WaterISAC has been made aware of a second phishing attempt against Maine water operators. This time the campaign also targeted well drillers. The campaign was reported to the Maine CDC Drinking Water Program on June 24, 2024, and was observed using a similar template as the prior attempt reported in January 2024 – Threat Advisory – Phishing Campaign Impersonates State CDC Drinking Water Program. The fake emails were sent to Maine water operators and well drillers requesting recipients to click on a link to “confirm or verify” information or risk having their water license revoked.

Maine CDC sent a DWP Cybersecurity Alert: “Phishing Attempt on Maine Water Operators and Well Drillers” urging Maine water operators or well drillers who may have received a similar or identical phishing email to NOT PRESS ANY LINKS and DELETE IT IMMEDIATELY. The alert included the attached screenshot highlighting the phishing email (with personally identifying information redacted). DWP comments are included to help identify this email as an illegal and nefarious phishing attempt.

This recent campaign is similar to prior incident reports WaterISAC has received that impersonated state agencies in recent years. WaterISAC shared these reports with members:

• Threat Advisory – Phishing Campaign Impersonates State CDC Drinking Water Program (January 2024)
• Threat Advisory – Phishing Campaign Mimicking Primacy Agency Data Validation Request Resurfaces (January 2023)
• Threat Advisory – Current Phishing Campaign Mimics a Primacy Agency Data Validation Request (August 2022)

Lessons Learned

• Share Information on Threats. In these cases, state agencies quickly sent out a broadcast alert to targeted audiences warning of the phishing attempt.
• Open-Source Intelligence (OSINT).  There is a lot of information on the internet about our water systems. It is useful to know what public information is available. In some cases, detailed and sensitive information can be removed. In other cases, the information is intentionally part of the public record. Therefore, we need to be aware of this class of data so we are not fooled into trusting whoever has it because we believe only privileged sources have access to it.
• Practice Phishing Drills. Part of every utility’s cybersecurity awareness training should include regular phishing drills for staff. CISA has free resources to assist, such as, Teach Employees to Avoid Phishing.
• Not Sure, Call. If you are not sure that the source of an email is legitimate, call the supposed sender through previously established phone numbers to confirm the request’s validity.
• Fall for a Phish, Contact Your IT Department. If you realize after the fact that you fell for a phishing email, or you think you might have, call your information technology group to find out what to do. Everyone except the attacker, will be glad you did.

Additional Water and Wastewater Systems Sector Guidance Resources:

• Recognize and Report Phishing | CISA
• Maine CDC Drinking Water Program Homepage
• Cybersecurity Fundamentals for Water and Wastewater Utilities | WaterISAC
• Top Cyber Actions for Securing Water Systems | CISA
• Water and Wastewater Sector - Incident Response Guide | CISA
• CISA's Free Cyber Vulnerability Scanning for Water Utilities | CISA
• Water and Wastewater Cybersecurity | CISA

Incident Reporting

WaterISAC encourages any members who have experienced malicious or suspicious activity to email analyst@waterisac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form.

This advisory is marked TLP:CLEAR, recipients may share this advisory without restriction. Information is subject to standard copyright rules. For more information on the Traffic Light Protocol, or TLP, visit CISA.