C0020: Maroochy Water Breach
Maroochy Water Breach was an incident in 2000 where an adversary leveraged the local government’s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.[1]
Analyst context for executives and security teams
The Maroochy Water Breach is a concrete ICS example of cyber activity becoming a public-service and environmental incident: misuse of a wastewater control system and stolen engineering equipment led to the release of 800,000 liters of raw sewage. For leaders, the decision value is that OT security is not only an IT risk. Loss of operator visibility, loss of control, unauthorized commands, alarm manipulation, wireless access, remote services, and transient engineering assets can directly affect community services and physical outcomes.
Executive priority
Prioritize this as an operational resilience and cyber-physical risk case study. Executives should ask whether wastewater, utilities, or other control environments can prove who can remotely or wirelessly interact with control assets, whether engineering equipment is inventoried and access-controlled, whether alarms and reporting data are trustworthy, and whether incident response plans include physical-process safety, environmental reporting, and continuity decisions. It also supports audit and compliance evidence around remote access governance, OT asset control, alarm integrity, and response readiness.
Technical view
ATT&CK provides no official detection text, platforms, or tactics for this campaign object, so validation should be driven by its technique relationships. SOC, OT, and IR teams should test visibility and controls around the mapped behaviors: Denial of Control, Denial of View, External Remote Services, Modify Parameter, Modify Alarm Settings, Rogue Master, Wireless Compromise, Transient Cyber Asset, Alarm Suppression, Damage to Property, unauthorized Command Messages, and spoofed Reporting Messages. The practical question is whether operators can detect unexpected command traffic, altered process parameters, alarm configuration changes, reporting inconsistencies, unapproved remote access, wireless communications, and engineering devices that move between environments.
Likely telemetry
- OT network traffic showing command messages, reporting messages, and communication paths between masters, outstations, controllers, and operator systems
- Remote access authentication and session logs for externally reachable services used to administer or support control systems
- Wireless communication monitoring or radio/network logs where wireless control-system connectivity exists
- Engineering workstation and transient asset inventory, connection history, and configuration-change records
- Controller, SCADA, historian, and HMI logs for parameter changes, alarm-setting changes, alarm suppression, and operator visibility/control loss
Detection direction
- Because MITRE provides no detection guidance for this campaign, first validate whether required OT telemetry is collected, retained, time-synchronized, and reviewable by both SOC and operations teams.
- Correlate control commands with authorized operators, expected engineering assets, approved maintenance windows, and process preconditions; investigate command messages that lack a legitimate operational context.
- Monitor for changes to parameters, alarm settings, and alarm suppression states, especially when paired with remote access, wireless access, or transient engineering equipment use.
- Compare reporting messages and HMI/historian values against independent process indicators where available to identify possible spoofed or misleading status data.
- Tune carefully with operations input: engineering maintenance, testing, communications outages, and legitimate alarm changes can resemble suspicious behavior without process context.
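One way to exercise the correlation rules above against OT telemetry, shown here as an added example rather than MITRE's or Glexia's code. It assumes a flattened event schema (command, alarm configuration, reporting, independent sensor and remote-session events), allowlists of masters and operators, approved maintenance windows, and a short set of constructed pumping-station events; every station name, endpoint and threshold is a placeholder, not data from the Maroochy incident.

```python
"""Correlation checks over OT telemetry, modelled on the Maroochy behaviors
(rogue master, alarm suppression, spoofed reporting, commands without context).
Added example, not MITRE or Glexia code. The event schema, station names,
allowlists and time thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed site allowlists; in practice these come from the OT asset inventory.
AUTHORIZED_MASTERS = {"SCADA-MASTER-01"}
AUTHORIZED_OPERATORS = {"ops.alice", "ops.bob"}
# Approved maintenance windows as (start, end) pairs.
MAINTENANCE_WINDOWS = [(datetime(2000, 3, 1, 8), datetime(2000, 3, 1, 12))]
SESSION_ALARM_GAP = timedelta(minutes=30)  # remote session -> alarm change escalation
SENSOR_MAX_AGE = timedelta(minutes=5)      # how fresh the independent reading must be


@dataclass
class Event:
    ts: datetime
    kind: str            # "command" | "alarm_config" | "report" | "sensor" | "session"
    station: str         # pumping station / outstation identifier
    src: str = ""        # master address or remote/wireless endpoint
    operator: str = ""
    data: dict = field(default_factory=dict)


@dataclass
class Finding:
    rule: str
    severity: str
    ts: datetime
    station: str
    detail: str


def in_maintenance_window(ts):
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def analyze(events):
    """Run the correlation rules over time-ordered events and return findings."""
    findings = []
    sessions = []      # (ts, src) of remote/wireless sessions seen so far
    last_sensor = {}   # station -> (ts, flow_lps) from an independent flow meter
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "session":
            sessions.append((e.ts, e.src))
        elif e.kind == "command":
            # Rogue Master / unauthorized command: who is talking to the outstation?
            if e.src not in AUTHORIZED_MASTERS:
                findings.append(Finding("rogue-master", "high", e.ts, e.station,
                                        f"command from unlisted master {e.src!r}"))
            elif e.operator not in AUTHORIZED_OPERATORS:
                findings.append(Finding("unauthorized-operator", "high", e.ts, e.station,
                                        f"command by unknown operator {e.operator!r}"))
            elif not e.data.get("work_order") and not in_maintenance_window(e.ts):
                findings.append(Finding("command-without-context", "medium", e.ts, e.station,
                                        "no work order and outside maintenance window"))
        elif e.kind == "alarm_config" and e.data.get("enabled") is False:
            # Alarm suppression: escalate when a remote session preceded the change.
            recent = [(ts, src) for ts, src in sessions if e.ts - ts <= SESSION_ALARM_GAP]
            detail = "alarm disabled"
            if recent:
                rts, src = recent[-1]
                minutes = int((e.ts - rts).total_seconds() // 60)
                detail += f" {minutes} min after remote session from {src!r}"
            findings.append(Finding("alarm-disabled", "high" if recent else "medium",
                                    e.ts, e.station, detail))
        elif e.kind == "sensor":
            last_sensor[e.station] = (e.ts, e.data["flow_lps"])
        elif e.kind == "report":
            # Spoofed reporting: reported pump state contradicts the independent meter.
            ref = last_sensor.get(e.station)
            if (ref and e.data.get("pump_state") == "running"
                    and e.ts - ref[0] <= SENSOR_MAX_AGE and ref[1] <= 0.0):
                findings.append(Finding("spoofed-report", "high", e.ts, e.station,
                                        "reports pump running but independent flow meter reads 0"))
    return findings


def sample_events():
    """Constructed telemetry (not real Maroochy data) exercising each rule once."""
    def t(day, hour, minute):
        return datetime(2000, 3, day, hour, minute)
    return [
        Event(t(1, 9, 0), "command", "PS-04", "SCADA-MASTER-01", "ops.alice",
              {"set_point": 2.5, "work_order": "WO-123"}),          # legitimate, in window
        Event(t(1, 9, 29), "sensor", "PS-04", data={"flow_lps": 40.0}),
        Event(t(1, 9, 30), "report", "PS-04", "PS-04-RTU", data={"pump_state": "running"}),
        Event(t(1, 22, 5), "session", "PS-04", "RADIO-UNKNOWN-7"),   # unlisted wireless endpoint
        Event(t(1, 22, 10), "alarm_config", "PS-04", "RADIO-UNKNOWN-7", data={"enabled": False}),
        Event(t(1, 22, 12), "command", "PS-04", "RADIO-UNKNOWN-7", data={"set_point": 0.0}),
        Event(t(1, 22, 20), "sensor", "PS-04", data={"flow_lps": 0.0}),
        Event(t(1, 22, 21), "report", "PS-04", "PS-04-RTU", data={"pump_state": "running"}),
        Event(t(2, 14, 0), "command", "PS-02", "SCADA-MASTER-01", "ops.bob",
              {"set_point": 1.0}),                                     # no work order, off-hours
    ]


if __name__ == "__main__":
    for f in analyze(sample_events()):
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.severity:6} {f.rule:24} {f.station} {f.detail}")
```

The rules deliberately stay dumb about protocol details: each one is a join between a control-plane event and a piece of context (allowlisted source, named operator, work order, preceding remote session, independent sensor) that the adversary in this campaign would not have been able to supply. The off-hours command from a legitimate master is reported at medium severity only, which is the tuning point the last bullet above warns about; operations staff decide whether that class of event is noise at their site.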
Mitigation priorities
- Establish governance for all remote and wireless access paths into control environments, including approval, authentication, logging, and periodic review.
- Maintain a controlled inventory of engineering equipment and transient cyber assets; restrict and record when they connect to ICS networks.
- Protect integrity of alarm settings, process parameters, and command/reporting paths with change control, role-based access, and independent review for safety-critical functions.
- Segment and monitor ICS communications so unauthorized masters, unexpected command sources, and abnormal reporting behavior are easier to identify.
- Create OT incident response procedures that join SOC, engineering, operations, legal/compliance, and public-safety or environmental response stakeholders where relevant.
Analyst notes and limits
This object is a campaign in the ICS ATT&CK domain, not a generic enterprise intrusion pattern. Its value is strongest as a cyber-physical risk and control-validation case: it links unauthorized interaction with control systems to loss of control/view, alarm manipulation, command/reporting abuse, and physical damage outcomes. The supplied relationship set should drive defensive assessments more than the campaign description alone.
The supplied ATT&CK object does not specify platforms, tactics, labels, or official detection guidance. The assessment should not be treated as evidence of current exploitation or applicability to every ICS environment. Local architecture, remote access design, wireless use, engineering asset practices, and process-safety requirements are required to determine actual exposure and monitoring coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T1692.002 | Reporting Message (sub-technique) | In the Maroochy Water Breach, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer. [1] |
| ICS | T0822 | External Remote Services | In the Maroochy Water Breach, the adversary gained remote computer access to the system over radio. [1] |
| ICS | T0838 | Modify Alarm Settings | In the Maroochy Water Breach, the adversary disabled alarms at four pumping stations, preventing notifications to the central computer. [1] |
| ICS | T1692.001 | Command Message (sub-technique) | In the Maroochy Water Breach, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer. [1] |
| ICS | T0864 | Transient Cyber Asset | In the Maroochy Water Breach, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system. [1] |
| ICS | T0879 | Damage to Property | In the Maroochy Water Breach, the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's affected rivers. [1] |
| ICS | T0836 | Modify Parameter | In the Maroochy Water Breach, the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed for changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. [1] |
| ICS | T0813 | Denial of Control | In the Maroochy Water Breach, the adversary temporarily shut an investigator out of the network, preventing them from issuing any controls. [1] |
| ICS | T0860 | Wireless Compromise | In the Maroochy Water Breach, the adversary used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations. [1] |
| ICS | T0848 | Rogue Master | In the Maroochy Water Breach, the adversary falsified network addresses in order to send false data and instructions to pumping stations. [1] |
| ICS | T0878 | Alarm Suppression | In the Maroochy Water Breach, the adversary suppressed alarm reporting to the central computer. [1] |
| ICS | T0815 | Denial of View | In the Maroochy Water Breach, the adversary temporarily shut an investigator out of the network, preventing them from viewing the state of the system. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6cf19284e578… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study: Maroochy Water Services, Australia. Retrieved 2018/03/27.
[2] MITRE ATT&CK. Campaign C0020: Maroochy Water Breach.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.