Botnet traced to computer at hacked Florida water plant

Two very different types of hackers can be on the same network simultaneously, with the victim none the wiser.
[Image: water treatment plant (Getty Images)]

On Feb. 5, an unidentified hacker broke into the computer system of a water treatment plant in the Florida town of Oldsmar and temporarily changed the plant’s sodium hydroxide setting to a potentially dangerous level, according to local officials. It turns out that hacker wasn’t alone on the network.

While law enforcement officials still haven’t publicly identified the perpetrator of the well-publicized hack, industrial security firm Dragos on Tuesday revealed a separate suspected intrusion that same day of one of the Oldsmar Water Treatment Facility’s computers. Dragos has tied the malicious code to a botnet, or horde of infected computers used by spammers, whose code scanned the computers of local water utilities in Florida in recent months.

There is no connection between the incidents — whoever tampered with the Oldsmar facility’s chemical settings is not involved in the botnet — but the revelation shows how two very different types of hackers can be on the same network simultaneously, with the victim none the wiser.

The exposure of the Oldsmar plant’s computer to the botnet began that February morning when a plant employee visited the website of a Florida water infrastructure firm that was infected with malicious code, according to Dragos. Analysts found that, over the course of two months starting in December, over 1,000 computers belonging to municipal water utilities, employees of state and local government agencies and others visited the infected website.
“While the activity appears targeted to the water sector and is malicious it’s nothing impactful and can be considered high-level reconnaissance,” Dragos CEO Robert M. Lee told CyberScoop. “Dozens of other water companies … have been profiled by the malicious actor.” Lee said his firm went public with its findings to remind people why intelligence analysts shouldn’t jump to early conclusions based on incomplete data.

Dragos traced the malicious code to another website that it said was used to communicate with a years-old botnet known as Tofsee. The botnet is known for sending large volumes of spam to users of dating websites in order to generate cryptocurrency. Dragos analysts suspect that the hackers infected the water infrastructure firm’s website to collect user data and fine-tune the malicious software used by the botnet.

As for the attempt to tamper with the Oldsmar water supply, a plant operator reversed the change made by the hacker to the water solution before it entered Oldsmar’s drinking supply. But the incident has prompted scrutiny by U.S. lawmakers as well as calls from security experts for more cybersecurity resources for a cash-strapped water sector.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.