From NHS to water supplier: Are nation-state hackers targeting critical infrastructures in the UK?

Two weeks after a major IT provider to the NHS was hit by a ransomware attack, another ransomware attack impacted a UK water supplier.
18 August 2022


  • A Russia-linked ransomware gang known as Cl0p took credit for the attack on South Staffordshire PLC, among the most critical infrastructures in the UK.
  • Just two weeks before, managed service provider (MSP) Advanced confirmed that a ransomware attack on its systems disrupted emergency services (111) from the UK’s National Health Service (NHS).

Attacks targeting critical infrastructures are nothing new; adversaries have always sought to use them as leverage against their opponents. Nowadays though, the convergence of the physical and digital worlds makes the consequences of attacks harder to predict and, potentially, more damaging. Imagine a company that supplies water to millions of people being hit by a cyberattack. Well, that just happened to South Staffordshire PLC in the UK, the parent company of South Staffs Water and Cambridge Water.

Earlier this week, South Staffordshire PLC said it was experiencing disruption to its corporate computer network as a result of the incident, but that its ability to supply clean water hadn’t been affected. For context, the water supplier provides more than 1.5 million people with drinking water in areas surrounding Cambridge, the West Midlands, South Staffordshire, South Derbyshire, North Warwickshire and North Worcestershire, according to the company’s website.

A Russia-linked ransomware gang known as Cl0p took credit for the attack. In a twist of events though, the company that Cl0p had intended to attack was Thames Water, a much larger water company that supplies water to 15 million customers in Greater London and other areas on the river that runs through the city.

In a statement on a site it maintains on the dark web, Cl0p claimed it stole a large trove of data from the company and had gained access to systems that control the level of chemicals in the water. “If you are shocked, it is good,” the group stated, as reported by Bloomberg. The hackers even published screenshots appearing to show that they had gained access to a control system for a water treatment works known as Seedy Mill. 

The facility is located outside the city of Lichfield and processes drinking water from boreholes and a nearby reservoir, treating as much as 120 million liters (32 million gallons) of water daily and serving a population of 200,000 people, according to a video published in 2017 by South Staffs Water. In a statement following the attack, South Staffs Water credited “robust systems and controls over water supply and quality” in addition to “quick work of our teams” for keeping drinking water safe. 

Further inspection of the stolen data dumped on the Cl0p site appears to confirm that it doesn’t involve any attack on Thames Water, as it includes a spreadsheet of usernames and passwords featuring South Staffs Water and South Staffordshire email addresses, according to BleepingComputer. The breached data, published online after ransom negotiations between Cl0p and its victim broke down, also includes passports, screenshots from water-treatment SCADA systems, drivers’ licenses and more.

Coincidentally, two weeks earlier, on August 4, a ransomware attack on a software supplier hit the UK’s National Health Service (NHS). Advanced, the company which develops software for several parts of the healthcare industry, was the target. Services including patient referrals, ambulance dispatch, after-hours appointment scheduling, mental health services, and emergency medications were all apparently impacted.

“As you know, Advanced recently experienced a disruption to our systems that we have since determined to be the result of a cybersecurity incident caused by ransomware. On August 4, 2022, at approximately 7 am, our teams identified the cybersecurity incident. In response, we immediately took action to mitigate any further risk and isolated all of our Health and Care environments, where the incident was detected,” the company said.

No bad actors have claimed responsibility for the attack, so it could be either a criminal gang or even a state organization, experts believe. As it is, cyber incidents, be it on critical infrastructures or otherwise, have been surging worldwide. Last year alone, ransomware attacks increased by 1,885% against governments worldwide. On top of that, the healthcare industry faced a 755% increase last year. To top it off, the unprecedented ransomware attack against Colonial Pipeline last year shows that the parties responsible for critical infrastructures have made little progress in protecting them.