Cyber Incident Victim: St. Johns River Water Management District
Date: Nov 2023
Location: United States of America
Summary
The St. Johns River Water Management District, a Florida regulatory agency overseeing regional drinking water supply, confirmed a cyberattack after identifying suspicious activity in its IT environment, and applied containment measures while maintaining normal operations. A ransomware group later claimed responsibility and provided samples of stolen data. The agency does not directly control water utility technology. The incident occurred amid broader federal warnings about foreign state-affiliated hackers targeting water sector infrastructure, including attacks, linked to Iranian groups, on industrial control systems. The District emphasized ongoing network monitoring to prevent persistent threats but declined further comment pending completion of its investigation.
Description
The St. Johns River Water Management District (SJRWMD), a Florida regulatory agency responsible for overseeing the region’s long-term drinking water supply, confirmed it responded to a cyberattack detected in late October 2023. Agency personnel identified suspicious activity within its information technology environment during the final week of October, prompting an immediate investigation and containment measures. A spokesperson stated these containment efforts were successfully implemented, preventing further malicious persistence within the network. The District maintained normal business operations throughout the incident while continuously monitoring its IT systems for any signs of ongoing compromise. On October 27, 2023, a ransomware gang publicly claimed responsibility for the attack, providing samples of data allegedly stolen from SJRWMD’s systems. The cybercriminals did not disclose the total volume or specific nature of the exfiltrated data. SJRWMD clarified that its operational role focuses on water conservation education, setting water use regulations, environmental research, data collection, and ecosystem restoration rather than direct control over water utility infrastructure. The agency emphasized its investigation remained ongoing and declined further comment until its completion, citing the need to preserve the integrity of the process. No disruptions to public water services or District operations were reported as a direct result of the incident.

This incident occurred amid heightened federal warnings about cyberattacks targeting U.S. water utilities, particularly those involving Unitronics programmable logic controllers (PLCs). On November 26, 2023, a water utility in Pennsylvania reported a cyber incident linked to the exploitation of Unitronics PLCs, followed by operational disruptions at a North Texas water utility serving two million people. The Cybersecurity and Infrastructure Security Agency (CISA), collaborating with the FBI, NSA, EPA, and Israel’s National Cyber Directorate, attributed these attacks to “CyberAv3ngers,” a group affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). U.S. authorities confirmed that the IRGC-affiliated hackers had been compromising Israeli-made Unitronics devices through default credentials since at least November 22, defacing interfaces and rendering some PLCs inoperative while threatening deeper network access. The attackers explicitly targeted Israeli-linked infrastructure, including at least 10 water treatment plants in Israel, and promoted their activities via Telegram. CISA noted that approximately 539 Unitronics PLC instances remained publicly exposed globally as of December 2, 2023, highlighting persistent vulnerabilities. While SJRWMD’s incident involved a separate ransomware claim unrelated to the IRGC campaign, it underscored broader sector-wide risks as federal agencies urged heightened vigilance across critical water infrastructure operators.
