Cyber Incident Victim: North Texas Municipal Water District

Date: Nov 2023

Location: United States of America

Summary

The North Texas Municipal Water District experienced a cyberattack impacting its business computer network and phone systems, causing operational disruptions. While core water, wastewater, and solid waste services remained unaffected, the Daixin Team ransomware group claimed responsibility, alleging theft of over 33,000 customer files. The district restored most business network functions, engaged forensic specialists for investigation, notified law enforcement, and worked to restore phone services.

Description

In November 2023, the North Texas Municipal Water District (NTMWD), a utility serving approximately two million people across more than 13 cities including Plano and Frisco, detected a cybersecurity incident impacting its business computer network. The organization, employing over 850 people and providing wholesale water, wastewater, and solid waste management services, confirmed the attack caused operational issues. NTMWD's Director of Communications, Alex Johnson, stated that while the business network was affected, the core water, wastewater, and solid waste services delivered to Member Cities and Customers remained fully operational and were not impacted by the incident. The attack significantly disrupted NTMWD's phone system, leaving it offline. The utility acknowledged engaging third-party forensic specialists to investigate the extent of any unauthorized activity, including a review of potentially impacted District data, with the investigation ongoing at the time of reporting. Law enforcement agencies were notified about the incident.

The ransomware group known as Daixin Team claimed responsibility for the attack against NTMWD, listing the utility as a victim on its website and asserting it had stolen over 33,000 files containing customer information. NTMWD had initially alerted customers to phone line disruptions on November 12th, a notice that remained active on their website following the attack disclosure. This incident occurred shortly after a cyberattack targeted a Pennsylvania water authority. Daixin Team, active since June 2022, had previously caused significant disruption, notably to Oakbend Medical Center in Richmond, Texas, in September 2022, requiring weeks of recovery after compromising phone lines and patient record systems; the group also attacked Fitzgibbon Hospital in Missouri and Ista International in Germany. The article notes that ransomware gangs frequently target water utilities as critical infrastructure entities perceived as likely to pay ransoms to restore essential services, referencing U.S. law enforcement data indicating attacks on five water and wastewater facilities between 2019 and 2021, excluding three other widely reported incidents. NTMWD anticipated restoring its phone system within the same week the incident was reported.
