Dragos has finally been able to publicly release its findings from a prior Advisory Alert on February 17, 2021 to customers informing them of the watering hole potentially targeting water utilities along with defensive guidance and indicators. Members may recall the March 24, 2021 Cyber Threat Briefing and previous (TLP:AMBER) Action Recommended: Strategic Web Compromise (Watering Hole Attack) Impacts Water Sector post (provided in the Security & Resilience Update for February 18, 2021) highlighting Dragos’ research on a watering hole website (strategic web compromise) with tangential correlation to the Oldsmar Water Treatment Plant incident. While adversary goal and intent are still unknown regarding the watering hole and further investigation reveals a “less ominous threat,” Dragos reiterates several elements that initially precipitated a pause for concern for water utilities, specifically:

• Florida-focused watering hole
• Temporal correlation to Oldsmar event
• Highly encoded and sophisticated JavaScript
• Few code locations on the internet
• Known ICS-targeting activity groups use watering holes as initial access including: DYMALLOY, ALLANITE, and RASPITE

For more analysis and to register for a SANS webinar to learn more, visit Dragos.