South Staffordshire Plc, the parent company of utilities Cambridge Water and South Staffordshire Water, has reassured its 1.6 million customers that their water supplies are safe following an apparent Clop (aka Cl0p) ransomware attack that the gang seems to have wrongly claimed as being against a completely different organisation.
The attack unfolded on Monday 15 August, but according to security researcher Daniel Card, who uncovered the breach attribution on Clop’s dark web leak site, the gang seemed to be under the impression that it was attacking and extorting Thames Water, which services properties in London and South East England.
At the time of writing, it remained unclear how the gang managed to misidentify its victim, but unfortunately its erroneous attribution was picked up and run by The Express, among other outlets, although the tabloid has since retracted this misinformation.
In screengrabs shared with Computer Weekly by Searchlight Security researchers, Clop railed against Thames Water, accusing it of malpractice and encouraging customers to sue it. It claimed to have been inside the company’s systems for months, and that it had contacted the victim and demanded money, but “they are not interested to fix”, which is unsurprising given that the gang has not hacked Thames Water.
It said: “Clop is not political organisation and we do not attack critical infrastructure or health organisations. We decide that we do not encrypt this company, but we show them that we have access to more of 5TB of data. Every system including SCADA and these system which control chemicals in water. If you are shocked it is good.”
If the gang does have the ability to control the chemical composition of the water, as its statement implies, this would suggest it may have access to South Staffordshire’s operational technology (OT) systems as well as its IT.
In a statement, South Staffordshire confirmed it was the victim of a “criminal cyber attack”, although it did not explicitly name Clop.
“As you’d expect, our number one priority is to continue to maintain safe public water supplies,” a spokesperson said. “This incident has not affected our ability to supply safe water and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers.
“This is thanks to the robust systems and controls over water supply and quality we have in place at all times, as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis.
“We are experiencing disruption to our corporate IT network and our teams are working to resolve this as quickly as possible. It is important to stress that our customer service teams are operating as usual.
“We are working closely with the relevant government and regulatory authorities and will keep them, as well as our customers, updated as our investigations continue.”
A spokesperson for Thames Water said: “We are aware of reports in the media that Thames Water is facing a cyber attack. We want to reassure you that this is not the case and we are sorry if the reports have caused distress.
“As providers of an essential service, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide you with the services and support you need from us.”
Ian Parsons, cyber threat intelligence analyst at Bridewell, commented: “With most of Britain facing drought conditions, any disruption to the service of water companies could have far-reaching consequences. Although ransomware operators are not exclusive in their targeting, this makes the incentive to pay any ransom demands more likely.
“Nation state actors cannot be ruled out, especially as previous attacks on water supplies have been linked to sophisticated threat actors. Disruption to critical national infrastructure is an attractive target for nation state groups. However, this is less likely in this instance.
“There have already been several attacks on our critical national infrastructure [CNI] in 2022 and recent Bridewell research shows the utilities industry remains a highly targeted CNI sector in the UK.”
Parsons said any exploitable vulnerabilities in water supply systems clearly posed significant dangers in terms of risk to public health and safety, making it even more important for water companies to do their utmost to ensure security.
“While security teams and engineers do fantastic work to manage a complex security ecosystem, the problem is that many of the systems currently in use were built prioritising efficiency over security,” he said. “To successfully drive cyber security improvements, operators face the challenge of maintaining system uptime while undergoing operationally and technically complex upgrades.
“To build cyber resilience, organisations should implement a robust cyber security transformation process, using the NCSC’s Cyber Assessment Framework and NIS Regulations as guidance. By combining best practice with modern techniques such as threat intelligence to plan for modern adversaries, utility providers can increase confidence and effectiveness against such threats.”
Censornet CEO Ed Macnair added: “Preventing sensitive data and intellectual property from leaking into the hands of cyber criminals is vital to ensuring the safe supply of water, particularly in a drought. Attackers are always looking for ways to cause maximum damage, disruption and, of course, gain valuable personal information. And they are increasingly bringing the fight into the public domain.
“Once again, we are reminded why it is important to stop ransomware before it has had a chance to take hold. Those who pay are statistically more likely to be attacked again – 20% of mid-market businesses end up paying a ransom to hackers and the average pay-out stands at £144,000. Responding to ransomware comes down to limiting the reputational and financial damage of the breach, while carefully considering the ethical and legal implications of paying a demand.
“As ransomware attacks continue to become more sophisticated, the ability to react with speed and accuracy is imperative. Organisations need to close any gaps in their security posture so cyber defences can work together at lightning speed to stop ransomware and deny cyber criminals any opportunity for extortion.”
Clop resurgent
Although it suffered a major setback last year after Ukrainian authorities busted multiple members of the gang, Clop, which was implicated in a spate of attacks in the spring of 2021 following a supply chain attack on Accellion’s legacy FTA file transfer platform, has kept up its activity.
Indeed, according to Trend Micro data published earlier in 2022, Clop detections remained high following the takedown, while more recent research by NCC suggests the gang saw a return to form in the spring, with its named victims increasing from one in March to 21 in April, making it one of the most active threat actors during the period.
Its most targeted sector at the moment seems to be industrial organisations – South Staffs could be said to be such an organisation – which make up almost half of its victims, although the gang is also interested in compromising tech companies.
“The increase in Clop’s activity seems to suggest they have returned to the threat landscape,” said Matt Hull, NCC global lead for strategic threat intelligence. “Organisations within Clop’s most targeted sectors – notably industrials and technology – should consider the threat this ransomware group presents, and be prepared for it.”