South Staffordshire Water was the target of a “bungled or interrupted” cyberattack by the CLOP ransomware group this week but the company says there is no impact on water supply or the safety of drinking water.

Ransomware group CLOP claimed to have gained access to the systems that control chemical levels in water supplies (Photo: BrianAJackson/iStock)
Ransomware group CL0P claimed to have gained access to the systems that control chemical levels in water supplies (Photo courtesy of BrianAJackson/iStock)

The business, which owns the Cambridge Water and South Staffs Water suppliers, says it is still experiencing disruption to its corporate IT network and has teams working as quickly as possible to restore full functionality. It has not elaborated on the type of disruption caused to its systems.

“As you’d expect our number one priority is to continue to maintain safe public water supplies,” the company said in a statement on its website, adding that the incident had not affected its ability to supply safe water thanks to a “robust system” of controls over water quality and supply.

To ensure the cyberattack doesn’t spread to water supply systems the company says it has put additional security measures in place on a precautionary basis.

“We are working closely with the relevant government and regulatory authorities and will keep them, as well as our customers, updated as our investigations continue,” the company said in a statement.

Confusion over South Staffordshire Water attack

There was some confusion when the attack was first detected on Monday, with the alleged perpetrators, ransomware gang CL0P, initially claiming to have hit Thames Water. Cybersecurity researcher Daniel Card was one of several experts that reviewed some of the files shared by CL0P, finding the group had the name of the company it hacked wrong and it was in fact South Staffordshire Water. This was later confirmed by South Staffordshire.

CL0P claimed it had hacked the company, gained access to 5TB of data and had the ability to change the chemical composition of the water supply. Writing on its dark website, the gang said: “It would be easy to change chemical composition for their water but it is important to note we are not interested in causing harm to people.”

The group released some of the files, including identification documents and driver declaration forms and criticised the company’s security, saying other hackers could break in and cause significant damage.

Unusual ransomware attack

Having been dormant since the arrest of several gang members last year, CL0P has made a resurgence in recent months. It typically encrypts the files on a victim’s computer network and asks for money to unlock them, but in this instance it didn’t encrypt the files and instead is asking for money to prevent the release of the stolen data and for information on how it entered the network.

A government spokesperson said they were aware of the incident and both Defra and the NCSC were liaising closely with the company. “Following extensive engagement with South Staffordshire Plc and [regulator] the Drinking Water Inspectorate, we are reassured there are no impacts to the continued safe supply of drinking water and the company is taking all necessary steps to investigate this incident,” the spokesperson said.

Martin Riley, director of managed security services at cybersecurity company Bridewell says it looks like it may have been failed or interrupted attempt given the change in approach to releasing the data.

“Ransomware operators don’t discriminate, and critical infrastructure operators are not safe either,” he says. “The NCSCs cyber assessment framework, implementing the NIS Regulations really does help operators of essential infrastructure secure their organisations.”

Research by Bridewell into the state of cybersecurity in the UK’s critical national infrastructure sector found that 78% of cybersecurity leaders working for utility companies believe they are likely to be significantly disrupted by ransomware at some point in the next year.

The majority also felt the number of attacks had increased with more innovative approaches from cybercriminals outpacing the security strategies to combat them, according to Bridewell.

Just over a third have technical controls to prevent unauthorised access to systems that would stop key directories and files from being deleted, overwritten or encrypted – the key hallmarks of a ransomware attack. When it comes to deciding whether to pay the ransom to unlock those files again, 28% of UK utilities have a plan in place.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: Operational technology devices riddled with vulnerabilities, study finds