A UK water company has sought to reassure the public that their supply is still safe after reports that its attackers had claimed they could manipulate industrial processes at the firm’s plants.
South Staffordshire PLC, which owns South Staffs Water and Cambridge Water, admitted in a statement on August 15 that it had been the target of a cyber-attack and that it was experiencing disruption to the corporate network.
“As you’d expect our number one priority is to continue to maintain safe public water supplies. This incident has not affected our ability to supply safe water and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers,” it added.
“This is thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis.”
However, this runs at odds to statements from infamous ransomware group Cl0p, which reportedly posted data stolen from the water company on its leak site.
Although in a rare slip-up the group apparently misidentified the victim organization, it claimed to not only have plenty of data to leak if South Staffordshire PLC doesn’t pay up, but also access to key systems.
Specifically, it claimed to have access to the SCADA systems which control industrial processes at treatment plants, as well as other facilities, according to Sky News.
"It would be easy to change chemical composition for their water but it is important to note we are not interested in causing harm to people,” the group reportedly said.
It i unclear how the organization was compromised in the first instance. However, a recent report revealed thousands of exposed Virtual Network Computing (VNC) instances managed by global critical infrastructure (CNI) organizations such as water treatment plants, which could enable attackers to access SCADA systems.
It calls to mind a worrying incident in February 2021 when an attacker tried to poison the inhabitants of a Florida city after remotely controlling the computer operating a facility’s water treatment system.