locked 300-400 of NTMWD’s servers on November 11. A “PHONE SERVICE INTERRUPTION” announcement dated November 12 on the water district’s website seems to confirm that something happened on November 11:

The North Texas Municipal Water District (NTMWD) is currently experiencing an interruption in our phone service. Please use this temporary number to reach us: 469-875-9815.

We will update this alert when the phone service has been restored.

Thank you.

There has been no update since then.

Unlike the Aliquippa incident that produced some service disruption, Daixin made a point of telling DataBreaches, “We have not destroyed technical equipment and water supply has not been stopped.”

Given that NTMWD provides essential water, wastewater, and solid waste disposal services to 2 million residents across 10 counties in the North Texas region, the attack could potentially have created an emergency. DataBreaches asked Daixin whether they could have stopped the water supply or how much more damage they could have done if they had been so inclined.

“We didn’t see their water supply equipment. Maybe we didn’t look hard enough,” their spokesperson responded, adding, “I don’t know if the water supply was damaged, but if it was, it wasn’t completely. If the water supply stopped completely, the locals would make them pay us.”

DataBreaches asked if more damage wasn’t done because the attack was detected and they were kicked out. To the contrary, they claimed, “We checked the encryption quality of the servers, some overloaded for verification. We had plenty of time. After that, we just left.”

From the filelist and the water district’s statement to DataBreaches (reproduced below in this article), it appears that Daixin got the business system but not the core water supply system itself.

According to Daixin, the water district did negotiate with them, with a representative showing up in chat on November 12. Over the course of the negotiations, they were given proof that Daixin had their data. “Apparently they used a non-professional data-recovery company,” Daixin commented.

DataBreaches asked them why they made that comment.

“They were stalling for time, clearly trying to restore systems on their own,” the spokesperson replied. “They were unable to provide sample data for test decryption to us – as the servers were not booting up [or so the negotiator allegedly told them]. In this case, there are only two options: they tried to restore everything themselves and destroyed the servers with their attempts, or they lied to us about the servers not booting up. In the end, their servers are irrevocably destroyed by ineptitude (or they are lying).”

The negotiations reportedly ended on November 22. After Daixin gave the water district an extension on time that they requested, the water district’s representative never came back to the chat.

Daixin’s spokesperson says their recommendation to Texas residents is to “check your water bill carefully.” When DataBreaches asked why, the reply was a terse, “billing software.”

North Texas Municipal Water District Responds

DataBreaches reached out to NTMWD with questions about the incident based on a review of the filelist and Daixin’s claims.

One of DataBreaches’ questions was whether NTMWD had current and usable backups of the files and systems Daixin locked. They did not answer that directly. Nor did they answer a question asking them to confirm or deny that Daixin had locked more than 300 servers. And they didn’t answer questions about whether NTMWD’s negotiator had claimed that its servers were irrevocably destroyed, and if they had claimed it, was it true or just a stall? They did answer some questions, however. The following statement was sent to DataBreaches by Alex Johnson, Director of Communications for the North Texas Municipal Water District:

The North Texas Municipal Water District (NTMWD) recently detected a cybersecurity incident affecting our business computer network. Most of our business network has been restored. Our core water, wastewater, and solid waste services to our Member Cities and Customers have not been impacted by this incident, and we continue to provide those services as usual.

Our phone system was also affected by this incident, and we hope to have it back online this week.

NTMWD has engaged third-party forensic specialists who are actively investigating the extent of any unauthorized activity. The investigation is ongoing at this time and includes a review of any potentially impacted District data.

NTMWD has notified law enforcement and will update our Member Cities, Customers, and other stakeholders with additional information about the incident, as appropriate.

Because the filelist provided by Daixin did not indicate that a lot of resident data or employee data might be involved, DataBreaches asked both Daixin and NTMWD whether residents’ personal information had been acquired. Daixin responded, “We have a lot of internal documents, but we don’t have the data of all the residents.”

That two water supply authorities have recently been hit is concerning. These two incidents did not create any full-blown emergency, but it seems almost inevitable that someone will go there.

Category: Breach Incidents, Government Sector, Malware, U.S.
