Cyber expert suggests American Water cyber incident was a ransomware attack
The attack left 14 million customers without access to a service portal, disrupting billing processes, though the firm said it does not believe its water facilities were impacted
A security specialist has speculated that a recent attack on the US’s largest water utility, described as a “cyber incident” in its 8-K disclosure to the SEC, was driven by ransomware.
American Water said it became aware of the incident on 3 October, when it identified unauthorized activity on its internal networks, and promptly activated its incident response protocols.
According to the company’s website, the utility provides drinking water and wastewater services to approximately 14 million people across 14 states, including 18 military installations.
The filing stated that it does not believe its drinking or wastewater facilities were negatively impacted by the intrusion, adding that it has taken precautions to protect its IT systems and data.
This included disconnecting some systems, including its customer service portal, MyWater, meaning its customer billing function has been temporarily suspended.
Kevin Kirkwood, CISO at security and compliance specialist Exabeam, suggested that the shutdown was the result of a ransomware attack, noting that the disruption would have likely been far greater if the access extended to its wider control systems.
“If I had to speculate, I would say that American Water was potentially the victim of a ransomware event. The firm mentioned they shut down their billing systems, which points back to internal corporate backend systems. Given the large segment of water and wastewater treatment facilities that American Water covers, if control systems had been compromised, we’d likely be hearing about plants shutting down and advisories to boil water across states.”
In a statement posted to its website, the firm reassured affected customers that there would be no late charges or services shut off while the portal system remains offline.
American Water added that it had immediately brought in third-party security experts to help with the ongoing containment and mitigation process, and is coordinating fully with law enforcement.
Threat actors continue barrage on US water utilities
Andrew Lintell, GM for EMEA at industrial cyber security specialist Claroty, noted that although the access described in the filing appears to have been limited, the fallout from attacks targeting public utility companies like this can still be major, including significant damage to their public perception.
“Although American Water Works has prevented major harm by stopping direct impacts on its water facilities, the ripple effect on customer services such as billing systems and call centers shows how even partial system outages can cause vast disruption and reputational damage.”
The event is the latest in a continued barrage of attacks on US critical national infrastructure, with water facilities targeted as cyber adversaries seek to sow disruption and erode trust in the nation’s public sector.
Earlier this year, the national cyber agency CISA, alongside international partners, warned it had observed the Chinese-linked Volt Typhoon threat actor establishing and maintaining a presence in the IT environments of water companies for at least five years.
Lintell added that the attack on American Water was likely the work of a similar state-sponsored attacker and part of a wider campaign targeting OT environments in the region.
“Assuming we learn this is the work of a state actor, it would be part of a larger trend where they are increasingly targeting smaller utility companies as part of a broader strategy to infiltrate operational technology (OT) environments.
“By remaining undetected within a network, these actors can sit and wait for a future opportunity to trigger a larger event. Such efforts are part of a wider destabilization strategy aimed at sowing uncertainty and eroding trust in critical infrastructure,” he explained.
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.