Confused cyber criminals have hacked a water company in a bizarre case of mistaken identity

A company which provides 1.6 million people with drinking water says it has been targeted by cyber criminals -- who appear to mistakenly believe they've tapped into a different water supplier.
Written by Danny Palmer, Senior Writer
Image: Getty/Kentaroo Tryman

A water company that supplies drinking water to over 1.6 million people in the UK says it has been hit by a cyber attack. But the criminal gang involved appears to have claimed it had breached a different water utilities firm.

South Staffordshire Water says it has been the "target of a criminal cyber attack" which is causing disruption to its corporate IT network, but hasn't affected the company's ability to provide safe drinking water to customers. 

"This is thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis," the company said in a statement. 

South Staffordshire Water hasn't divulged the nature of the cyber attack it has suffered, but the company revealed that it had been targeted by criminal hackers shortly after the Clop ransomware gang claimed to have hit another water company, Thames Water, who say that reports they've been breached are a "cyber hoax". 

"We are aware of reports in the media that Thames Water is facing a cyber attack. We want to reassure you that this is not the case," the company said. 

"As providers of an essential service we take the security of our networks and systems very seriously and are focussed on protecting them, so that we can continue to provide you with the services and support you need from us". 

In a statement posted to its leak site, Clop claimed it has spent "months" in the company system. If that's the case, it's unclear why the ransomware gang thought it was in the network of Thames Water if it had actually breached the network of South Staffordshire Water -- two separate companies that provide water to different parts of the UK. 

SEE: Ransomware: Why it's still a big threat, and where the gangs are going next

The ransomware hackers also claim to have access to SCADA (Supervisory Control and Data Acquisition) industrial control systems that control chemicals in the water, a claim that South Staffordshire Water refutes. "This incident has not affected our ability to supply safe water," the company said.

While Clop claims to have access to the network, the gang says it has not encrypted it, claiming "we do not attack critical infrastructure". Despite that, Clop claims to have stolen more than 5TB of data and is trying to extort a ransom payment in exchange for not releasing it.

It's currently unclear what sort of ransom demand has been made, or if the demands have been met – particularly if the attackers were apparently trying to extort a payment from the wrong target.

South Staffordshire Water says it's "working closely with the relevant government and regulatory authorities" and that it will keep them, and customers, updated as investigations into the incident continue. 

"We are aware that South Staffordshire Plc has been the target of a cyber incident. Defra and NCSC are liaising closely with the company," a government spokesperson told ZDNET. 

"Following extensive engagement with South Staffordshire Plc and the Drinking Water Inspectorate, we are reassured there are no impacts to the continued safe supply of drinking water, and the company is taking all necessary steps to investigate this incident."

ZDNet has contacted South Staffordshire Water but is yet to receive a response at the time of writing, while a National Cyber Security Agency (NCSC) spokeperson told us that it's not possible to comment on an ongoing incident. 

NCSC CEO Lindy Cameron recently described ransomware as "the biggest global cyber threat we still face" and the cybersecurity agency has warned victims not to pay ransoms so as to not encourage further attacks. 

Members of the Clop ransomware gang were arrested in a sting by Ukrainian police last year, but this attack, alongside others, shows that the group seemingly remains active. 


Editorial standards