Water systems at South Staffordshire breached, leading to disruption in IT network

Cyber attackers have targeted South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, the company confirmed in a statement. The firm said it is working closely with the relevant government and regulatory authorities and will keep them and its customers updated as the company’s investigations continue.

South Staffordshire is “experiencing disruption to our corporate IT network and our teams are working to resolve this as quickly as possible. It is important to stress that our customer service teams are operating as usual,” the statement said on Monday. The company did not provide details on the nature of the attack, the number of systems affected, or whether the operational technology (OT) systems were affected.

The water company said that the incident “has not affected our ability to supply safe water, and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers. This is thanks to the robust systems and controls over water supply and quality we have in place at all times, as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis,” it added.

South Staffs Water supplies high-quality drinking water to approximately 1.3 million people and about 35,000 commercial customers across 1,500 square km. The company services the West Midlands, South Staffordshire, South Derbyshire, North Warwickshire, and North Worcestershire areas.

The attack against South Staffordshire comes as reports emerge that the Clop ransomware gang has claimed Thames Water as its victim in an announcement on its onion site. The gang claims to have accessed SCADA (supervisory control and data acquisition) systems that it could manipulate to cause harm to 15 million customers.

“The hackers allege to have informed Thames Water of its network security inadequacies and claim that they acted responsibly by not encrypting their data and only exfiltrating 5TB from the compromised systems,” Bleeping Computer wrote in an article on Tuesday.

Thames Water said in a statement that it is aware of reports in the media that it is facing a cyber attack and “want to reassure you that this is not the case and we are sorry if the reports have caused distress.”

As providers of an essential service, “we take the security of our networks and systems very seriously and are focused on protecting them so that we can continue to provide you with the services and support you need from us,” Thames Water added in its statement.

The Bleeping Computer report also revealed that among the published evidence, Clop presents a spreadsheet with usernames and passwords, which features South Staffs Water and South Staffordshire email addresses.

Commenting on the cyber attack, Darren Williams, CEO and founder at BlackFog, said in an emailed statement that “with the rise of ransomware as a main attack method, criminals are running rampant to find any vulnerable systems they can take over. Whilst Clop did successfully breach South Staffordshire Water’s systems, they totally missed the mark here, claiming responsibility for a breach that didn’t happen.”

“Nevertheless, whilst misidentification of their target is somewhat embarrassing, the very fact that a water board is their latest victim is quite harrowing: severe drought conditions currently preside over the UK, with millions of households facing strict water usage restrictions. Clearly, attackers want to hit us where it hurts the most,” according to Williams. “All organizations must remember how crucial it is to secure your environment and prevent data exfiltration at the endpoint if we are to prevent cataclysmic scarcities in our critical infrastructure supply chain,” he added.

Attacks against water systems are not new. Last year, unidentified cyber attackers gained access to a panel that controls the water treatment plant in the city of Oldsmar near Tampa, Florida. The change to the setting would have drastically increased the amount of sodium hydroxide in the water supply, officials from Pinellas County in Florida said.

Dragos researchers later discovered that an unnamed Florida water utility contractor hosted malicious code on their website, seemingly targeting water utilities, particularly in Florida. More significantly, the code was accessed by a browser from the city of Oldsmar on the same day as the poisoning event at the city’s water utility. The hacker is believed to have inserted the malicious code into the footer file of the WordPress-based site associated with a Florida water infrastructure construction company, Dragos pointed out in its report last May.
