Hackers have been hiding on a computer storing client information for a Queensland water company for nine months, demonstrating the need for robust cyber defenses for crucial infrastructure. SunWater is a government-owned water company in Australia that manages 19 large dams, 80 pumping stations, and 1,600 miles of pipelines.
SunWater was broken for nine months, as per the Queensland Audit Office’s annual financial audit report, with the perpetrators going unnoticed the whole time. Although the organization isn’t named in the article, ABC Australia questioned the authorities and discovered it was SunWater.
Between August 2020 and May 2021, the actors gained access to a water company’s webserver to store customer information. The hackers didn’t seem to be interested in stealing critical information, as they used specialized malware to drive traffic to an online video platform.
According to the audit report, there is no evidence that the threat actors took any consumer or financial information, and the vulnerability they exploited has since been addressed. According to the report, the actors only hacked the older, more susceptible version of the system, leaving the current, considerably more secure web servers unharmed.
Finally, the research highlights the lack of effective account security measures, such as granting users just the level of access necessary to execute their jobs. SunWater, on the other hand, had many user accounts with access to different systems, which increased the possibility of a single point of penetration. The auditors looked at the internal controls of six Australian water authorities and discovered three flaws without naming them.
The audit identified many critical shortcomings, including the lack of anti-fraud controls to secure financial transactions from BEC perpetrators and the prevalence of multiple vulnerabilities in IT systems. In conclusion, the auditors noted that public organizations had made significant measures in response to last year’s suggestions, but that more work has to be done:
- Enable multi-factor authentication on all public-facing external systems
- Systems for detecting and reporting security threats should be implemented
- Implement processes for identifying major security vulnerabilities
- Ensure the password is minimum eight characters long
- Arrange for security awareness training
