A water company has been hit by an apparently bungled “criminal cyber attack”, it was reported today.
South Staffordshire Water stressed it was “still supplying safe water to all of our Cambridge Water and South Staffs Water customers”.
A ransomware group known as Cl0p claimed to have hacked a different water company’s networks.
A statement said: “South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, has been the target of a criminal cyber-attack.
“As you’d expect our number one priority is to continue to maintain safe public water supplies. This incident has not affected our ability to supply safe water and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers.
“This is thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis.
“We are experiencing disruption to our corporate IT network and our teams are working to resolve this as quickly as possible. It is important to stress that our customer service teams are operating as usual.
“We are working closely with the relevant government and regulatory authorities and will keep them, as well as our customers, updated as our investigations continue.”
Martin Riley, Director of Managed Security Services at Bridewell, said: “The details of this incident seem to point to a failed or disrupted attempt to compromise South Staffs Water.
“Ransomware operators don’t discriminate and critical infrastructure operators are not safe either. The NCSCs Cyber Assessment Framework, implementing the NIS Regulations really does help operators of essential infrastructure secure their organisations.
“Blended with ISA 62443 for good practice and threat intelligence to plan for modern adversaries enables utilities providers can increase confidence and effectiveness against such threats.”
Experts believe the group posted what appeared to be stolen identification documents but it is not clear how the criminals managed to misidentify the victim company.
Alongside releasing files, the group criticised the company’s security and suggested that other hackers could break into the network and cause significant damage.
Cl0p typically encrypts the files on victims’ computer networks to make the IT systems unusable unless those victims make an extortion payment, often stretching into the millions of dollars.
In this instance, Cl0p claims to have decided not to encrypt the company’s files. Instead it is demanding an extortion payment to prevent the release of the stolen data, and to explain how it managed to break in to the network.
The group claims to be able to access the company’s SCADA (supervisory control and data acquisition) systems which are the software used to manage industrial processes, such as those at water treatment facilities.
In another unverified claim which is disputed by South Staffs Water, the extortionists state: “It would be easy to change chemical composition for their water but it is important to note we are not interested in causing harm to people.”
Most water companies have sophisticated systems in place to ensure the quality of their water, including several checks and balances which are resilient against individual subsystem failures.
Ransomware groups often over-state their access into victims’ networks for the sake of extortion, expecting that their claims will be amplified in damaging news headlines.
The UK’s National Cyber Security Centre (NCSC) advises organisations not to make extortion payments as they do not guarantee any actions from the attackers, and also directly contribute to the successes of the criminal enterprise.
NCSC’s chief executive, Lindy Cameron, said earlier this year: “Ransomware remains the biggest online threat to the UK and we do not encourage or condone paying ransom demands to criminal organisations.
“Unfortunately, we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend.
“Cyber security is a collective effort and we urge the legal sector to work with us as we continue our efforts to fight ransomware and keep the UK safe online.”
A government spokesman said: “We are aware that South Staffordshire Plc has been the target of a cyber incident. Defra and NCSC are liaising closely with the company.
“Following extensive engagement with South Staffordshire Plc and the Drinking Water Inspectorate, we are reassured there are no impacts to the continued safe supply of drinking water, and the company is taking all necessary steps to investigate this incident.”
