Outdated computer system exploited in Florida water treatment plant hack

Investigators are still trying to determine who's behind the hack.

February 11, 2021, 11:40 PM

An outdated version of Windows and a weak cybersecurity network allowed hackers to access a Florida wastewater treatment plant's computer system and momentarily tamper with the water supply, federal investigators revealed in a memo obtained by ABC News.

The FBI's Cyber Division on Tuesday notified law enforcement agencies and businesses to warn them about the computer vulnerabilities, which led to the Bruce T. Haddock Water Treatment Plant in Oldsmar being hacked on Feb. 5.

The plant's computer systems were using Windows 7, which hasn't received support or updates from Microsoft in over a year, according to the FBI.

"The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment," investigators wrote in the report. "The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system."

The Bruce T. Haddock Water Treatment Plant in Oldsmar, Fla, Feb. 9, 2021. Local and federal authorities are investigating after an attempt to poison the city of Oldsmar's water supply.
Chris Urso/Tampa Bay Times via ZUMA Press

The hacker was able to use remote access software to raise the levels of sodium hydroxide in the water from about 100 parts per million to 11,100 parts per million for a few minutes, according to investigators. Sodium hydroxide is used in liquid drain cleaners and used, in small doses, to remove metals from water.

A plant manager who noticed the hack as it unfolded was able to return the system to normal before any major damage occurred, investigators said. The public was never in danger because it would have taken 24 to 36 hours for tainted water to hit the system if no one had intervened.

Pinellas County Sheriff Bob Gualtieri said a news conference today that there was an "awful intrusion" into the computer system at Oldsmar's water treatment plant, Feb 5, 2020, in Oldsmar, Fla.
Pinellas County Sheriff's Office

The FBI and other law enforcement agencies are still trying to determine who was behind the hack and any possible motives. It's unclear if the suspects were foreign or domestic, sources close to the investigation told ABC News. Investigators said they're concerned the culprit could strike again -- and the outcome could be far worse.

The FBI memo urged information technology administrators to make sure computers are up to date and that passwords are secure.

"Microsoft, the FBI, and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system," the memo said. Not doing so "presents vulnerabilities for cyber actors to exploit."

On Thursday night, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Multi-State Information Sharing center issued an alert on the water plant hack.

They said that while no real damage was done, companies and governments should to stop using Windows 7 out of an abundance of caution, as it could be compromised.

"Windows 7 will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system," the agencies wrote in the alert.

They added that the threat isn't a new one, as they've observed others using "desktop sharing software to victimize targets in a range of organizations, including those in the critical infrastructure sectors."

In the alert, the agencies also offered recommendations for internet users -- especially those who use Teamviewer, the software the water treatment plant used, which creates random passwords for login -- such as using two-factor verification and keeping logs of the people who use each system.

ABC News' Pierre Thomas, Luke Barr and Mike Levine contributed to this report.