American Water Company, a New Jersey-headquartered utility responsible for providing water to 14 million customers, suffered a cyberattack on October 3. On Monday, the company filed a report with the Securities and Exchange Commission (SEC) and announced that it has paused all customer billing. American Water Company is the largest regulated water and wastewater utility company in the United States and is part of critical infrastructure.
The company operates in 14 states and supports at least 18 military bases in the United States.
The exact details of the cyberattack, including its extent, are unknown. According to reports, some customer billing data was lost during the attack. Despite the hack, American Water posted on its website to assure its customers that all water and wastewater operations remain fully functional.
Ransomware not yet detected in American Water hack
Ransomware has not yet been detected as the company performs incident response and network forensics. The company has contacted law enforcement and federal agencies for further investigation.
No ransomware gang or hacking group has claimed responsibility for the attack.
According to the SEC filing, the extent of the hack is unknown at this time. American Water states it is “unable to predict the full impact of this incident” and has disconnected several systems out of an abundance of caution.
Hack exposes critical infrastructure cybersecurity vulnerabilities
Even if the damage is limited to lost customer billing data, the hack is a wake-up call across the country about the need to secure critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) defines critical infrastructure to include 16 sectors, including water and wastewater utilities such as American Water.
Nation-state hackers such as Volt Typhoon, a People’s Republic of China affiliated group, increasingly target critical infrastructure in the U.S.
In January 2024, the U.S. Department of Justice announced that it disrupted a botnet operated by Volt Typhoon targeting U.S. critical infrastructure. The botnet exploited small office/home office (SOHO) routers from brands such as Netgear and Cisco that were left vulnerable, as they had reached end-of-life and end-of-support status.
FBI Director Christopher Wray stressed the significance of the threat from China on U.S. critical infrastructure.
“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” Wray said.
“Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate. We are going to continue to work with our partners to hit the PRC hard and early whenever we see them threaten Americans.”
China isn’t the only foreign nation targeting U.S. water and wastewater utilities. In December 2023, CISA announced that hackers affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) were also targeting programmable logic controllers (PLCs), a form of operational technology (OT) used in industrial and critical infrastructure networks.