Clop ransomware gang mistakenly claims to have hacked London’s principal water supplier, but South Staffordshire Water confirms compromise
A British water supplier has confirmed that it has been compromised, after the hackers mistakenly claimed to have breached London’s main water supplier.
BleepingComputer reported that the Clop ransomware gang claimed on the dark web that they had accessed the SCADA systems (which control industrial processes at treatment plants) of Thames Water.
Thames Water is the UK’s largest water supplier and wastewater treatment provider, serving Greater London and the areas surrounding the River Thames (roughly 15 million customers).
But the Clop hackers were mistaken: the stolen documents they posted as proof of the compromise did not match their claim, casting doubt on the veracity of the Thames Water attack.
They had in fact compromised the SCADA systems belonging to a water supplier in the Midlands, namely South Staffordshire Water, which supplies water to 1.6 million customers.
South Staffordshire Water confirmed in a statement on its website that it was the company that had been breached.
“South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, has been the target of a criminal cyber-attack,” it confirmed.
“As you’d expect our number one priority is to continue to maintain safe public water supplies,” it added. “This incident has not affected our ability to supply safe water and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers.”
It cited the robust systems and controls over water supply and quality that it has in place at all times, as well as the quick work of its teams to respond to the incident and implement additional measures on a precautionary basis.
“We are experiencing disruption to our corporate IT network and our teams are working to resolve this as quickly as possible,” said South Staffordshire Water. “It is important to stress that our customer service teams are operating as usual.”
“We are working closely with the relevant government and regulatory authorities and will keep them, as well as our customers, updated as our investigations continue,” it concluded.
The attack comes as many regions of the UK declare an official drought and impose hosepipe bans.
Mass poison attempt
It should be noted that hackers have compromised water suppliers before.
One case in the United States, however, was much more serious and threatened the public health of an entire city.
In February 2021, officials of the US city of Oldsmar, Florida, revealed that a hacker had gained access to the city’s water system and tried to pump in a “dangerous” amount of a chemical.
The hacker had gained access to an internal ICS platform and briefly increased the amount of sodium hydroxide (lye) in Oldsmar’s water treatment system.
Sodium hydroxide is highly corrosive and is often used in drain cleaners. It can cause irritation to the skin and eyes, along with temporary loss of hair.
Swallowing it can cause damage to the mouth, throat and stomach, and trigger vomiting, nausea and diarrhoea.
Thankfully for all concerned, a worker spotted the attack and reversed the action, but the consequences of the attack could have been very serious.
The targeted water treatment facility supplies water to 15,000 residents and businesses in the city.
Nevertheless, the attack on a British water supplier has highlighted the risks to critical infrastructure from cyber criminals and nation state hackers.
“With the rise of ransomware as a main attack method, criminals are running rampant to find any vulnerable systems they can take over,” noted Dr Darren Williams, CEO and founder of ransomware prevention specialist Blackfog.
“Whilst Clop did successfully breach South Staffordshire Water’s systems, they totally missed the mark here, claiming responsibility for a breach that didn’t happen (Thames Water being in South England, and Staffordshire being up North…),” said Dr Williams.
“Nevertheless, whilst misidentification of their target is somewhat embarrassing, the very fact that a water board is their latest victim is really quite harrowing: severe drought conditions currently preside over the UK, with millions of households facing strict water usage restrictions,” said Dr Williams. “Clearly, attackers want to hit us where it hurts the most…”
“All organisations must remember how crucial it is to secure your environment and prevent data exfiltration at the endpoint, if we are to prevent cataclysmic scarcities in our critical infrastructure supply chain,” he said.
Another expert, Daniel Dos Santos, head of security research at Forescout’s Vedere Labs, noted that this latest attack is part of a series of very relevant incidents targeting the water sector in the past couple of years, which have increased the cost of cyber insurance for water utilities.
“In March, July and August 2021, three US-based water utilities were targeted by different ransomware groups,” said Dos Santos. “Now cybercriminals have obtained access to a UK water treatment control system with the intent of extorting the victim.”
“Although the incidents had different types of perpetrators and goals, similar mitigation efforts could help reduce the likelihood and the impact of potential cyberattacks targeting the water sector,” said Dos Santos.
- Identify all the devices connected to the network, including IT, operational technology and IoT devices. These devices are the ones that will be targeted by attackers either for initial access, lateral movement in the network or to cause an impact on the business. Not having a complete and accurate inventory of devices creates security blind spots in the network.
- Enforce security compliance: continuously monitor and enforce security compliance for all connected devices in your network. Noncompliant devices (devices with weak/default credentials, unpatched, legacy OS, etc.) are often the primary targets for attackers.
- Segment to mitigate risk: Devices directly connected to the internet are at most risk for initial access while those bridging IT and OT systems can be used to cross the perimeter. Network flow mapping of existing communications provides a baseline understanding of external and internet-facing communication paths. This can help identify unintended/anomalous external communications so appropriate segmentation controls can be enforced for mitigating risk.
- Monitor network communications: In addition to immediately reducing risk by taking mitigation actions, water utilities should continuously monitor the traffic to and from high-risk devices, so when anomalous traffic flows are detected, response actions or more stringent controls can be enforced.
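To make the four recommendations above concrete, here is a small worked example of how they fit together in code: an asset inventory with zone tags, a compliance pass over it, a flow baseline built from a known-good window, and a check that flags flows which break the segmentation policy or appear for the first time on a high-risk OT device. This is an added illustration written for this article; it is not code from Forescout, Vedere Labs or any water utility. The inventory, the zone policy (IT reaches OT only via a DMZ, OT never talks to the internet directly), the internal address range and every flow record are constructed sample data, and all hostnames and addresses are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Step 1: asset inventory. Constructed sample data; the zone tags ("it", "dmz", "ot")
# and the hostnames are assumptions made for this illustration.
INVENTORY = {
    "10.0.1.10": {"name": "hmi-01",     "zone": "ot",  "os": "Windows 7",           "default_creds": False},
    "10.0.1.20": {"name": "plc-dosing", "zone": "ot",  "os": "vendor firmware 2.1", "default_creds": True},
    "10.0.2.5":  {"name": "historian",  "zone": "dmz", "os": "Windows Server 2019", "default_creds": False},
    "10.0.3.40": {"name": "fin-laptop", "zone": "it",  "os": "Windows 10",          "default_creds": False},
}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range; anything else is "internet"

# Step 2: compliance rules. The legacy-OS list is an assumption for the example.
LEGACY_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}

def noncompliant_devices(inventory):
    """Return {ip: [reasons]} for devices that fail the simple compliance rules."""
    findings = {}
    for ip, dev in inventory.items():
        reasons = []
        if dev["os"] in LEGACY_OS:
            reasons.append("legacy OS")
        if dev["default_creds"]:
            reasons.append("default credentials")
        if reasons:
            findings[ip] = reasons
    return findings

# Step 3: segmentation policy as allowed (src_zone, dst_zone) pairs. Assumed policy:
# IT reaches OT only through the DMZ, and OT never talks to the internet directly.
ALLOWED_ZONE_PAIRS = {
    ("it", "it"), ("dmz", "dmz"), ("ot", "ot"),
    ("it", "dmz"), ("dmz", "it"), ("dmz", "ot"), ("ot", "dmz"),
    ("it", "internet"), ("dmz", "internet"),
}
HIGH_RISK_ZONES = {"ot"}

def zone_of(ip, inventory):
    """Zone of an address: 'internet' outside the internal range, otherwise the
    inventory tag, or 'unknown' for an internal device that was never inventoried."""
    if ipaddress.ip_address(ip) not in INTERNAL_NET:
        return "internet"
    return inventory.get(ip, {}).get("zone", "unknown")

def build_baseline(flows, inventory):
    """Map (src_zone, dst_zone) -> set of (src, dst, port) seen in a known-good window."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[(zone_of(src, inventory), zone_of(dst, inventory))].add((src, dst, port))
    return baseline

def find_anomalies(flows, baseline, inventory):
    """Step 4: flag un-inventoried endpoints, zone-policy violations, and flows on
    high-risk devices that were not present in the baseline."""
    anomalies = []
    for src, dst, port in flows:
        sz, dz = zone_of(src, inventory), zone_of(dst, inventory)
        flow = (src, dst, port)
        if "unknown" in (sz, dz):
            reason = "uninventoried device (blind spot)"
        elif (sz, dz) not in ALLOWED_ZONE_PAIRS:
            reason = "zone policy violation"
        elif (sz in HIGH_RISK_ZONES or dz in HIGH_RISK_ZONES) and flow not in baseline.get((sz, dz), set()):
            reason = "new flow on high-risk device"
        else:
            continue
        anomalies.append({"flow": flow, "zones": (sz, dz), "reason": reason})
    return anomalies

# Constructed flow records (src_ip, dst_ip, dst_port), of the kind exported from NetFlow or Zeek.
BASELINE_FLOWS = [
    ("10.0.3.40", "10.0.2.5", 443),      # IT laptop -> historian web UI
    ("10.0.2.5", "10.0.1.20", 502),      # historian polls the PLC over Modbus/TCP
    ("10.0.1.10", "10.0.1.20", 502),     # HMI -> PLC
    ("10.0.3.40", "203.0.113.9", 443),   # IT laptop -> internet
]
CURRENT_FLOWS = BASELINE_FLOWS + [
    ("10.0.3.40", "10.0.1.20", 502),     # IT laptop reaches the PLC directly, bypassing the DMZ
    ("10.0.1.10", "198.51.100.7", 5938), # HMI opens an outbound session to the internet
    ("10.0.2.5", "10.0.1.10", 3389),     # historian -> HMI on RDP: allowed zones, but never seen before
    ("10.0.1.77", "10.0.1.20", 502),     # something not in the inventory talks Modbus to the PLC
]

def run():
    """Run compliance and flow checks over the constructed data; returns (findings, anomalies)."""
    baseline = build_baseline(BASELINE_FLOWS, INVENTORY)
    return noncompliant_devices(INVENTORY), find_anomalies(CURRENT_FLOWS, baseline, INVENTORY)

if __name__ == "__main__":
    findings, anomalies = run()
    for ip, reasons in findings.items():
        print(f"noncompliant {INVENTORY[ip]['name']} ({ip}): {', '.join(reasons)}")
    for a in anomalies:
        print(f"anomaly {a['flow']} zones={a['zones']}: {a['reason']}")
```

The baseline window is only as trustworthy as the period it was captured in, so in practice it should be reviewed by someone who knows the plant before it is treated as "known good"; a flow that merely appears in the baseline is not thereby legitimate. The ordering of the checks also matters: an endpoint missing from the inventory is reported before any policy decision, because a zone cannot be assigned to it, which is exactly the blind spot the first recommendation warns about.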