In-brief: A man in Pennsylvania said he was just being a disgruntled former employee when he hacked into base stations owned by his ex-employer that control access to smart water meters and disrupted the business of municipal water utilities across three states. He faces jail time, probation and a fine for his actions.
A Pennsylvania man who has been sentenced to one year and one day in prison admitted that he hacked into his ex-employer’s systems that control access to smart water meters as what he called an “F-U” to his ex-boss, but ended up disrupting utilities across three states.
In what’s becoming a familiar story of a disgruntled ex-employee using a weapon to express his anger at being fired, Adam Flanagan, 42, of Bala Cynwyd, Penn., used not a gun but his knowledge from his previous job to create a headache for his former company, which makes remote meter readers for utility systems.
Unfortunately for Flanagan, his actions disrupted water utilities in five cities across three states, drawing the attention of the federal government, which is a wee bit sensitive about the possibility of cyberattacks against critical infrastructure.
After losing his job in November 2013 as an engineer tasked with setting up Tower Gateway Basestations (TGBs), which collect information from smart water meters in people’s homes, Flanagan used his knowledge of how these readers operate to access them through the Internet and disable them. He also changed passwords to some TGBs to offensive words and phrases like “fuckyou,” just for fun, he told federal investigators.
The United States Attorney’s Office for the Eastern District of Pennsylvania charged Flanagan with twelve counts of damaging protected computers last November. Rather than face a criminal trial and potentially 90 years in prison, Flanagan wisely copped a plea bargain in March.
He was sentenced to the short prison term, three years’ probation and a $40,000 fine after pleading guilty to two counts of unauthorized access to a protected computer.
Flanagan was caught by FBI investigators from Raleigh, N.C., and Philadelphia, who interrogated him on several occasions in late 2015, interviews that are transcribed in court documents that are available online.
Flanagan said he didn’t disrupt the water utility as a plan to be some sort of “master hacker,” but merely to be, for lack of a better term, a jerk, according to the interview transcript.
“Yeah, but, but, but did you know, I mean, you’re fired. You’re not supposed to go back in the system right? I mean, you’re fired. Correct?” FBI investigator Andrew Pelczar asked Flanagan, according to court documents, to which the suspect replied, “Yeah.”
The interview goes on:
“AP (Pelczar): I mean, you know that, right?
AF (Flanagan): Yeah.
AP: When you get fired you’re not supposed to do that.
AF: Yeah, I know that. I honestly, the, I know I wasn’t supposed to be there. I, what I, I was doing it more to just to be a d*ckhead.”
Flanagan’s self-admitted bonehead actions caused considerable disruption to municipal water authorities in five locations in Maine (Kennebec), New Jersey (Egg Harbor and Spotswood) and Pennsylvania (Aliquippa and New Kensington), requiring them to send people out to read the individual meters because the billing data was inaccurate. Flanagan’s former employer also had to conduct forensic examinations of the readers to determine what had happened and how to fix the problems, spending time and money to do so.
In the FBI interviews, Flanagan acknowledges that he began messing with his former employer’s systems after he’d had a bit too much to drink. When one investigator suggested he might be some kind of “master hacker,” Flanagan denied even having such mad skills, saying he only knows “rudimentary logon.”
He further acknowledged that while he was less than well-intentioned when he began accessing his former employer’s systems without authorization, he never aimed to mount a cyberattack of grand proportions.
“I am honestly at fault but yeah it was nothing to be–don’t want to say it wasn’t being malicious, but it wasn’t anything to, you know, take down a network like that,” Flanagan told investigators.