Hackers not detected on Queensland water supplier’s server for 9 months


Hackers remained hidden for nine months on a server holding customer information for a Queensland water supplier, demonstrating the need for better cyber defenses for critical infrastructure.

SunWater is an Australian government-owned water supplier responsible for operating 19 large dams, 80 pumping stations and 1,600 miles of pipelines.

According to the annual financial audit report released yesterday by the Queensland Audit Office, SunWater was breached for nine months, with the actors going undetected the entire time.

Although the report does not name the entity directly, ABC Australia questioned the authority and confirmed that it was SunWater.

The breach occurred between August 2020 and May 2021, and the threat actors were able to access a web server used to store customer information for the water supplier.

It appears that the hackers were not interested in the exfiltration of sensitive data, as they simply installed custom malware to increase visitor traffic on an online video platform.

The audit report states that there is no evidence that the threat actors stole customer or financial information and that the vulnerability the actors used has now been fixed.

The report points out that the actors compromised the older and more vulnerable version of the system, leaving modern and much more secure web servers intact.

Finally, the report raises the lack of adequate account security practices, such as giving users only the minimum access required to do their jobs.

Instead, SunWater had several user accounts with access to multiple systems, increasing the risk of a single point of compromise.

A widespread problem

The auditors looked at the internal controls of six water authorities in Australia and found deficiencies in three without naming them specifically.

From the absence of anti-fraud safeguards protecting financial transactions from business email compromise (BEC) actors to the presence of numerous vulnerabilities in IT systems, the report highlighted several key issues.

In summary, the auditors found that public sector bodies have taken positive action based on last year’s recommendations, but they still need to:

  • Implement security threat detection and reporting systems
  • Enable multi-factor authentication on all publicly available external systems
  • Set a minimum password length of eight characters
  • Organize security awareness courses
  • Implement processes to identify critical security vulnerabilities

“We continue to identify several control deficiencies related to information systems. Cyber attacks continue to pose a significant risk, with constant changes in the work environments of entities due to COVID-19,” reads the auditors’ report.

While a financial loss is always a dire scenario, as we saw in a 2017 attack on a UK-based water supplier that lost $645,000, it is not as serious as a threat to public safety.

In February 2021, a hacker gained access to a water treatment system in Oldsmar, Florida and attempted to increase the concentration of caustic soda in the public distribution network.

This was a wake-up call for US authorities, who have taken methodical measures to improve the security of these critical facilities, which are being targeted more often than the public realizes.

