Cyber Incident Victim: California Water and Wastewater System
Date: Aug 2021
Location: United States of America
Summary
A cyber incident targeting the California Water and Wastewater System involved threat actors employing spearphishing, exploitation of outdated infrastructure, and insecure remote access to compromise both IT and operational technology networks. The attack methods included ransomware deployment and insider threats, posing risks to critical operational continuity and physical safety systems. Malicious activities aimed to disrupt water treatment and distribution processes, leveraging vulnerabilities in control system devices and insufficient network segmentation. The sector faced potential service interruptions and unauthorized access to sensitive industrial control environments, highlighting systemic cybersecurity challenges in maintaining resilient infrastructure against evolving adversarial tactics.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Between 2019 and 2021, malicious cyber actors conducted a series of attacks targeting U.S. Water and Wastewater Systems (WWS) Sector facilities, including entities in California. These incidents involved threat actors employing spearphishing campaigns, exploiting outdated operating systems and software vulnerabilities, and leveraging insecure remote access configurations to infiltrate both IT and operational technology (OT) networks. Attackers deployed ransomware to encrypt critical data and disrupt system operations, while insider threats posed additional risks through unauthorized access or intentional sabotage. The compromise of network credentials via phishing allowed adversaries to move laterally within victim environments, escalating privileges to gain control over supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs). Facilities experienced attempted manipulation of water treatment processes, though specific operational disruptions were not detailed in available reports. The attacks highlighted systemic vulnerabilities in legacy control system devices and unpatched firmware widely used across the sector.

The coordinated federal advisory documented these incidents to describe the observed attacker tactics, techniques, and procedures (TTPs) and to urge immediate defensive action. Affected organizations implemented enhanced monitoring for anomalous network traffic and for unauthorized configuration changes to water treatment equipment. Response measures included isolating compromised IT systems from OT networks through segmentation and enforcing multi-factor authentication (MFA) for remote access points. Facilities audited user privileges and disabled unused accounts to mitigate insider threats. Backup restoration procedures were activated following ransomware encryption events, though the extent of data loss remained undisclosed. No confirmed physical damage to water infrastructure or public health impact was formally attributed to these attacks. The incidents underscored the dependencies created by interconnected IT/OT systems and the necessity of maintaining cyber-physical safety mechanisms to prevent manipulation of chemical treatment levels or flow controls. Federal agencies collaborated with sector partners to disseminate threat indicators and mitigation strategies during this campaign.
