Hackers hid on a server holding client information for a Queensland water company for nine months, demonstrating the need for robust cyber defenses for key infrastructure. SunWater is a government-owned water company in Australia that manages 19 large dams, 80 pumping stations, and 1,600 miles of pipelines. SunWater was hacked for nine months, according to the Queensland Audit Office's annual financial audit report, with the perpetrators going unnoticed the entire time.
Although the entity isn't named in the report, ABC Australia questioned the authority and discovered it was SunWater. Between August 2020 and May 2021, the actors gained access to a webserver that the water company used to store customer information. The hackers didn't appear to be interested in stealing critical information, as they instead used specialized malware to drive traffic to an online video platform.
There is no evidence that the threat actors stole any consumer or financial information, according to the audit report, and the vulnerability that they exploited has since been addressed. According to the report, the actors only hacked the older, more vulnerable version of the system, leaving the modern, far more secure web servers unharmed.
The audit looked at six water authorities, including Seqwater, Sunwater, Urban Utilities, Unitywater, Gladstone Area Water Board, and Mount Isa Water Board, and warned of information system vulnerabilities. Internal control flaws, such as those involving money transfer payment information, were also discovered. The 36-page report recommended that "ongoing security weaknesses in information systems" be addressed immediately.
In the case of the cyber breach, the report noted that steps were taken to address the problem, including software updates, the use of stronger passwords, and the monitoring of incoming and outgoing network traffic. Despite the audit office's recommendation last year that institutions tighten the security of their information systems, not all had taken action, according to the report. On June 30, three of the six organizations still exhibited "control weaknesses," according to the report. The report also identified 24 internal control flaws across the sector. According to the report, one authority had three deficiencies in managing user access across financial, invoicing, and payroll systems.
"We continue to identify several control deficiencies relating to information systems. Cyber-attacks continue to be a significant risk, with ongoing changes in entities' working environments due to COVID-19," reads the auditors' report.