Kansas Man Faces Federal Charges Over Water Treatment Hack
DOJ: Wyatt Travnichek Allegedly Accessed Cleaning and Disinfecting System
A Kansas man faces federal charges for allegedly accessing the network of a local water treatment facility and tampering with the systems that control the cleaning and disinfecting procedures for local water sources, according to the U.S. Justice Department.
Wyatt Travnichek, 22, of Ellsworth County, Kansas, has been charged with one count of tampering with a public water system and one count of reckless damage to a protected computer during unauthorized access, according to the U.S. Attorney's Office for the District of Kansas, which is overseeing the case. Travnichek is a former employee at the facility.
Travnichek was served with a summons after the indictment was unsealed this week by federal prosecutors and is slated to make his first court appearance on April 22, according to documents from the case.
The more serious of the two charges - tampering with a public water system - carries a possible 20-year federal prison term and a $250,000 fine, the Justice Department notes. The charge of tampering with a protected computer is punishable by up to five years in federal prison.
In March 2019, Travnichek remotely accessed the network of the Ellsworth County Rural Water District in Kansas and allegedly attempted to interfere with the facility's system that controls the cleaning and disinfecting procedures for the area's water supply, according to the indictment.
"By illegally tampering with a public drinking water system, the defendant threatened the safety and health of an entire community," said Lance Ehrig, the special agent in charge of the Environmental Protection Agency's Criminal Investigation Division in Kansas, which helped investigate the case.
Travnichek's indictment follows a similar incident that happened in February in Florida, where an unknown attacker or attackers gained remote access to the network of the water treatment facility for the city of Oldsmar and attempted to increase the amount of lye in the water system. The attack was thwarted (see: Hacker Breached Florida City's Water Treatment System).
An attorney for Travnichek could not be immediately reached for comment on Friday.
Attempted Attack
Neither the Justice Department nor the indictment offers many details about the 2019 incident that led to the charges against Travnichek.
The indictment notes that the Ellsworth County Rural Water District, which is also known as the Post Rock Rural Water District, serves about 1,500 retail customers and 10 wholesale customers over eight Kansas counties.
In addition to supplying water, the facility is responsible for cleaning and disinfecting customers' drinking water, according to the indictment.
Travnichek worked at the facility between January 2018 and January 2019. Part of his duties included remotely logging into the Post Rock computer system to monitor the plant after hours, the indictment notes.
On March 27, 2019, Post Rock reported what federal prosecutors called an "unauthorized remote intrusion resulting in the shut-down of the facility's processes." During this time, Travnichek allegedly accessed the facility's cleaning and disinfecting system and attempted to shut down those processes, according to the Justice Department.
Federal prosecutors did not specify what remote access tool or tools Travnichek allegedly used to gain access to the network or if his old credentials were enough to allow him to regain access to the systems.
Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council, says the information released about the case so far doesn't indicate whether the suspect in the case was a skilled attacker intent on doing harm or an ex-employee trying to cause an issue for his former employer.
"I would caution that we don't have all the facts, and it is also possible that this could have been a crime of opportunity much as the Oldsmar [Florida] water event is thought to have been," Hamilton, now the CISO of CI Security, says. "The fact that Travnichek 'allegedly shut down certain processes' does not indicate a knowledge of any effect from the actions and does not indicate malice of intent. Either this is a domestic terrorist that had a problem with government, or this is a somewhat skilled opportunist that obtained access and made random changes."
Florida Incident
In the case still being investigated in Florida, local law enforcement officials believe that the attacker or attackers used TeamViewer to gain remote access to the facility's network. Remote access and desktop-sharing tools, such as TeamViewer, have previously been exploited through social engineering attacks and phishing campaigns in which user credentials are stolen, according to the U.S. Cybersecurity and Infrastructure Security Agency, which has oversight over the nation's critical infrastructure, including water treatment plants (see: 5 Critical Questions Raised by Water Treatment Facility Hack).
It remains unclear whether TeamViewer was used within the Florida plant by the IT or security teams or if an administrator or worker installed the software without authorization.
The initial investigation also showed that the computers at the Florida plant reportedly were network-connected to the supervisory control and data acquisition - aka SCADA - system and were running outdated 32-bit versions of Windows 7 (see: Florida City's Water Hack: Poor IT Security Laid Bare).
Following the attack, CISA warned the operators of other plants to be on the lookout for hackers who exploit remote access software and outdated operating systems - and to take risk mitigation steps.
Managing Editor Scott Ferguson contributed to this report.