WaterISAC has been made aware of a phishing campaign that occurred last month impersonating the Maine CDC Drinking Water Program (DWP). The fake emails were reportedly sent to all Maine water operators and requested that operators click on a link to “verify or update” their information in order to avoid having their license revoked. The attackers used the Maine.gov logo and the Division title in the email subject lines to make the message appear legitimate. The Maine Department of Health & Human Services sent a cybersecurity alert via email, but it can also be viewed at Maine DWP Cybersecurity Alert: Phishing Attempt on Maine Water Operators.
This recent campaign is similar to prior incident reports WaterISAC has received that impersonated state agencies in recent years. WaterISAC shared these reports with members:
- Threat Advisory – Phishing Campaign Mimicking Primacy Agency Data Validation Request Resurfaces (January 2023)
- Threat Advisory – Current Phishing Campaign Mimics a Primacy Agency Data Validation Request (August 2022)
Lessons Learned
- Share Information on Threats. In these cases, state agencies quickly sent out a broadcast alert to targeted audiences warning them of the phishing attempt.
- Open-Source Intelligence (OSINT). There is a lot of information on the internet about our water systems. Become familiar with what is out there. In some cases, you can work to remove detailed and sensitive information. It takes time and persistence, but it is possible. In other cases, the information is intentionally part of the public record for citizens. Therefore, we need to be aware of this class of data so we are not fooled into trusting whoever has it because we believe only privileged sources have access to it.
- Practice Phishing Drills. Part of every utility’s cybersecurity awareness training should include regular phishing drills for staff. CISA has free resources to assist, such as, Teach Employees to Avoid Phishing.
- Not Sure, Call. If you are not sure that the source of an email is legitimate, call them through previously established phone numbers to confirm the request’s validity.
- Fall for a Phish, Contact Your IT Group. If you realize after the fact that you fell for a phishing email, or you think you might have, call your information technology group to find out what to do. Everyone except the attacker, will be glad you did.
Members are encouraged to view the referenced resources for screenshots of the actual phishing messages so you can spot and report similar scams.
Incident Reporting
WaterISAC encourages any members who have experienced malicious or suspicious activity to email analyst@waterisac.org, call 866-H20-ISAC, or use the confidential online incident reporting form.
