South Staffordshire Water Latest Target Of Criminal Cyber Attack

By ISBuzz Team, Writer, Information Security Buzz | Aug 16, 2022 04:23 am PST

South Staffordshire Water “has been the target of a criminal cyber attack”, the company has confirmed. In a statement, it stressed it was “still supplying safe water to all of our Cambridge Water and South Staffs Water customers”.

Cl0p Ransomware Organization Has Claimed Responsibility

Although South Staffordshire Water withheld information about the breach’s nature, the Cl0p ransomware organization has claimed responsibility.

Sort of. The attackers in this case made a critical error: they misidentified which organization they had broken into.

In an internet posting made just before South Staffordshire Water issued its statement, the extortionists claimed they had breached Thames Water.

The criminal organization published stolen documents on the dark web, purportedly verifying the compromise. The stolen data, however, didn’t support their assertion, raising questions about the accuracy of the claim.

But now that the attack has been confirmed by the victim, there is no longer any doubt.

Will South Staffordshire Water Pay the Ransom?

South Staffordshire Water has not yet commented on whether it will pay the ransom. Experts advise against it, in part because there is no assurance that the offenders will honor their promises after receiving payment.

There is also the moral question, as successful ransom demands encourage other attacks and aid in funding other criminal activities.

South Staffordshire Water can stay out of negotiations entirely if it has reliable backups in place. Instead, it can erase the affected systems and reconstruct them in a secure setting.

Even if it paid the ransom and decrypted its files, the process would take time and result in further delays.

The Damage Severity

Additionally, South Staffordshire Water may discover that the damage isn’t as severe as it first seems once it investigates the breach further. Ransomware organizations frequently exaggerate their claims in an effort to scare victims into paying the ransom.

Initial investigation indicates that this may have been the case in this instance. “We are aware that South Staffordshire Plc has been the target of a cyber intrusion,” a government spokesperson stated. The corporation and Defra and NCSC are in frequent contact.

We are reassured that there are no effects on the ongoing safe supply of drinking water following considerable discussion with South Staffordshire Plc and the Drinking Water Inspectorate, and the company is taking all required actions to examine this event.

14 Expert Comments
Steve Bradford, Senior Vice President
August 17, 2022 12:08 pm

Critical national infrastructure is no exception for cyber criminals, as the latest ransomware attack on South Staffordshire Water shows. It’s particularly concerning at a time when the UK is facing water shortages as a result of the heatwave.

Now, governments and businesses alike face the threat of bigger, more sophisticated attacks from ransomware – ones where cyber criminals have worked methodically to develop software to steal vast quantities of data, and where they can take advantage of vulnerabilities that come with multiple user access points.

Ransomware has become so effective that many organisations have simply paid ransom, sometimes to the tune of thousands of pounds. Multiple security controls must be standard best practice for cyber security, to reduce the risk of ransomware along with other malicious malware threats.

Jim Simpson, Director of Threat Intelligence
August 17, 2022 12:07 pm

The timing of this attack undoubtedly capitalizes on the public’s very real concerns about the insecurity of water treatment facilities, and the timing of its data leak during a drought in the UK is beneficial to negotiations. In this context, the misattribution of the data to Thames Water – rather than South Staffordshire – could be seen as a deliberate tactic to induce more fear, as Thames Water is the largest water and wastewater services company in the UK. The leak of data from the water company’s corporate IT systems is serious, but the real concern here is Cl0P’s claim that it has compromised operational technology that could impact water supply. South Staffordshire has reassured the public that there is no disruption to operational technology, but even if Cl0P’s claims are inflated it may still suit their aim to cause as much fear as possible.

Simon Chassar
August 17, 2022 12:02 pm

Threat actors want to put decision makers in a morally impossible situation by targeting the availability of their operations so that they have no choice but to pay ransoms in order to get their services back up and running. Despite contradicting statements between South Staffordshire Water and the Cl0p ransomware group, what is clear is that cyber criminals are moving beyond operational availability to human risk with critical infrastructure attacks for maximum liability and monetary gain by trying to contaminate safe water supplies and put lives at risk.

Ransomware gangs know that poisoning water supplies could end in fatalities, and this is exactly the leverage they want for the highest possible ransom. We saw in February 2021 that water treatment and supply environments are globally at risk, when a ransomware group tried to poison Florida’s citizens after remotely controlling the computer operating a facility’s water treatment system.

These groups are not interested in the consequences of their attack as long as their victim pays a ransom. Unfortunately, this tactic is working. In 2021, 80% of critical infrastructure organisations experienced a ransomware attack, and 62% paid the ransom.

Ransomware attacks like these are exponentially increasing, and as critical infrastructure organisations digitally transform and connect cyber-physical systems to their networks, they will only increase exposure areas. Cyber-physical systems such as operational technology (OT), Internet of Things (IoT) devices and Industrial IoT (IIoT), are not designed with cybersecurity in mind, meaning they can have a number of vulnerabilities for threat actors to exploit.

In order to close these security gaps, security teams must have full visibility across all the devices on their networks, including both IT and OT (operational technology) as well as any XIOT connected devices, start patching and segmenting or implementing security controls where urgent. It is fundamental that specialist OT Cyber tools are used on networks, so they are segmented with asset class network policies to restrict unnecessary connectivity from anomaly detection; ultimately limiting the movement of malware and mitigating the human risk impact of cyber attacks.

Barry Cashman, Regional Vice President UK&I
August 17, 2022 11:57 am

Hackers are unscrupulous and this has been reaffirmed once more by the breach at UK-based utility supplier, South Staffordshire Water. Attacks on critical infrastructure at times of extreme pressure are becoming commonplace. It is no coincidence that the attack has hit at this time, when water companies are already fighting the impact of extreme heat and resulting drought, as ransomware continues to be a cash cow for cybercriminals.

The nation’s critical infrastructure, such as healthcare, emergency services and utilities sector organisations, have become prime targets. These threats of disruption for such essential services force the public sector to rapidly decide whether to pay the ransom or not.

To avoid becoming the latest victim, utility IT security needs to span the whole complex IT estate including back-office and often multi-cloud systems as well as specialist control and project management systems. IT teams need visibility across all of the technology infrastructure so that they can implement effective disaster recovery plans. By backing up data, scanning networks and deploying strong encryption, potential victims take back the power from hackers, leaving them unable to perform extreme levels of extortion. We’re seeing more organisations turn to autonomous AI data management solutions that help IT administrators to monitor, archive, back up and protect data more rapidly so that any problems are rapidly identified and prevented from escalating. Although there’s no magic fix-all yet as hackers’ methods continue to evolve, AI and skilled IT administrators are essential to helping organisations stay on top of the relentless beat of cyber crime.

John Davis, Director UK & Ireland
August 17, 2022 11:53 am

The potential for cybercrime to be used as a tool in warfare is real. This attack on South Staffordshire Water is a reminder that no organisation is safe, and every citizen has a role to play in digital fortification, whether it’s protecting a country, a company or a consumer.

Awareness and vigilance are vital weapons in our response to these threats. Power comes through knowledge about how cyber attacks could happen, and flagging them to the UK’s national reporting centre for fraud and cyber crime. This is why cyber security training shouldn’t just be a tick-in-the-box exercise, but an ongoing journey of education for us all.
