Ransomware attack on UK water company clouded by confusion

Clop gang thought it hit Thames Water – but real victim was elsewhere

A water company in the drought-hit UK was recently compromised by a ransomware gang, though initially it was unclear exactly which water company was the victim.

Clop, a prolific Russian-speaking gang known for extorting industrial organizations, claimed on its website that it had broken into and stolen data from Thames Water – which supplies water to about 15 million people, including those in the capital, London.

The cybercriminals said that after negotiations with the water company broke down, they published a raft of stolen documents, from passport scans and driver's licenses to screenshots of software user interfaces. They claimed to have more than 5TB of data taken from the victim organization, as well as access to some SCADA systems.

They also taunted Thames Water, writing they had spent months inside the company's network and that it had "very bad holes in their systems."

That said, despite the bravado, the Clop crew was wrong about what biz it had targeted. The group didn't break into Thames Water, located in the south of England. In fact, it had attacked South Staffordshire in the Midlands, the parent company of South Staffs Water – which has 1.6 million customers – and Cambridge Water.

The mix-up could be seen from a list of usernames and passwords, including email addresses linked to South Staffordshire.

Thames Water issued a brief statement to customers disputing what it called a "cyber hoax," noting media reports that the company was under attack.

"We want to reassure you that this is not the case and we are sorry if the reports have caused distress," the org wrote. "As providers of an essential service, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide you with the services and support you need from us."

South Staffordshire issued its own statement, saying that the cyberattack hadn't affected its water operations and that both South Staffs and Cambridge were supplying water to all customers.

"This is thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis," officials wrote.

The company admitted that its corporate IT network was disrupted and that it is working with government and regulatory agencies to investigate the intrusion.

Within a couple of days, Clop updated its website, saying it was South Staffordshire that it attacked, and not Thames.

Fresh meat

Darren Williams, founder and CEO of cybersecurity firm BlackFog, noted the rush among threat groups to find victims in an increasingly crowded cybercrime field.

"With the rise of ransomware as a main attack method, criminals are running rampant to find any vulnerable systems they can take over," Williams told The Register in an email. "Whilst Clop did successfully breach South Staffordshire Water's systems, they totally missed the mark here, claiming responsibility for a breach that didn't happen."

However, though it might be embarrassing to the ransomware gang to misidentify its victim, the fact that it was targeting a water company "is quite harrowing," he said. "Severe drought conditions currently preside over the UK, with millions of households facing strict water usage restrictions. Clearly, attackers want to hit us where it hurts the most."

Chris Vaughan, area vice president of technical account management for EMEA for Tanium, noted the increasing attacks on utilities and other critical infrastructure.

"This is a trend which, unfortunately, I expect to continue," Vaughan told The Register in an email. "It's also a worrying reflection of the rapidly growing ransomware market, with major incidents being reported regularly. These attacks are growing in sophistication, and criminal gangs are becoming more targeted in their approach and increasing the huge sums of money that they are demanding."

Clop has been an active ransomware group over the past several years. According to a report earlier this year by Trend Micro, the malware evolved from a variant of the CryptoMix ransomware family and was first tagged with the Cl0p name in 2019. The group operates under a ransomware-as-a-service (RaaS) model and uses multilevel extortion methods, including publicly leaking data if its ransom demands aren't met.

A year ago, six suspected members of the gang were arrested in Ukraine. Trend Micro noted reports that only parts of the ransomware group's operations were disrupted, including the server infrastructure used by affiliates and channels needed for laundering cryptocurrency-based ransom payments.

"While the arrests in Ukraine might have dealt a big blow to Clop's operations, the group's criminal activities have gone unabated," Trend Micro researchers wrote. "Our detections of attack attempts showed non-stop malicious activities from January 2021 to January 2022."

The cybersecurity firm estimated that through November 2021, the Clop group had pulled in $500 million.

The ransomware gang faded from the spotlight after the arrests, but according to NCC Group eggheads, it came back with a vengeance in April – racking up 21 victims, compared to just one in March.

"The increase in Clop's activity seems to suggest they have returned to the threat landscape," Matt Hull, global lead for strategic threat intelligence for NCC, wrote in a report. "Organizations within Clop's most targeted sectors – notably industrials and technology – should consider the threat this ransomware group presents, and be prepared for it."

Tanium's Vaughan said that protecting an organization from ransomware and other attacks "comes down to ensuring security defenses are up to date, appropriately configured, and by making sure employee behavior is driven towards best practices." ®

Biting the hand that feeds IT © 1998–2022