
UK Water Supplier Suffered a Clop Ransomware Attack During Major Drought; Victim Initially Misidentified as UK’s Largest Water Utility

UK water supplier, South Staffordshire PLC, suffered a Clop ransomware attack in which the gang misidentified its victim.

The cybercrime gang claims it compromised Thames Water, the largest water utility and sewerage treatment facility serving Greater London and surrounding areas.

According to the gang, the water supplier allegedly had “very bad holes” in “all systems,” allowing the threat actors to spend months in the systems.

The attack coincided with one of the worst droughts that led to water rationing across eight regions in the United Kingdom.

Largest UK water supplier described the alleged attack as a cyber hoax

Clop ransomware group posted on its dark web data leak site that it had compromised Thames Water. However, the largest UK water supplier described the alleged cyberattack as a “cyber hoax.”

Meanwhile, South Staffordshire acknowledged the cyber attack, adding that the suspected ransomware attack did not undermine its ability to supply safe water to Cambridge Water and South Staffs Water customers. Both companies are South Staffordshire’s subsidiaries.

“This is thanks to the robust systems and controls over water supply and quality we have in place at all times, as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis,” the UK water supplier stated.

The timing of the attack was hardly a coincidence but a well-calculated strategy to create an emergency and force ransom payment.

However, the UK water supplier seems to have weathered the attack well and is unlikely to pay the ransom.

“As the pressure on the utilities sector is rising, the cyber-attack on South Staffordshire Water highlights how cybercriminals are targeting the industry. This is a trend which, unfortunately, I expect to continue,” said Chris Vaughan, AVP of Technical Account Management, EMEA at Tanium.

Clop ransomware allegedly accessed SCADA systems

However, Clop ransomware claimed to have accessed the victim’s SCADA systems and could harm the UK water supplier’s customers. The gang claims to have avoided encrypting its victim’s computers during the attack but accessed 5 Terabytes of data.

Additionally, Clop ransomware accused the company’s management of saving on cybersecurity to fund their bonuses. The gang also portrayed itself as a politically-neutral player that does not target critical infrastructure and health organizations.

Clop ransomware gang published samples of stolen files, including email addresses belonging to South Staffordshire and South Staffs Water. The leak also included a received document addressed to South Staffordshire PLC, according to BleepingComputer.

The gang released the sample data after ransom negotiations stalled, possibly after negotiating with the wrong victim. Clop ransomware accused “the other party” of lacking interest, buying time, and offering a low ransom despite the risk of water contamination.

“Threat actors want to put decision-makers in a morally impossible situation by targeting the availability of their operations so that they have no choice but to pay ransoms in order to get their services back up and running,” said Simon Chassar, CRO at Claroty.

Surprisingly, the Clop ransomware gang missed the glaring identity of the compromised company.

The misidentification may have been a deliberate attempt to extort a larger company. South Staffordshire has about 1.6 million customers, while Thames Water serves about 15 million.

Alternatively, both companies may have been targeted or compromised, but the group has not exfiltrated data from Thames Water, or the company is unaware of an existing breach.

Meanwhile, Clop ransomware corrected its statement and identified South Staffordshire Water as the victim.

Cyber attacks pose a unique threat to water systems

In June, the FDD’s Center on Cyber and Technology Innovation (CCTI) warned about potential cyber attacks targeting water systems. The organization stated that water systems posed a “unique threat” due to limited budget and understaffing.

“There are literally tens of thousands of local and regional utilities providers across the US that have neither the budget nor expertise to implement adequate cybersecurity and they are sitting ducks for our foreign enemies that could easily disrupt the provision of services to millions of Americans,” said John Gunn, CEO at Token.

In February 2021, a threat actor breached a water treatment facility in Oldsmar, Florida, and attempted to poison consumers by raising sodium hydroxide levels 48 hours before the Super Bowl. According to Pinellas County Sheriff Bob Gualtieri, the threat actor increased lye levels from the recommended 100 parts per million to 11,100.

The attack on the UK water supplier is a warning shot for possible future attacks as Europe braces for adverse weather.

“Despite [the] contradicting statements between South Staffordshire Water and the Cl0p ransomware group, what is clear is that cyber criminals are moving beyond operational availability to human risk with critical infrastructure attacks for maximum liability and monetary gain by trying to contaminate safe water supplies and put lives at risk,” Chassar said.

He added that cybercriminals do not consider the consequences of their actions as long as the victim pays the ransom.

“Unfortunately, this tactic is working. In 2021, 80% of critical infrastructure organizations experienced a ransomware attack, and 62% paid the ransom.”

Chassar advised organizations to have visibility across all devices since most operational technology (OT), internet of things (IoT), and Industrial IoT (IIoT) devices are not designed with cybersecurity in mind.

“It is fundamental that specialist OT Cyber tools are used on networks so they are segmented with asset class network policies to restrict unnecessary connectivity from anomaly detection; ultimately limiting the movement of malware and mitigating the human risk impact of cyber attacks.”
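The two controls Chassar describes, asset-class segmentation policies and anomaly detection on OT traffic, can be illustrated with a small detection pass. The following is an added example and is not code from the article, from Claroty or from any water utility: the host inventory, asset classes, the allowed-flow policy, the safe band for a dosing setpoint and the log lines are all constructed here. It flags connections whose asset-class pair is not permitted by the policy, and setpoint writes that leave a configured safe band (using the 100 ppm figure the article cites for Oldsmar as the baseline and an assumed upper limit).

```python
"""Added example (not from the article): check constructed OT telemetry against
(1) an asset-class segmentation policy and (2) a safe band for setpoint writes.
All hosts, classes, bands and log lines are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory: host -> asset class. A real deployment would take this
# from an asset inventory or passive discovery tool, not a hard-coded dict.
ASSET_CLASS = {
    "10.10.1.5": "hmi",
    "10.10.1.9": "eng_workstation",
    "10.10.2.20": "plc",
    "10.20.5.40": "corporate",
    "203.0.113.7": "remote_access",  # TEST-NET-3 address, constructed
}

# Constructed segmentation policy: (source class, destination class, protocol)
# triples that are expected. Anything else is "unnecessary connectivity".
ALLOWED_FLOWS = {
    ("hmi", "plc", "modbus"),
    ("eng_workstation", "plc", "modbus"),
    ("eng_workstation", "plc", "s7comm"),
}

# Constructed safe band (ppm) for a sodium hydroxide dosing setpoint. The 100 ppm
# recommended level comes from the article; the 200 ppm ceiling is an assumed
# engineering limit, not a figure from the article.
SETPOINT_BANDS = {"naoh_dose_ppm": (0.0, 200.0)}


@dataclass
class Alert:
    kind: str
    detail: str


def check_flow(src: str, dst: str, proto: str) -> Optional[Alert]:
    """Return an alert if the asset-class pair/protocol is not in the policy."""
    src_cls = ASSET_CLASS.get(src, "unknown")
    dst_cls = ASSET_CLASS.get(dst, "unknown")
    if (src_cls, dst_cls, proto) in ALLOWED_FLOWS:
        return None
    return Alert("segmentation_violation",
                 f"{src_cls}({src}) -> {dst_cls}({dst}) over {proto}")


def check_setpoint(tag: str, old: float, new: float) -> Optional[Alert]:
    """Return an alert if a setpoint write leaves the configured safe band."""
    if tag not in SETPOINT_BANDS:
        return Alert("unknown_tag", f"write to untracked tag {tag}")
    lo, hi = SETPOINT_BANDS[tag]
    if not lo <= new <= hi:
        return Alert("setpoint_out_of_band",
                     f"{tag}: {old} -> {new} (safe band {lo}-{hi})")
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Parse constructed log lines of two shapes and return the alerts raised.

    FLOW  <src> <dst> <proto>          -- a connection observed between hosts
    WRITE <src> <tag> <old> <new>      -- a setpoint write seen on the wire
    """
    alerts: List[Alert] = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "FLOW" and len(parts) == 4:
            alert = check_flow(parts[1], parts[2], parts[3])
        elif parts[0] == "WRITE" and len(parts) == 5:
            alert = check_setpoint(parts[2], float(parts[3]), float(parts[4]))
        else:
            alert = Alert("unparsed", line)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: two permitted events, two policy violations and
# one setpoint write far outside the safe band.
SAMPLE_LOG = [
    "FLOW 10.10.1.5 10.10.2.20 modbus",
    "FLOW 10.20.5.40 10.10.2.20 modbus",
    "FLOW 203.0.113.7 10.10.1.5 rdp",
    "WRITE 10.10.1.5 naoh_dose_ppm 100 110",
    "WRITE 10.10.1.5 naoh_dose_ppm 100 11100",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.kind}] {a.detail}")
```

The policy is a plain allowlist keyed on asset class rather than on individual hosts, which is what makes it survive address changes in the plant network; the setpoint check is deliberately independent of the flow check, so an out-of-band write from an otherwise permitted HMI still raises an alert.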