Ransomware gangs targeted 3 different US water treatment plants this year in previously unreported attacks, according to federal agencies

Waste water treatment facility
Workers look over wastewater from coal ash as it is aerated in a treatment facility outside Dominion Powers Bremo Bluff power plant in Bremo Bluff, Va., Tuesday, April 26, 2016. Steve Helber/AP
  • Three US water treatment plants were hit with ransomware attacks this year, according to a new report.
  • The previously unreported incidents came after a widely publicized attack on a Florida plant.
  • Ransomware is on the rise globally, and attacks on public infrastructure could put lives at risk.

Ransomware gangs attacked even more water treatment plants across the US than previously known, according to a new report.

Water plants in Nevada, Maine, and California were all hit with ransomware in 2021 – and all three incidents went unreported until Thursday, when the attacks were disclosed in a joint advisory published by the Cybersecurity and Infrastructure Security Agency, the FBI, the NSA, and the Environmental Protection Agency.

The cyberattacks on water treatment plants come amid a broader rise in ransomware shaking public and private organizations across the US. Ransomware attacks, in which cybercriminals deploy malicious code that locks up an organizations’ computer systems until they agree to pay a ransom, could cost victims $US20 ($AU27) billion this year.

In all three attacks, cybercriminals took over the water treatment plants’ supervisory control and data acquisition systems, also known as SCADA, which lets administrators remotely monitor the facilities. In addition to the three attacks in 2021, a similar ransomware attack hit a New Jersey facility in 2020.

The previously undisclosed attacks came after a highly publicized hack of an Oldsmar, Florida, water treatment plant. In that incident, the hacker tried to raise the amount of sodium hydroxide in the water by 11,000%, which authorities said could have put residents in danger – but a different employee who noticed the change immediately reversed it before drinking water was affected.

Ransomware is being treated with growing urgency by law enforcement and the cybersecurity community as criminals bring in record profits from ransom victims. Ransomware attacks grew 435% last year, according to the security startup Deep Instinct. Cybercriminals gangs took down the networks of 560 healthcare facilities, 1,681 schools and colleges, and more than 1,300 companies, according to the security firm Emsisoft.

The White House convened a meeting earlier this week with leaders from 31 countries to discuss a coordinated approach to stopping ransomware across the globe.

Experts say beating ransomware groups will depend on stopping the flow of cash from victims to criminals, either by enforcing bans on ransom payments or by more heavily regulating cryptocurrency used in most ransomware transactions.

The federal advisory published Thursday warned water treatment plant administrators to be on the lookout for suspicious activity on their networks and to take steps to prevent fraudulent logins, including activing multifactor authentication on all devices that remotely access facilities.