DataBreaches.Net


North Texas Municipal Water District hit by ransomware attack

Posted on November 28, 2023 by Dissent

The Municipal Water Authority of Aliquippa in Pennsylvania recently reported a cyberattack, apparently by an Iranian-backed group, “Cyber Av3ngers,” that shut down technology involved in the drinking water supply to Raccoon and Potter townships. But Aliquippa wasn’t the only water authority to recently experience a cyberattack. The Daixin ransomware team added the North Texas Municipal Water District (NTMWD) to their leak site yesterday. The listing simply provided a filelist, a claim that Daixin had acquired 33,844 files, and a note that the full leak “WILL BE SOON.”

Daixin provided DataBreaches with some additional details about the incident, beginning with their claim that they locked 300-400 of NTMWD’s servers on November 11. A “PHONE SERVICE INTERRUPTION” announcement dated November 12 on the water district’s website seems to confirm that something happened on November 11:

The North Texas Municipal Water District (NTMWD) is currently experiencing an interruption in our phone service. Please use this temporary number to reach us:  469-875-9815.

We will update this alert when the phone service has been restored.

Thank you.

There has been no update since then.

Unlike the Aliquippa incident that produced some service disruption, Daixin made a point of telling DataBreaches, “We have not destroyed technical equipment and water supply has not been stopped.”

Given that NTMWD provides essential water, wastewater, and solid waste disposal services to 2 million residents across 10 counties in the North Texas region, the attack could potentially have created an emergency. DataBreaches asked Daixin whether they could have stopped the water supply or how much more damage they could have done if they had been so inclined.

“We didn’t see their water supply equipment. Maybe we didn’t look hard enough,” their spokesperson responded, adding, “I don’t know if the water supply was damaged, but if it was, it wasn’t completely. If the water supply stopped completely, the locals would make them pay us.”

DataBreaches asked if more damage wasn’t done because the attack was detected and they were kicked out. To the contrary, they claimed, “We checked the encryption quality of the servers, some overloaded for verification. We had plenty of time. After that, we just left.”

From the filelist and the water district’s statement to DataBreaches (reproduced below in this article), it appears that Daixin got the business system but not the core water supply system itself.

According to Daixin, the water district did negotiate with them, with a representative showing up in chat on November 12. Over the course of the negotiations, they were given proof that Daixin had their data. “Apparently they used a non-professional data-recovery company,” Daixin commented.

DataBreaches asked them why they made that comment.

“They were stalling for time, clearly trying to restore systems on their own,” the spokesperson replied. “They were unable to provide sample data for test decryption to us – as the servers were not booting up [or so the negotiator allegedly told them]. In this case, there are only two options:  they tried to restore everything themselves and destroyed the servers with their attempts, or they lied to us about the servers not booting up. In the end, their servers are irrevocably destroyed by ineptitude (or they are lying).”

The negotiations reportedly ended on November 22. After Daixin gave the water district an extension on time that they requested, the water district’s representative never came back to the chat.

Daixin’s spokesperson says their recommendation to Texas residents is to “check your water bill carefully.” When DataBreaches asked why, the reply was a terse, “billing software.”

North Texas Municipal Water District Responds

DataBreaches reached out to NTMWD with questions about the incident based on a review of the filelist and Daixin’s claims.

One of DataBreaches’ questions was whether NTMWD had current and usable backups of the files and systems Daixin locked. They did not answer that directly. Nor did they answer a question asking them to confirm or deny that Daixin had locked more than 300 servers. And they didn’t answer questions about whether NTMWD’s negotiator had claimed that its servers were irrevocably destroyed and, if so, whether that claim was true or just a stall. They did answer some questions, however. The following statement was sent to DataBreaches by Alex Johnson, Director of Communications for the North Texas Municipal Water District:

The North Texas Municipal Water District (NTMWD) recently detected a cybersecurity incident affecting our business computer network. Most of our business network has been restored. Our core water, wastewater, and solid waste services to our Member Cities and Customers have not been impacted by this incident, and we continue to provide those services as usual.

Our phone system was also affected by this incident, and we hope to have it back online this week.

NTMWD has engaged third-party forensic specialists who are actively investigating the extent of any unauthorized activity. The investigation is ongoing at this time and includes a review of any potentially impacted District data.

NTMWD has notified law enforcement and will update our Member Cities, Customers, and other stakeholders with additional information about the incident, as appropriate.

Because the filelist provided by Daixin did not indicate that a lot of resident data or employee data might be involved, DataBreaches asked both Daixin and NTMWD whether residents’ personal information had been acquired. Daixin responded, “We have a lot of internal documents, but we don’t have the data of all the residents.”

That two water supply authorities have recently been hit is concerning. These two incidents did not create any full-blown emergency, but it seems almost inevitable that someone will go there.
