(December 1, 2022) Investigation Update to UK’s South Staffs Water Cyber Incident

Created: Thursday, December 1, 2022 - 12:05
Categories:
Cybersecurity, Security Preparedness

According to the BBC, South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, said it discovered that its ransomware attackers (Cl0p/Clop) may have exfiltrated, and potentially leaked, bank details of its customers, although the number of affected customers is currently unknown. South Staffs updated its website to disclose that “names and addresses of account holders, together with the sort codes and account numbers used for Direct Debit payments all could have been accessed by hackers.” While the investigation is still ongoing, South Staffs has begun notifying potentially impacted customers.

The incident occurred on August 16, and this update is a reminder of how it often takes weeks or months to determine what happened, what data may have been stolen, and what additional consequences may follow. As a reminder, despite the initial screenshots shared by the threat actors, this compromise is only believed to have impacted IT systems; the ability to supply safe water was unaffected.

For more musings and an objective look at the South Staffs compromise, check out SynSaber’s analysis:

(August 16, 2022) Ransomware Group with a Penchant for Critical Infrastructure Attempts to Extort UK Water Entity

Multiple news outlets reported yesterday that the Cl0p ransomware group was claiming responsibility for a ransomware attack on a UK water utility. According to the initial leak notification, Cl0p actors claimed to have access to Thames Water, but the posted data pointed to, and was later confirmed to belong to, South Staffordshire PLC. The confusion may well have had both organizations scrambling for a time. Fortunately, the utility actually affected set the record straight (for the attackers) in a statement: South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, has been the target of a criminal cyber-attack. While Cl0p claims to have access to SCADA systems, and SecurityWeek posted a screenshot of an HMI supposedly captured by the attackers, at the time of this writing those claims remain unsubstantiated. Nothing on the screenshot identifies which organization the control panel belongs to, shows that the attackers could make changes, or rules out that the image is nothing more than a static picture grabbed from anywhere. Likewise, South Staffs states that only its corporate IT network is experiencing disruption.

Cl0p is a notable threat to the water and wastewater sector because it has primarily targeted critical infrastructure organizations. Prior reports cite the industrial sector as Clop's most frequent target, with 45% of its ransomware attacks hitting industrial organizations and 27% targeting technology companies. Even after law enforcement disruptions in mid-2021, Cl0p has resurfaced; before that disruption, in early 2021, the group heavily exploited vulnerabilities in Accellion's legacy File Transfer Appliance (FTA) (CISA Alert: Exploitation of Accellion File Transfer Appliance). Reportedly, the list of companies that had their Accellion FTA servers hacked by Cl0p includes, among others, energy giant Shell, cybersecurity firm Qualys, supermarket giant Kroger, and multiple universities worldwide (the University of Colorado, University of Miami, Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California).

A comment in a recent BleepingComputer post offers food for thought regarding cyber threat actors' potential selection of critical infrastructure targets during extreme weather conditions: “Cybercriminals don’t pick their targets randomly, as hitting water suppliers during harsh drought periods could apply insurmountable pressure to pay the demanded ransom.” That consideration is reminiscent of what occurred at Onslow Water and Sewer Authority (ONWASA) in October 2018 in the wake of Hurricane Florence – North Carolina Water Utility Reports Ransomware Attack that Will Affect Service for Weeks.

Members are encouraged to continue pursuing ransomware resilience activities to reduce the risk of succumbing to a ransomware incident and to shorten the time needed to restore systems if one does occur. From preparation to protection and response, CISA’s StopRansomware.gov is a recommended resource for all. Read more on the incident at SecurityWeek and SkyNews.