Ransomware Group Claims Access to SCADA in Confusing UK Water Company Hack

A ransomware group has hit at least one water company in the United Kingdom, but there is some confusion over whose systems were actually breached.

The Cl0p ransomware group has claimed on its Tor-based leak website that it has breached the systems of Thames Water, which advertises itself as the UK’s largest water and wastewater company, serving 15 million people.

However, cybersecurity experts have pointed out that while Cl0p names Thames Water on its site, the files leaked as proof of the breach actually appear to belong to a different water company named South Staffordshire, whose subsidiaries, South Staffs Water and Cambridge Water, serve 1.6 million people and tens of thousands of businesses in the UK.

On its website, Cl0p names Thames Water with the company’s address and revenue, but a phone number and a second address shown on the same page belong to South Staffs Water. Some leaked documents also reference South Staffordshire and South Staffs Water.

Cl0p ransomware attack on UK water company

At least one local British news website posted an alarmist headline — now removed — warning about possible water contamination resulting from the alleged Thames Water hack.

Thames Water issued a statement on Tuesday saying that the media reports are false. Also on Tuesday, South Staffordshire confirmed being targeted by cybercriminals.

South Staffordshire provided few details, but said the incident disrupted its corporate IT network and claimed that its ability to supply safe water has not been affected “thanks to the robust systems and controls over water supply and quality we have in place at all times”.

South Staffordshire's reassurance to customers about the safety of the water supply, and the alarmist headlines, both stem from the hackers' claim to have gained access to all of the company's systems, including SCADA (supervisory control and data acquisition) systems that, according to the cybercriminals, "control chemicals in water".

“It would be easy to change chemical composition for their water but it is important to note we are not interested in causing harm to people,” the cybercriminals said.

Two of the screenshots they published do show human-machine interface (HMI) systems that could potentially allow someone to tamper with industrial control systems (ICS), but some HMIs are only used for monitoring purposes. One of the screenshots shows HMIs that seem to relate to wastewater treatment.

Water SCADA hacked in ransomware attack

Ilan Barda, CEO of OT cybersecurity firm Radiflow, confirmed to SecurityWeek that the screenshots are from a real HMI system and that such HMIs can be used to control the chemicals in the water purification process.

"However, such chemical processes are non-linear – minor changes can quickly drift the desired pH level out of safety ranges. So to maintain a usable pH level, it is required to have a real-time managed control loop, which is done at the PLC level. As such, configuration changes via the HMI will be detected and alerted at the PLC level and are unlikely to cause damage to the output water supply," Barda explained.

“Note however that when an attacker gains access to such an internal OT computer they can also install a hidden malware that will further spread in the internal OT network and might eventually reach assets in which it can cause real damage,” he added. “So even though the site might remain operational it is highly recommended to perform an in-depth cyber inspection of all the assets for such additional dormant malwares.”
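To illustrate the point Barda makes about PLC-level validation, here is a small added example (constructed for this article, not code from Radiflow, South Staffordshire, or any vendor). It models a PLC-side guard that checks every setpoint write coming from an HMI against engineering limits and a maximum per-write step, holds the current value when a write is rejected, and records an alarm for each rejection. All tag names, limits and the sequence of HMI writes are assumed sample values.

```python
"""Constructed illustration: a PLC-side guard for an HMI-written dosing setpoint.

The idea from the article is that an HMI write is not the last word. The PLC
running the control loop can validate the requested value against engineering
limits and raise an alarm on anything out of range, so a tampered or mistaken
setpoint is detected and held back rather than silently applied.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class SetpointGuard:
    tag: str              # assumed tag name, e.g. "PH_SP_DOSING"
    low: float            # engineering low limit
    high: float           # engineering high limit
    max_step: float       # largest change accepted in a single write
    current: float        # setpoint currently in force
    alarms: List[str] = field(default_factory=list)

    def write(self, requested: float, source: str) -> float:
        """Apply an HMI write if it passes both checks; otherwise keep the
        current setpoint and record an alarm. Returns the effective setpoint."""
        if not (self.low <= requested <= self.high):
            self.alarms.append(
                f"{self.tag}: {source} requested {requested} outside "
                f"[{self.low}, {self.high}]; held at {self.current}"
            )
            return self.current
        if abs(requested - self.current) > self.max_step:
            self.alarms.append(
                f"{self.tag}: {source} requested {requested}, step "
                f"{abs(requested - self.current):.2f} exceeds {self.max_step}; "
                f"held at {self.current}"
            )
            return self.current
        self.current = requested
        return self.current


# Constructed sequence of HMI writes: (requested value, originating station).
SAMPLE_WRITES: List[Tuple[float, str]] = [
    (7.4, "HMI-01"),   # small, in-range change: accepted
    (9.8, "HMI-01"),   # outside engineering limits: rejected, alarm
    (7.9, "HMI-01"),   # in range but too large a jump: rejected, alarm
    (7.6, "HMI-01"),   # small change from the held value: accepted
]


def replay(writes: List[Tuple[float, str]]) -> Tuple[float, List[str]]:
    """Run a sequence of HMI writes through a pH setpoint guard with assumed
    limits and return the final effective setpoint and the alarms raised."""
    guard = SetpointGuard(tag="PH_SP_DOSING", low=6.5, high=8.5,
                          max_step=0.3, current=7.2)
    for value, source in writes:
        guard.write(value, source)
    return guard.current, list(guard.alarms)


if __name__ == "__main__":
    final, alarms = replay(SAMPLE_WRITES)
    print(f"effective setpoint: {final}")
    for line in alarms:
        print("ALARM", line)
```

The guard deliberately holds the last good value instead of clamping to the nearest limit: clamping would still move the process in the direction the attacker asked for, while holding keeps the loop where it was and leaves the alarm as the record that something tried to move it.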

The cybercriminals claim to have stolen more than 5 Tb of information after spending months in the company’s networks. They also claim that files have not been encrypted — as in many other attacks — and that the victim did offer to pay a ransom, but the amount was too low.

Hundreds of companies have been targeted by the Cl0p ransomware and NCC Group reported recently that many of its victims are in the industrial sector. Several people accused of having some type of role in the Cl0p operation have been arrested, but that does not appear to have had a big impact.

It’s not uncommon for threat actors to target companies in the water sector, and ransomware groups have been known to access SCADA systems in these organizations. While in some cases the attackers might not know too much about how the compromised ICS works, there are some threat actors that know exactly what they are doing.

*updated with information from Ilan Barda

Related: US Says National Water Supply ‘Absolutely’ Vulnerable to Hackers

Related: Kansas Man Admits Hacking Public Water Facility

Related: Probe Into Florida Water Plant Hack Led to Discovery of Watering Hole Attack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
