In January, a Texas town was hit with a suspected cyber attack on its water system that has been linked to Russian hackers claiming to be backed by the Kremlin. This attack, if confirmed, would be the first-ever disruption of a US drinking water system by hackers from Russia. Similar attacks have been carried out by Iran and China in the past.
Muleshoe, a small community of 5,000 residents located in the Texas Panhandle, was the target of the attack. The hackers, known as the Cyber Army of Russia Reborn (CARR), posted a video on Telegram showcasing their ability to remotely access and manipulate the town’s water control systems. The group also posted a message in Russian, stating that they were “starting another raid on the USA” and “there are a couple of critical infrastructure objects, namely water supply systems.”
Despite the group claiming responsibility for the hack, it is still unclear what effects the manipulation of the water control systems had. Local officials have acknowledged the cyber attack and confirmed some form of disruption, with the city manager of Muleshoe revealing in a public meeting that the attack caused the town’s water tower to overflow for almost an hour. Other nearby towns, such as Abernathy, Hale Center, and Lockney, also reported being affected, with their well systems seen in the interface shown on the Telegram screen recording.
In response to the attack, all three towns disabled the software overseeing their utilities to prevent further exploitation. However, officials insisted that service to customers was never explicitly interrupted. For residents of Muleshoe, the effects of the attack were more noticeable as thousands of gallons of fresh water were seen going to waste when the water tower overflowed.
The FBI is currently investigating the hacking activity, and a seasoned cybersecurity specialist from Google-owned Mandiant has confirmed that the attack was carried out by CARR, also known as Sandworm. This group has previously targeted Ukrainian organizations and government agencies and is also responsible for various other attacks, including the brief power outage during the 2018 South Korean Olympics, and the 2017 French Elections.
The group, now calling itself CARR, has been linked to the Russian intelligence agency GRU. The State Department has issued multimillion-dollar bounties for the capture of those associated with the group, and they have been previously charged for hacking the Chornobyl safety system in 2017. The KGB replacement, which remained in place after the collapse of the Soviet Union, has also been framed as members of the group.
John Hultquist, chief analyst at Mandiant, believes that this attack could heighten tensions between the United States and Russia, as well as show the group’s shift towards targeting American infrastructure. He also noted that the hackers have been using social media accounts to post Ukrainian government data stolen by Sandworm.
This attack in Texas comes after a warning from the Biden administration that intelligence indicated new state-sponsored cyber attacks were forthcoming. Additionally, National Security Advisor Jake Sullivan and Environmental Protection Agency Administrator Michael Regan have recently warned that “disabling cyberattacks are striking water and wastewater systems throughout the United States.”
This warning was specifically directed at Iranian and Chinese hackers, citing a case in which hackers supported by the Iranian Revolutionary Guards disabled a controller at a water facility in Pennsylvania.
The leaked documents also reveal the sinister global cyberwarfare strategy of Vladimir Putin’s Russia. The files show how a company with links to the Russian intelligence service has aided the Kremlin’s agenda by attacking digital enemies. It is clear from these developments that cyber-attacks are becoming an increasing threat to critical infrastructure and must be taken seriously by government officials and organizations responsible for protecting these systems. The investigation into the January attack on the Texas water system is ongoing, and it is crucial that measures are put in place to prevent similar attacks in the future.
