Hackers breached a water utility and manipulated systems responsible for water treatment and flow control, Verizon said in a report released this month.

Verizon’s data breach digest for March 2016 describes several attacks investigated by the company, including one aimed at the systems of an unnamed water utility referred to by Verizon as the Kemuri Water Company (KWC).

The water district had asked Verizon to conduct a proactive assessment as part of its efforts to keep systems and networks healthy, but experts soon discovered clear signs of malicious activity.

They immediately noticed that the organization had a poor security architecture, with Internet-facing systems plagued by high-risk vulnerabilities known to be exploited in the wild, and outdated operation technology (OT) systems that had been more than ten years old.

Learn More at the ICS Cyber Security Conference

The water utility’s SCADA platform was powered by an IBM AS/400 system, which was first introduced by the vendor in 1988. This system was used to connect both OT functions, such as the water district’s valve and flow control applications, and IT functions, such as financial systems that stored customer and billing information.

An analysis of KWC’s Internet traffic revealed that some IP addresses previously identified during the investigation of attacks carried out by hacktivists had connected to the targeted organization’s online payment application.

Verizon investigators believe the hackers exploited a vulnerability in the payment application web server. This server stored the internal IP address and admin credentials for the AS/400 system, from which the attackers are believed to have stolen 2.5 million records containing customer and payment information. Experts had not found any evidence to suggest that fraudulent activity had taken place on the compromised accounts.

Since the compromised AS/400 system also ran valve and flow control applications used to manipulate the utility’s hundreds of programmable logic controllers (PLCs), the hackers managed to access this software and alter settings related to water flow and the amount of chemicals used to treat the water.

Investigators said they discovered four separate connections over a 60-day period leading up to their assessment.

“In at least two instances, they managed to manipulate the system and thus handicap water treatment and production capabilities so that the recovery time to replenish water supplies increased,” Verizon said in its data breach report. “Fortunately, based on alert functionality, KWC was able to quickly identify and reverse the chemical and flow changes, largely minimizing the impact on customers.”

Verizon pointed out that the attackers likely had little knowledge of how the flow control system worked — the attack could have had far more serious consequences if hackers had more time and more knowledge of the targeted industrial control systems (ICS).

“While it’s easy to want to believe all hackers and attackers are brilliant, talented and highly sophisticated computer geeks who have innate, unworldly skills that allow them to circumvent even the most secure digital systems in a flash, the reality is often different,” said Doug Wylie, VP of product marketing at ICS security firm NexDefense. “As shown by this report, the required skills needed to gain entry into this particular mission-critical system was much less impressive that what we might expect or typically see on TV.”

“The facts in the report do speak for themselves and it’s readily apparent the specific affected water utility was trapped in a past decade (or even two decades ago) in a time when they had little reason to expect their company, business operations or water control systems would ever become the desired target for a sophisticated cyber attack,” Wylie told SecurityWeek.

“While it would be nice to think this particular water utility affected by the breach is unique, having unicorn-like qualities, what was found in the water utility of interest in the Verizon report is likely more typical than unusual,” Wylie noted. “When company budgets are tight and production can’t stop, when perceived risks are misjudged and networked systems evolve uncontrollably over the span years and decades, the associated cybersecurity risks to these connected systems naturally increase.”

Related Reading: Critical Infrastructure Incidents Increased in 2015

Related Reading: ICS Security Firm Warns of Flaws in WirelessHART Devices

Related Reading: Agency Calls for Improved ICS Security in Europe