Experts warn Iran could be behind the Florida water supply cyber-hack

Iran could be behind last week’s cyber hack of a small Florida town’s water supply, several intelligence and law enforcement officials warned in conversations with this reporter. The situation in the city of Oldsmar, Florida could have been far worse, according to Sheriff Bob Gualtieri of Pinellas County, who confirmed that the sodium hydroxide in the system was raised to extremely harmful and even deadly levels. The attack was carried out remotely by a hacker, he told reporters on Monday.

“It’s a bad act. It’s a bad actor. It’s not just a little chlorine, or a little fluoride — you’re basically talking about lye,” Gualtieri told reporters on Monday.

The small-town hack, however, may have come from the world’s largest sponsor of terrorism: Iran. What’s more, the regime was reportedly behind a similar attack on Israel’s water supply last year, per Fox News’ Trey Yingst. Such an attack would certainly be an escalation of the regime’s rhetoric, which has threatened on multiple occasions to annihilate both the United States and Israel.

According to Dr. Rick Kiper, a retired FBI agent and computer forensic examiner, there are a number of ways the intelligence community can trace such hacks to foreign sources. This is done through what are known as “Indicators of Compromise” (IOCs).

“The Indicators of Compromise are basically pieces of digital evidence that reveal the tactics that hackers use to get into systems. Hackers, like the rest of us, can be kind of set in their ways,” Kiper told this reporter. “So even hackers have patterns that they use over and over again because they don’t want to reinvent the wheel each time. If they have a tactic that’s worked before, they’ll use it again.”

Another sign could be the IP addresses hackers use, he added, noting that the FBI has published a list of IOCs for Iranian activity targeting voting systems. For example, hackers can use a technique called SQL injection to reach the backend database of a website, and then use that access to download the website’s databases.

Iran has employed both of these tactics, according to Kiper. “That’s basically what investigators are going to be looking for in order to identify who committed this intrusion – what actually happened and how do those actions actually match up to the known indicators of compromise,” he explained.

Sometimes, however, a hacker may use an IP address or a tactic that is associated with a completely different country in order to hide his identity. “They could put on the persona of either another hacker group or another particular hacker because there are Indicators of Compromise for specific groups, there’s Indicators of Compromise for countries, as well as for state actors, and then individuals.”

Kiper added, “However, we always like to say we catch the dumb ones, and a lot of times they won’t go through that effort, especially if they’re trying to get into a bunch of systems.”
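To make the matching Kiper describes concrete, here is an added example (not from the article, the FBI, or any named agency) that tags constructed web-server log lines against a constructed IOC list. The IOC addresses are placeholder RFC 5737 documentation ranges with no real attribution, the log format is the common Apache/nginx combined style, and an address match on its own is deliberately scored as weak, reflecting the point above that IPs can be borrowed to impersonate someone else.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed IOC list (placeholders, NOT real indicators): RFC 5737 documentation ranges.
IOC_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Request fragments typical of SQL-injection probing, the "tactic" Kiper describes.
SQLI_PATTERNS = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)'\s*or\s+['\d]"),
]

# Apache/nginx combined-log style: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def analyze(line):
    """Tag one access-log line: (client_ip, ip_hit, sqli_hit, verdict), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = m.group("ip")
    ip_hit = any(ip_address(ip) in net for net in IOC_NETWORKS)
    path = unquote(m.group("path"))  # decode %27, %20 etc. before pattern matching
    sqli_hit = any(p.search(path) for p in SQLI_PATTERNS)
    # An address match alone is weak evidence (IPs are easy to borrow or relay through);
    # it only becomes a strong indicator when the known tactic shows up as well.
    if ip_hit and sqli_hit:
        verdict = "strong"
    elif sqli_hit:
        verdict = "tactic-only"
    elif ip_hit:
        verdict = "ip-only (weak)"
    else:
        verdict = "none"
    return ip, ip_hit, sqli_hit, verdict

def triage(log_text):
    """Run analyze() over every line and keep the parsable results, in order."""
    return [r for r in (analyze(l) for l in log_text.splitlines()) if r]

# Constructed sample log (fictional traffic, four lines).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2021:10:02:11 -0500] "GET /login.php?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200 512
192.0.2.44 - - [05/Feb/2021:10:03:40 -0500] "GET /index.html HTTP/1.1" 200 2048
198.51.100.9 - - [05/Feb/2021:10:05:02 -0500] "GET /about.html HTTP/1.1" 200 1100
192.0.2.45 - - [05/Feb/2021:10:06:30 -0500] "GET /item.php?id=1%20UNION%20SELECT%20null,null HTTP/1.1" 500 90
"""
```

Running `triage(SAMPLE_LOG)` yields one strong hit (listed address plus injection tactic), one clean line, one weak address-only hit, and one tactic-only hit from an unlisted address.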

One route to compromise, Kiper said, is remote access to SCADA (supervisory control and data acquisition) systems, which remotely manage utility equipment such as valves and electrical grids.

“So a lot of utilities use a SCADA system because they don’t have to send workers out to turn valves and make direct connections, or actually to go read meters…. but of course, when you create convenience like that, you’re opening yourself up to security vulnerabilities and that’s exactly what happened.”

He concluded, “Indicators of Compromise are collected and shared. So if someone is hacked, they’re really encouraged to share exactly how they were compromised. But a lot of companies, they have shareholders, or they have maybe the chief information security officer, maybe his job is on the line and he really doesn’t want to put it out there publicly that they were hacked, but it really helps the entire community when people share that information.”

Foundation for Defense of Democracies Iran expert Behnam Ben Taleblu told this reporter Wednesday that the recent hack exposes a greater national security loophole that needs to be addressed by both sides of the political aisle.

“The recent hack of Florida’s water supply raises the issue of securing U.S. critical infrastructure from cyber and other malicious hacking activity,” Ben Taleblu said. “Securing American critical infrastructure should be a multi-year bipartisan policy proposition. In this regard, the best defense really is defense.”

He continued, “While Iran has not officially been proven to be the culprit, the clerical regime did attack Israel’s water supply in 2020 using cyber means. In the past, it has also attempted to hack American banks, casinos, and critical water-related infrastructure like dams.”

“Iran sees the cyber domain as one of several vectors to continue carrying out its strategic competition with adversaries. Doing damage to their critical infrastructure through cyber means is one way to land punches and not get caught. For a regime like Iran’s which also uses terrorism, these moves are consistent with its national security strategy. And that’s why it – if proven to be linked to Iran – will require a response.”

According to Israeli reporter Amichai Stein, Israel has joined the investigation into the Florida water supply hack and the Israel National Security Cyber Directorate “is in touch” with U.S. counterparts.

Thanks to local authorities, the poisonous water never actually made its way into local homes. However, the source of the hack is still being investigated.

In a statement to this reporter, the Pinellas County Sheriff’s Office denied having any contact with Israeli officials over the hacking and suggested the FBI or U.S. Secret Service may have more information on the matter.

The U.S. Secret Service and the FBI both declined to comment.

Follow Jennie Taer on Twitter @JennieSTaer
