UK water supplier confirms hack by Cl0p ransomware gang

Ransomware mockup with dark red colour scheme, a lock denoting encryption, and binary code set in the backdrop
(Image credit: Getty Images)

The Cl0p ransomware group has claimed an attack on UK-based utility supplier South Staffs Water after misattributing the attack to a different company.

South Staffs Water confirmed the attack on Monday, saying it was “experiencing disruption to [its] corporate IT network”, but did not state the attack was ransomware in nature.

Cl0p published a trove of stolen documents on its leak blog on Monday, including passport scans, spreadsheets, drivers' licences, screenshots of wastewater treatment software user interfaces, and more.

It also claimed to have access to more than 5TB worth of data belonging to the hacked company which it falsely believed to be Thames Water, despite many of the published documents clearly showing South Staffs Water as the victim.

“Thames Water supply much of critical water services to people and companies,” read a statement from the ransomware gang. “Companies like this have much responsibility and we contact them and tell them that they have very bad holes in their systems. All systems.

“We spent months in the company system and saw first-hand evidence of very bad practice. This company is all for money and not deliver reliable service,” Cl0p added. “It is better to save one pound so management can make bonuses and stock price do well. They lost way when only concentration on finance.”

It also agreed to not encrypt any of the data belonging to the victim because doing so would violate the group’s policy to not attack critical infrastructure or healthcare organisations, it said.

Its unorthodox approach to ransomware saw it allegedly exfiltrate data from the water supplier and request money for its return, rather than locking staff out of their environments.

According to Cl0p, the outside negotiators working on South Staffs Water’s behalf offered a low sum for the data’s return and for information on how it was able to breach the supplier, an amount Cl0p branded a “joke”.

Cl0p said it had access to “every system” including supervisory control and data acquisition (SCADA) software used for managing industrial processes. In this case, Cl0p claimed it had access to the tools that controlled the chemical composition of water supplies.

Although it also said that the supplier ‘does not need to be afraid’ since the group will not maliciously tamper with systems, but warned other groups may not be as sympathetic.


Introducing IBM Security QRadar XDR

A comprehensive open solution in a crowded and confusing space


Ransomware organisations often differ in terms of their philosophies and moral codes. Some outfits like the now-shuttered Conti were open in their amoral approach to ransomware.

The group was well known for being content with attacking big businesses as well as more sensitive organisations like charities and healthcare groups, such as US-based reproductive healthcare non-profit Planned Parenthood.

Ransomware criminals are also known for embellishing the truth of their attacks, sometimes claiming they have access to certain information when perhaps they may have merely seen the files on a drive, rather than stolen them or have the necessary privileges to access them.

Earlier this year, LockBit famously claimed an attack on cyber security giant Mandiant which turned out to be false and merely a PR stunt. Okta also revealed that the attack on the company by LAPSUS$ in March was overblown by the hackers' account of events.

Little information on the attack was offered by South Staffordshire PLC, the parent company of water supplier South Staffs Water, in a disclosure notice.

It confirmed that the company was still supplying water to Cambridge Water and South Staffs Water customers, a combined 1.6 million customers. It said this “is thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis.”

The company’s customer service teams are operating as usual and the appropriate authorities and regulators have been notified, it added.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.