South Staffordshire Water “has been the target of a criminal cyber attack”, the company has confirmed.
In a statement, it stressed it “continues to supply safe water to all our Cambridge Water and South Staffs Water customers”.
“This is thanks to the robust systems and controls over water supply and quality we have in place at all times, as well as the swift work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis- basis.”
The statement was released after a ransomware group known as Cl0p claimed to have hacked another water company’s network.
Using its Darknet site as part of a botched online extortion effort, the group posted what appeared to be stolen identification documents.
It is not clear how the criminals managed to misidentify the victim company.
In addition to releasing files, the group criticized the company’s security and suggested that other hackers could break into the network and cause significant damage.
Cl0p typically encrypts the files on the victims’ computer networks to render the IT systems unusable unless the victims pay extortion, which often runs into millions of dollars.
In this case, Cl0p claims to have decided not to encrypt the company’s files. Instead, it demands an extortion payment to prevent the release of the stolen data, and to explain how it managed to break into the network.
The group claims to have access to the company’s SCADA (supervisory control and data acquisition) systems, which are the software used to manage industrial processes, such as at water treatment plants.
In another unverified claim disputed by South Staffs Water, the extortionists state: “It would be easy to change the chemical composition of your water, but it is important to note that we are not interested in harming people.”
Most water companies have sophisticated systems in place to ensure the quality of their water, including multiple checks and balances that are resilient to individual subsystem failures.
Ransomware groups often exaggerate their access to victims’ networks for extortion, expecting their claims to be amplified in damaging news headlines.
The UK’s National Cyber Security Center (NCSC) advises organisations not to make extortion payments as they do not guarantee any actions of the attackers and also directly contribute to the successes of the criminal enterprise.
Ransomware ‘biggest threat online’
NCSC chief executive Lindy Cameron said earlier this year: “Ransomware remains the biggest cyber threat to the UK and we do not encourage or condone paying ransoms to criminal organisations.
“Unfortunately, we have seen a recent increase in payments to ransomware criminals and the legal sector has an important role to play in helping to reverse that trend.
“Cybersecurity is a collective effort and we encourage the legal sector to work with us as we continue our efforts to fight ransomware and keep the UK safe online.”
In its statement, South Staffs said: “We are experiencing disruption to the company’s IT network and our teams are working to resolve this as quickly as possible. It is important to stress that our customer service teams are operating as normal.”
A government spokesperson said: “We are aware that South Staffordshire Plc has been the target of a cyber incident. Defra and the NCSC are in close contact with the company.
“Following extensive engagement with South Staffordshire Plc and the Drinking Water Inspectorate, we are confident that there is no impact on the continued safe supply of drinking water and the company is taking all necessary steps to investigate this incident.”