Hackers infiltrated the corporate-side of a utility that supplies water to about 1.3 million people in the United Kingdom. However, the apparent data breach may not have been the one the cyber-criminals were aiming for.
Ransomware gang ClOP (previously responsible for one of 2021's biggest hacks) claimed to have infiltrated Thames Water, the United Kingdom’s largest drinking water utility, on Monday, according to a report from Bleeping Computer. However, the utility denied any breach of its system. Meanwhile, another UK utility, South Staffordshire Water, confirmed it was attacked.
Thames Water services 15 million people, more than ten times the scale of South Staffordshire. So, although any attack on a public utility is clearly bad, there’s a big difference between the scale of what ClOP claimed and what utilities copped to.
Hackers’ Claims Against Utilities
South Staffordshire PLC (the parent company of South Staffordshire Water) admitted its corporate IT network had been accessed by hackers, in a public statement published Monday. However, SSW didn’t indicate that they’d been contacted for ransom. “We are experiencing disruption to our corporate IT network and our teams are working to resolve this as quickly as possible. It is important to stress that our customer service teams are operating as usual,” the company wrote. The water provider further claimed that “this incident has not affected our ability to supply safe water.”
Aside from the company statements, evidence of the reported cyber-criminal confusion appeared in screenshots that Bleeping Computer published from ClOP’s Tor site. The cyber gang reportedly wrote that they had breached and “spent months in” Thames Water’s system. However, to back up their hack success, they posted email lists clearly associated with South Staffordshire Water (not Thames) employees and published leaked documents, one of which was explicitly addressed to SSW.
Yes, not noticing that you’ve hacked the wrong utility seems like a silly mistake to make, but anything is possible. Another thing that could be possible is that both utilities were actually targeted in cyber attacks, and Thames either didn’t notice or didn’t admit its own security failing. Note: Thames Water did indicate some service disruption on their site on Monday, but that was later attributed to a burst pipe and could easily have been unrelated.
Neither South Staffordshire Water, nor Thames Water immediately responded to Gizmodo’s request for comment.
What Are The Implications?
Any security breach or attack on a critical public service or utility is rightfully unsettling. Last year, a cyber-attacker attempted to poison a Florida Town’s water supply, and revealed just how weak utilities’ security protections can be. Though the hackers in this case may have fumbled, it’s still pretty scary that they were able to disrupt any function of a water provider at all.
Security experts have long warned of the risk that the energy grid, water supply, and other basic societal supports could be vulnerable to hacks. And unfortunately, the problem might be getting worse. “Although this attack appears to have been relatively benign, it does set a worrying precedent,” Jamie Akhtar, CEO of security startup CyberSmart, told the BBC.