Cyber Incident Victim: Limestone Sewage Treatment Plant

The ransomware attack on the Limestone Sewer District occurred on July 4, 2021, targeting a control computer at the sewage treatment facility in northern Maine. Hackers deployed ransomware that forced the shutdown of the operational system, which ran on an outdated Windows 7 operating system already scheduled for replacement. While the attackers failed to compromise customer data or cause direct physical harm, the computer failure disabled critical alarm systems designed to alert staff about equipment malfunctions. These alarms monitored conditions such as pump overheating and tank overfill levels, creating potential operational risks during the outage. Superintendent Jim Leighton confirmed no ransom payment was made to the threat actors. The timing of the attack during a national holiday raised concerns about threat actors exploiting periods of reduced staffing.

The incident highlighted vulnerabilities in rural infrastructure, as the obsolete Windows 7 system lacked modern security protections. Following the attack, the district proceeded with plans to replace the compromised computer, accelerating what was already an overdue hardware upgrade. Although the ransomware caused temporary operational disruptions, it served as a catalyst for improved cybersecurity awareness across Aroostook County’s water and sewage districts. Neighboring facilities reviewed and strengthened their computer security measures in response to the Limestone incident. The attack demonstrated how even non-critical system compromises could create secondary operational challenges through the loss of monitoring capabilities. No data exfiltration or environmental damage occurred, but the event underscored the need for continuous system updates in small municipal operations.