Russian hackers breached, sabotaged Texas water treatment plant, cyber firm says

A group with possible ties to Kremlin military hackers infiltrated a Texas water facility in January and caused a system malfunction that forced a water tank to overflow, marking a potential first-of-its-kind disruption that escalates concerns about the cyber posture of water treatment facilities in the U.S., according to an analysis out Wednesday.

The report from Google-owned Mandiant linked the activity to Sandworm, a hacking operation that’s tied to Russia’s military intelligence directorate, or GRU.

If confirmed by officials, the breach of the water facility based in Muleshoe near the Texas-New Mexico border would be the first known case where Russian hackers targeted U.S. water facilities, making it the third nation to have breached U.S. water infrastructure in the past year, as Iran and China-linked collectives have already been tied to such incidents.

Mandiant could not verify all available claims of the hack, but noted that the analysis aligns with local reporting on the incident. The research also cited screenshots appearing to show a potential Sandworm-affiliated unit calling itself CyberArmyofRussia_Reborn on Telegram manually manipulating water well control inputs.

Muleshoe’s drinking water was not affected, according to reporting from CNN, which noted that the FBI is investigating the activity. Two related hacking attempts occurred in other Texas towns, the report says.

The Sandworm operatives have mainly focused on Ukrainian targets and have escalated their attacks since Russia’s invasion some two years ago. The group is notably linked to the crippling NotPetya cyberattacks from 2017 that impacted U.S. critical infrastructure.

The Environmental Protection Agency and National Security Council last month urged states to stay alert for Iranian and Chinese cyber threats targeting water sector infrastructure. “Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” their missive to states said.

The Biden administration has been pushing to shore up protections for water treatment facilities against cyber threats, which researchers say are highly vulnerable to compromises. 

But the EPA in October rescinded a memorandum that would have directed providers to evaluate the cyber defenses of their water systems when conducting sanitation surveys, after facing legal pushback from GOP-led states and trade groups.

The activities tracked by Mandiant were also tied to water system compromises in a French dam and Polish water utilities.

Russia’s largely state-centered economy allows Moscow to easily steamroll contracts for military and intelligence operations. A major leak last year revealed the intricacies of this relationship, showing a vast network of military consultants working on behalf of the Kremlin, including Sandworm.

“We also judge [Sandworm] to present a significant proliferation risk for new cyber attack concepts and methods,” the Mandiant readout said. “Continued advancements and in-the-wild use of the group’s information technology (IT) and OT cyber attack capabilities have also likely lowered the barrier of entry for other state and non-state actors to replicate and develop their own cyber attack programs,” it adds.