The Cl0p ransomware group has claimed an attack on UK-based utility supplier South Staffs Water after misattributing the attack to a different company.
South Staffs Water confirmed the attack on Monday, saying it was “experiencing disruption to [its] corporate IT network”, but did not state the attack was ransomware in nature.
Cl0p published a trove of stolen documents on its leak blog on Monday, including passport scans, spreadsheets, drivers' licences, screenshots of wastewater treatment software user interfaces, and more.
It also claimed to have access to more than 5TB worth of data belonging to the hacked company which it falsely believed to be Thames Water, despite many of the published documents clearly showing South Staffs Water as the victim.
“Thames Water supply much of critical water services to people and companies,” read a statement from the ransomware gang. “Companies like this have much responsibility and we contact them and tell them that they have very bad holes in their systems. All systems.
“We spent months in the company system and saw first-hand evidence of very bad practice. This company is all for money and not deliver reliable service,” Cl0p added. “It is better to save one pound so management can make bonuses and stock price do well. They lost way when only concentration on finance.”
It also agreed to not encrypt any of the data belonging to the victim because doing so would violate the group’s policy to not attack critical infrastructure or healthcare organisations, it said.
Its unorthodox approach to ransomware saw it allegedly exfiltrate data from the water supplier and request money for its return, rather than locking staff out of their environments.
According to Cl0p, the outside negotiators working on South Staffs Water’s behalf offered a low sum for the data’s return and for information on how it was able to breach the supplier, an amount Cl0p branded a “joke”.
Cl0p said it had access to “every system” including supervisory control and data acquisition (SCADA) software used for managing industrial processes. In this case, Cl0p claimed it had access to the tools that controlled the chemical composition of water supplies.
Although it also said that the supplier ‘does not need to be afraid’ since the group will not maliciously tamper with systems, but warned other groups may not be as sympathetic.
RELATED RESOURCE
Introducing IBM Security QRadar XDR
A comprehensive open solution in a crowded and confusing space
Ransomware organisations often differ in terms of their philosophies and moral codes. Some outfits like the now-shuttered Conti were open in their amoral approach to ransomware.
The group was well known for being content with attacking big businesses as well as more sensitive organisations like charities and healthcare groups, such as US-based reproductive healthcare non-profit Planned Parenthood.
Ransomware criminals are also known for embellishing the truth of their attacks, sometimes claiming they have access to certain information when perhaps they may have merely seen the files on a drive, rather than stolen them or have the necessary privileges to access them.
Earlier this year, LockBit famously claimed an attack on cyber security giant Mandiant which turned out to be false and merely a PR stunt. Okta also revealed that the attack on the company by LAPSUS$ in March was overblown by the hackers' account of events.
Little information on the attack was offered by South Staffordshire PLC, the parent company of water supplier South Staffs Water, in a disclosure notice.
It confirmed that the company was still supplying water to Cambridge Water and South Staffs Water customers, a combined 1.6 million customers. It said this “is thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis.”
The company’s customer service teams are operating as usual and the appropriate authorities and regulators have been notified, it added.
-
Gender diversity improvements could be the key to tackling the UK's AI skills shortageNews Encouraging more women to pursue tech careers could plug huge gaps in the AI workforce
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
