
Cyber Incident Victim: Muleshoe, Texas, USA (Bailey County)

Date: Jan 2024

Location: United States of America

Summary

A Russia-linked hacking group suspected of ties to the GRU's Sandworm unit conducted a cyberattack on a Texas water facility, causing a tank to overflow temporarily before operators switched to manual controls. The incident in Muleshoe coincided with suspicious cyber activity detected in two nearby towns, where hackers attempted but failed to breach water system networks. Mandiant analysts linked the attack to a persona named "CyberArmyofRussia_Reborn," which previously disseminated GRU-affiliated content, though definitive attribution remains unclear. While drinking water remained unaffected, the intrusion exploited internet-accessible industrial control systems, highlighting vulnerabilities in critical infrastructure. The hackers publicly claimed responsibility via Telegram, showcasing manipulated valve operations, consistent with Sandworm's pattern of exaggerating disruptive impacts for psychological effect.


Description

In January 2024, a cyberattack disrupted operations at a water facility in Muleshoe, Texas, a town of approximately 5,000 residents in Bailey County. Hackers breached a remote login system controlling industrial software interfacing with a water tank, causing it to overflow for 30 to 45 minutes. City Manager Ramon Sanchez confirmed the intrusion prompted officials to take the compromised industrial machine offline, switch to manual operations, replace the hacked software system, and implement additional network security measures. Concurrently, at least two nearby towns—Lockney and Hale Center—detected suspicious cyber activity on their networks. Lockney’s City Manager Buster Poling reported anomalous behavior on the town’s SCADA (Supervisory Control and Data Acquisition) system, which manages water plant operations, while Hale Center’s City Manager Mike Cypert stated hackers attempted unsuccessfully to breach the town’s firewall, leading to the disabling of remote SCADA access. Poling believed foreign actors targeted Lockney’s water wells but caused no operational impact due to early detection. The FBI investigated the incidents, though no agency comments were disclosed.

Cybersecurity firm Mandiant later linked the Muleshoe attack to a Telegram channel operated by “CyberArmyofRussia_Reborn,” a persona associated with Sandworm, a Russian GRU military intelligence unit known for disruptive operations in Ukraine. On January 18, coinciding with the Muleshoe intrusion, the group posted a video on Telegram purportedly showing manipulation of the town’s water valves. Mandiant analysts noted Sandworm’s history of exaggerating hack impacts for psychological effect but could not conclusively attribute the attack to GRU or independent actors using the same persona. The incidents did not compromise drinking water safety but highlighted vulnerabilities in U.S. water infrastructure, which National Security Advisor Jake Sullivan and EPA Administrator Michael Regan had recently warned about in a joint letter urging enhanced cyber defenses. The EPA had rescinded a proposed cybersecurity rule for water systems in October 2023 following legal challenges; Deputy National Security Advisor Anne Neuberger stated that the rule could have mitigated such attacks. Investigations remained ongoing, with the EPA coordinating support for Texas while declining detailed comment.
