
Cyber Incident Victim: Onslow Water and Sewer Authority

Date: Oct 2018

Location: United States of America

Summary

A North Carolina water utility suffered a sophisticated ransomware attack in the aftermath of a hurricane. The attack hit its internal computer systems, including servers and personal machines, and left the utility with limited operational capability. The incident began with Emotet malware infections; the attackers later escalated by deploying Ryuk ransomware, causing significant disruption to internal infrastructure. Customer data, environmental safety, and the water supply were not compromised, but the organization had to rebuild multiple databases to restore full functionality. External security experts worked alongside the internal IT team to mitigate the attack, which used Emotet, a polymorphic banking Trojan, as the delivery vehicle for the highly damaging Ryuk strain, a ransomware reserved for tailored intrusions rather than broad spam distribution.


Description

On October 4, 2018, the Onslow Water and Sewer Authority (ONWASA) in North Carolina detected persistent cyberattacks targeting its internal computer systems in the aftermath of Hurricane Florence. The initial intrusion involved Emotet, a polymorphic malware strain known for functioning as a downloader for other banking Trojans. Emotet’s presence compromised ONWASA’s servers and employee workstations, significantly limiting the utility’s computer capabilities. Despite early efforts to contain the threat, the attacks persisted, prompting ONWASA to engage external cybersecurity experts to assist its internal IT team. The situation escalated dramatically in the early hours of October 13 when the attackers deployed Ryuk ransomware, a highly targeted strain known for tailored attacks rather than broad spam distribution. Ryuk, while technically less sophisticated than some ransomware variants, caused extensive operational disruption by encrypting critical systems.

ONWASA confirmed no compromise of customer data, environmental systems, or public water supply integrity during the incident. However, the ransomware attack necessitated the complete reconstruction of multiple databases, indicating substantial recovery efforts. The utility’s reliance on combined internal and external response teams helped mitigate further spread, though operational impacts persisted due to the system-wide encryption and data loss. US-CERT had previously identified Emotet as one of the most costly and destructive malware strains affecting state and local governments, aligning with ONWASA’s experience of prolonged system incapacitation. The dual-phase attack—beginning with Emotet’s infiltration and culminating in Ryuk’s deployment—highlighted the attackers’ persistence and the challenge of defending critical infrastructure amid disaster recovery operations following Hurricane Florence.
