The Municipal Water Authority of Aliquippa in Pennsylvania recently reported a cyberattack, apparently by an Iranian-backed group calling itself “Cyber Av3ngers,” that shut down technology involved in the drinking water supply to Raccoon and Potter townships. But Aliquippa wasn’t the only water authority to recently experience a cyberattack. The Daixin ransomware team added the North Texas Municipal Water District (NTMWD) to their leak site yesterday. The listing simply provided a filelist, a claim that Daixin had acquired 33,844 files, and a note that the full leak “WILL BE SOON.”
Daixin provided DataBreaches with some additional details about the incident, beginning with their claim that they locked 300-400 of NTMWD’s servers on November 11. A “PHONE SERVICE INTERRUPTION” announcement dated November 12 on the water district’s website seems to confirm that something happened on November 11:
The North Texas Municipal Water District (NTMWD) is currently experiencing an interruption in our phone service. Please use this temporary number to reach us: 469-875-9815.
We will update this alert when the phone service has been restored.
Thank you.
There has been no update since then.
Unlike the Aliquippa incident that produced some service disruption, Daixin made a point of telling DataBreaches, “We have not destroyed technical equipment and water supply has not been stopped.”
Given that NTMWD provides essential water, wastewater, and solid waste disposal services to 2 million residents across 10 counties in the North Texas region, the attack could have created an emergency. DataBreaches asked Daixin whether they could have stopped the water supply, or how much more damage they could have done had they been so inclined.
“We didn’t see their water supply equipment. Maybe we didn’t look hard enough,” their spokesperson responded, adding, “I don’t know if the water supply was damaged, but if it was, it wasn’t completely. If the water supply stopped completely, the locals would make them pay us.”
DataBreaches asked if more damage wasn’t done because the attack was detected and they were kicked out. To the contrary, they claimed, “We checked the encryption quality of the servers, some overloaded for verification. We had plenty of time. After that, we just left.”
From the filelist and the water district’s statement to DataBreaches (reproduced below in this article), it appears that Daixin got the business system but not the core water supply system itself.
According to Daixin, the water district did negotiate with them, with a representative showing up in chat on November 12. Over the course of the negotiations, they were given proof that Daixin had their data. “Apparently they used a non-professional data-recovery company,” Daixin commented.
DataBreaches asked them why they made that comment.
“They were stalling for time, clearly trying to restore systems on their own,” the spokesperson replied. “They were unable to provide sample data for test decryption to us – as the servers were not booting up [or so the negotiator allegedly told them]. In this case, there are only two options: they tried to restore everything themselves and destroyed the servers with their attempts, or they lied to us about the servers not booting up. In the end, their servers are irrevocably destroyed by ineptitude (or they are lying).”
The negotiations reportedly ended on November 22. After Daixin granted the water district the time extension it had requested, the district’s representative never returned to the chat.
Daixin’s spokesperson says their recommendation to Texas residents is to “check your water bill carefully.” When DataBreaches asked why, the reply was a terse, “billing software.”
North Texas Municipal Water District Responds
DataBreaches reached out to NTMWD with questions about the incident based on a review of the filelist and Daixin’s claims.
One of DataBreaches’ questions was whether NTMWD had current and usable backups of the files and systems Daixin locked. They did not answer that directly. Nor did they confirm or deny that Daixin had locked more than 300 servers, or say whether NTMWD’s negotiator had claimed that its servers were irrevocably destroyed and, if so, whether that claim was true or just a stall. They did answer some questions, however. The following statement was sent to DataBreaches by Alex Johnson, Director of Communications for the North Texas Municipal Water District:
The North Texas Municipal Water District (NTMWD) recently detected a cybersecurity incident affecting our business computer network. Most of our business network has been restored. Our core water, wastewater, and solid waste services to our Member Cities and Customers have not been impacted by this incident, and we continue to provide those services as usual.
Our phone system was also affected by this incident, and we hope to have it back online this week.
NTMWD has engaged third-party forensic specialists who are actively investigating the extent of any unauthorized activity. The investigation is ongoing at this time and includes a review of any potentially impacted District data.
NTMWD has notified law enforcement and will update our Member Cities, Customers, and other stakeholders with additional information about the incident, as appropriate.
Because the filelist provided by Daixin did not indicate that much resident or employee data might be involved, DataBreaches asked both Daixin and NTMWD whether residents’ personal information had been acquired. Daixin responded, “We have a lot of internal documents, but we don’t have the data of all the residents.”
That two water supply authorities have recently been hit is concerning. These two incidents did not create any full-blown emergency, but it seems almost inevitable that someone will go there.