2020-11-23-The-Maroochy-Shire-Incident

The Maroochy Shire Incident

Edward Miro

c1ph0r@protonmail.com

@c1ph0r



With the elections in full swing, it’s not hard to imagine the waves of change that may or may not be on the horizon. Waves of shifting power. Waves of stress and uncertainty. But for the residents of Maroochy Shire in Queensland, Australia, in early 2000, the waves were of a different kind: a 264,000 gallon wave of literal shit.

Let’s go back a few years. In 1997 the Maroochy Shire council awarded a contract to put its sewerage pumping network under a SCADA system. SCADA, or supervisory control and data acquisition, is the usual architecture for industrial control systems (ICS) spread over a wide area: a central computer supervises and commands remote controllers, sensors and actuators over some communications link, here a radio network.

The contract went to Hunter Watertech (HWT), which installed equipment at 142 of the Shire’s sewage pumping stations. Each station got a remote terminal unit (RTU), a field device built specifically to sit between the station’s pumps and sensors and the central SCADA system, talking to it over a private radio network.

Picture the way a mesh network works with home WiFi. The central SCADA computer in the control room issues commands, and those commands are propagated through a chain of radio repeaters out to the RTUs across the network.

The same path works in the other direction. A mobile worker with a compatible radio and HWT’s software can connect through any of those repeaters and operate the entire system, and, as the rest of this story shows, so can anyone else with the same radio and software: the radio link itself is the only thing standing between a laptop in a car and every pump in the Shire.

Enter Vitek Boden, hired by Hunter Watertech in late 1997 as a site supervisor on the project. The details are spotty, but Boden and HWT evidently didn’t see eye to eye, and in December 1999 he resigned. It has been noted that he had made unauthorized changes to the system and unwelcome suggestions about its implementation.

With his intimate knowledge of the SCADA upgrade project, Boden must have imagined his skills would be appreciated by the Maroochy Shire council, and he applied for a job there. After a month of waiting and approaching the council, his application was rejected. Had the upgrade project taken longer, maybe it would have made sense to bring him on, but HWT finished in mid January 2000.

The new system ran into trouble almost immediately. In late January, operators started seeing strange faults: communication failures, loss of pump control, and false alarms. Naturally the new SCADA system was suspected as the cause, and Hunter Watertech came back out, reinstalled the system and did a thorough investigation.

When the faults began again, an HWT employee known in the record only as “Mr. Yager” decided to be proactive and installed a logging system designed to capture and store the control messages and radio traffic on the network. By March 2000 the logs let Mr. Yager identify the source of the faults conclusively: human intervention.

Pump station 14 appeared to be the origin of the dubious transmissions. The station was physically checked and found to be perfectly healthy, so the messages were not coming from its own RTU. Mr. Yager changed the station’s pump ID so that any further messages still carrying the old ID would stand out as forged.

That didn’t hold either. Changing the pump ID kept the unauthorized messages out temporarily, but an industrial-scale back and forth had begun: other pump stations were hit, and IDs were changed back and forth between the operators and the attacker. A shit storm was brewing.

At the peak of the attack, the faults increased to such a degree that the central computer was unable to do anything and technicians had to physically correct issues at each of the 142 pump stations. These attacks reached their crescendo with the release of 264,000 gallons of raw sewage into rivers, parks, local residences and a Hyatt Regency hotel.

Janelle Bryant of the Australian Environmental Protection Agency stated in The Register, “Marine life died, the creek water turned black and the stench was unbearable for residents”. By then, authorities and private investigators had already put together a list of potential suspects, and given Boden’s falling-out with and resignation from Hunter Watertech, he was at the top of that list.

On the night of April 23, 2000, the attacker disabled four more pumping stations, and police were immediately notified.

An officer on patrol spotted Boden’s car parked near one of the pumping stations that had been disabled and initiated a routine traffic stop. In the vehicle police found a PDS Compact 500 computer, a two-way radio, a laptop, a transformer, and cables.

The attack worked like this: Boden parked within radio range of a repeater on the SCADA network, used his laptop to issue commands to the PDS Compact 500, and the two-way radio carried those commands to the nearby repeater and from there to the rest of the network, exactly as a legitimate mobile worker’s would have been.

Forensic analysis showed that the software on Boden’s laptop had only one practical use, interfacing with the system installed by HWT, and that HWT had in fact developed it. The laptop’s event logs had startup and shutdown entries that correlated with the times of the attacks, and the radio was set to the same frequency as two of the repeaters involved.
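The two investigative steps in this story are easy to miss under the sewage: Mr. Yager’s logger captured control messages and radio traffic, found that messages claiming to come from a healthy station were not coming from it, and changed the pump ID so that stale IDs would stand out; the forensic team then lined the attack timestamps up against the laptop’s startup and shutdown entries. The script below is an added example, written for this page, not Hunter Watertech’s logger or the investigators’ tooling, and it runs both checks over constructed sample data. The log formats, the repeater and station IDs, the rename time and the laptop sessions are all assumptions made for the example.

```python
"""Added example (not Hunter Watertech's logger or the investigators' tools).

Two checks from the Maroochy story, run over constructed sample data:
  1. Flag control messages whose claimed station ID is retired (after an
     operator rename), unknown, or heard through a repeater that station
     does not normally use.
  2. Correlate the flagged messages with startup/shutdown intervals from a
     seized laptop's event log.
Log formats, station and repeater names, the rename time and the laptop
sessions are all assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Constructed radio-traffic log: relaying repeater, claimed source station
# ID, and the command carried.  Timestamps are ISO strings so that plain
# string comparison orders them correctly.
RADIO_LOG = """\
2000-03-10T22:14:01 rep=R7 src=14 cmd=STATUS
2000-03-10T22:14:07 rep=R3 src=14 cmd=PUMP_STOP
2000-03-10T22:14:09 rep=R3 src=14 cmd=ALARM_DISABLE
2000-03-11T01:02:11 rep=R7 src=114 cmd=STATUS
2000-03-11T01:02:15 rep=R3 src=14 cmd=PUMP_STOP
2000-03-11T01:03:00 rep=R7 src=22 cmd=STATUS
2000-03-11T01:03:40 rep=R3 src=99 cmd=PUMP_STOP
2000-03-11T03:30:00 rep=R3 src=14 cmd=PUMP_STOP
"""

# Constructed laptop event log: startup and shutdown entries only.
LAPTOP_LOG = """\
2000-03-10T22:10:30 EVENT=STARTUP
2000-03-10T22:20:12 EVENT=SHUTDOWN
2000-03-11T00:58:02 EVENT=STARTUP
2000-03-11T01:10:45 EVENT=SHUTDOWN
"""

# Assumed topology: the repeater each legitimate station normally uses.
HOME_REPEATER = {"14": "R7", "19": "R7", "22": "R7", "27": "R3"}
# Assumed operator response (the "change the pump ID" step): from RENAME_AT
# on, station 14 answers to ID 114 and ID 14 is retired.
RENAME_AT = "2000-03-11T00:00:00"
RENAMES = {"14": "114"}

RADIO_RE = re.compile(r"^(?P<ts>\S+) rep=(?P<rep>\S+) src=(?P<src>\S+) cmd=(?P<cmd>\S+)$")
LAPTOP_RE = re.compile(r"^(?P<ts>\S+) EVENT=(?P<ev>STARTUP|SHUTDOWN)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    reason: str
    src: str
    rep: str
    cmd: str


def topology_at(ts):
    """Station->repeater map and retired-ID set in force at time ts."""
    if ts < RENAME_AT:
        return dict(HOME_REPEATER), set()
    homes = {RENAMES.get(s, s): r for s, r in HOME_REPEATER.items()}
    return homes, set(RENAMES)


def classify(ts, rep, src):
    """Return why a message is suspicious, or None if it looks legitimate."""
    homes, retired = topology_at(ts)
    if src in retired:
        return "retired_id"        # stale ID after the operator rename
    if src not in homes:
        return "unknown_id"        # no such station on the network
    if homes[src] != rep:
        return "wrong_repeater"    # real ID, but heard from the wrong place
    return None


def analyze_radio(log_text):
    """Replay the radio log and collect suspicious messages in order."""
    findings = []
    for line in log_text.splitlines():
        m = RADIO_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a control message
        reason = classify(m["ts"], m["rep"], m["src"])
        if reason:
            findings.append(Finding(m["ts"], reason, m["src"], m["rep"], m["cmd"]))
    return findings


def laptop_sessions(log_text):
    """Pair STARTUP/SHUTDOWN entries into (start, end) intervals."""
    sessions, start = [], None
    for line in log_text.splitlines():
        m = LAPTOP_RE.match(line.strip())
        if not m:
            continue
        if m["ev"] == "STARTUP":
            start = m["ts"]
        elif start is not None:
            sessions.append((start, m["ts"]))
            start = None
    return sessions


def correlate(findings, sessions):
    """Map each suspicious message to the laptop session it fell inside, or None."""
    return {f: next((s for s in sessions if s[0] <= f.ts <= s[1]), None)
            for f in findings}


if __name__ == "__main__":
    hits = analyze_radio(RADIO_LOG)
    for f, s in correlate(hits, laptop_sessions(LAPTOP_LOG)).items():
        print(f"{f.ts} {f.reason:15} src={f.src} via {f.rep} cmd={f.cmd} laptop_session={s}")
```

On the sample data the first two forged messages are caught only because station 14 is heard through the wrong repeater, the ones after the rename are caught by the retired ID regardless of path, and the last message falls outside every laptop session, which is the kind of gap a defence lawyer would ask about. None of this is authentication; it is the best an operator can do once the radio link accepts any well-formed frame.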

All in all the attack cost the Council $176,000, and Hunter Watertech spent more than half a million dollars on its response.

Vitek Boden received a two-year prison sentence and was ordered to pay over $13,000 for cleanup and damages. He had been charged with 30 counts of computer hacking, theft and causing environmental damage. Boden in my mind also holds the title of world’s most literal shit poster. Insider threats can be a messy ordeal. Take an expert on the SCADA system in question, who still has the vendor’s software and knows the radio network inside out, and you have a pungent recipe for the ultimate insider threat.

https://www.theregister.com/2001/10/31/hacker_jailed_for_revenge_sewage/

http://web.mit.edu/smadnick/www/wp/2017-09.pdf

https://www.mitre.org/sites/default/files/pdf/08_1145.pdf