The U.S. Environmental Protection Agency (EPA) issued a stern warning on May 20th, 2024, highlighting the escalating cyber threats to the nation's drinking water systems while outlining stricter enforcement measures to protect water-related critical infrastructure. The Environmental Protection Agency is an independent U.S. agency responsible for protecting human health and the environment. These responsibilities include making sure that Americans have clean air, land and water and overseeing the implementation of federal laws related to these matters. The alert comes as part of a wider government initiative to strengthen national security and address vulnerabilities in critical infrastructure.

Environmental Protection Agency Concerned By Recent Inspection Results

Recent EPA inspections have revealed alarming cybersecurity gaps in a majority of water systems. More than 70% of inspected systems were found to be non-compliant with the Safe Drinking Water Act, with some exhibiting severe vulnerabilities such as unchanged default passwords and single logins. These weaknesses leave systems susceptible to cyberattacks, which have been observed by the agency to have become increasingly more frequent and severe in recent times. In response to the escalating threat, the EPA is ramping up its enforcement activities under the Safe Drinking Water Act. This includes increasing the number of inspections, initiating civil and criminal enforcement actions where necessary, and ensuring that water systems are adhering to the requirements of risk assessment and emergency response planning. The EPA is also working closely with federal and state partners, including the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, to fortify the nation's water systems against cyber threats. This collaboration includes providing technical assistance, guidance, training, and resources to help water systems implement crucial security measures. "Defending our nation's water supply is central to our mission at the EPA," emphasized Deputy Administrator Janet McCabe. We are leveraging all available tools, including enforcement, to shield our water from cyber threats. The alert reflects the current government's dedication to dealing with the urgency of cyber threats to critical infrastructure, and ensuring that water systems are adequately equipped to counteract these risks to public health.

EPA's Key Recommendations for Water Systems

The EPA's enforcement alert warned that cyberattacks on water systems could have devastating consequences, potentially disrupting treatment, distribution, and storage of water, damaging critical infrastructure, and even manipulating chemical levels to hazardous amounts. The alert added that small water systems are not exempt from this threat, as recent attacks by nation-state actors have targeted systems of all sizes. The EPA, Cybersecurity and Infrastructure Security Agency (CISA), and the FBI strongly recommend that water systems implement the following cybersecurity measures:

• Reduce exposure to the public-facing internet.
• Conduct regular cybersecurity assessments.
• Immediately change default passwords.
• Conduct an inventory of operational technology (OT) and information technology (IT) assets.
• Develop and practice cybersecurity incident response and recovery plans.
• Backup OT/IT systems.
• Reduce exposure to vulnerabilities.
• Conduct cybersecurity awareness training.

The EPA and CISA are offering free assistance to water systems to help them implement these crucial changes. Utilities can contact the EPA through its Cybersecurity Technical Assistance Form or email CISA Cyber Hygiene Services at vulnerability@cisa.dhs.gov with the subject line 'Requesting Cyber Hygiene Services'. [caption id="attachment_69563" align="alignnone" width="184"] Source: epa.gov[/caption] The EPA's heightened enforcement measures reflect the urgency of the threat facing the nation's water systems. By working together with federal and state partners and implementing recommended security practices, water systems can significantly enhance their resilience and protect this critical resource from malicious threat actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.  

An unidentified threat actor known as "pwns3c" has offered access to a database purported to contain sensitive data and documents from a City of New York data breach for sale on BreachForums. The City of New York website offers official digital representation of the city's government as well as access to related information such as alerts, 311 services, news, programs or events with the city. The claims made in the post, despite its alleged nature raises significant concerns about the extent of the data breach as well as the security practices followed by the government office.

Alleged City of New York Data Breach Claimed to Include Sensitive Data

The stolen database is allegedly stated to include 199 PDF files, approximately 70MB in size in total. The exposed data includes a wide range of personally identifiable information (PII), such as: Licensee Serial Number, Expiration Date, Applicant or Licensee Name, Trade Name, Street Address, City, Zip Code, Phone Number of Applicant, and Business Email of Applicant. Moreover, the data also reveals sensitive details about building owners, attorneys, and individuals, including their EIN, SSN, and signature. The threat actor is selling this sensitive information for a mere $30, and interested buyers are instructed to contact them through private messages within BreachForums or through their Telegram handle. The post seemingly includes links to download samples of the data allegedly stolen in the attack. [caption id="attachment_68084" align="alignnone" width="1872"] Source: BreachForums[/caption] The alleged data breach has far-reaching implications, as it puts the personal information of numerous individuals at risk. The leak of personally identifiable information (PII) and sensitive documents exposes individuals to potential risks of identity theft, fraud, and other malicious activities. The Cyber Express team has reached out to the New York City mayor's official press contact email for confirmation. However, no response has been received as of yet.

pwns3c Earlier Claimed to have Hacked Virginia Department of Elections

In an earlier post on BreachForums, pwns3c claimed an alleged data breach against the Virginia Department of Elections, compromising of at least 6,500 records. The earlier stolen data was also offered for USD 30 in Bitcoin (BTC), Litecoin (LTC), or Monero (XMR) on the dark web. The Virginia Department of Elections is responsible for providing and overseeing open and secure elections for the citizens of the Commonwealth of Virginia. It is responsible for voter registration, absentee voting, ballot access for candidates, campaign finance disclosure and voting equipment certification in coordination with about 133 of Virginia's local election offices. The compromised data was allegedly stated to have included sensitive information such as timestamps, usernames, election data, candidate information, and voting method details. However, there has been no official confirmation of the stated incident as of yet. The breaches claimed by pwns3c, despite their alleged nature highlight the persistent challenges of securing the websites of government institutions. The sensitive nature of the stolen data that may allegedly include Social Security Numbers (SSNs), contact information, election-related details, and signatures, underscores the urgency for government websites to strengthen their security measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.