Cyber Incident Victim: Kemuri Water Company

Date:

Mar 2016

Location:

United States of America

Summary

Hackers compromised a water utility's control system by exploiting login credentials stored on an internet-connected web server, gaining access to an aging AS/400 system that managed the programmable logic controllers regulating water treatment chemicals and flow. The threat actors manipulated application settings during multiple unauthorized sessions, altering chemical levels in the water supply and disrupting treatment processes, though operational recovery was achieved promptly through alert-triggered reversals. The breach also exposed personal data of 2.5 million customers, with no evidence of misuse. Forensic analysis attributed the intrusion to a hacktivist group that lacked the apparent intent or technical understanding to cause significant physical damage, highlighting systemic vulnerabilities in outdated critical infrastructure.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In March 2016, the Kemuri Water Company (KWC), a pseudonym used by Verizon in its breach report, experienced a cyberattack that compromised its operational control systems. Hackers affiliated with a Syria-linked 'hacktivist' group infiltrated KWC’s aging AS/400-based control system by exploiting login credentials stored on an internet-connected front-end web server. This system managed the programmable logic controllers (PLCs) regulating valves, ducts, and chemical treatments for the water supply. Forensic analysis by Verizon’s RISK Team revealed four unauthorized connections to the AS/400 system over the 60-day period preceding its assessment. During these sessions, the attackers interacted with the valve and flow control applications, modifying settings despite a limited understanding of the system’s operational logic. On at least two occasions, they altered chemical levels in the water supply, impairing treatment processes and increasing the time needed to replenish treated water. KWC’s alert systems detected these changes, enabling rapid reversal of the chemical adjustments and minimizing customer impact. No physical harm or prolonged service disruption occurred, apparently because the attackers lacked both SCADA expertise and malicious intent.

Verizon’s investigation confirmed that the breach exposed personal data of 2.5 million customers, though no evidence suggested monetization or fraudulent use. The attackers’ primary access vector, credentials stored on an internet-connected web server, highlighted systemic vulnerabilities, including reliance on a single AS/400 for both critical IT and operational technology functions. Although the hacktivists manipulated chemical valves, their actions caused no lasting damage, and KWC contained the incident without external intervention. The breach underscored insecure configurations in critical infrastructure, particularly outdated internet-connected systems. Verizon’s report did not identify a clear motive but noted the attackers’ limited technical proficiency. KWC’s incident response relied on existing alert mechanisms to mitigate operational impacts, though the data exposure remained a residual consequence. The event exemplified the risks associated with under-resourced infrastructure and unpatched systems, aligning with broader patterns of opportunistic attacks on industrial control environments.

Sources: 1 source (available to members)