Ransomware Gang Accessed Water Supplier’s Control System

Earlier this month, the notorious ransomware gang Cl0p announced it had hacked into a water supplier and claimed to have accessed the company’s internal network responsible for controlling industrial control systems, potentially giving them the ability to mess with the water flow. 

As proof, the hackers dumped the company’s internal data, which included screenshots that appeared to show interfaces used to control the water supply.

Now, security researchers who specialize in industrial control systems cybersecurity (ICS) and who have analyzed the data published by Cl0p think the gang could potentially have interfered with the systems of South Staff Water (SSW), a UK water supply provider. 

“They appear to have had sufficient access in the environment to conduct further operations in the environment, if desired,” Mark Plemmons, senior director of threat intelligence at the ICS cybersecurity company Dragos, told Motherboard in an email. 

“Two separate images serve as evidence of Cl0p’s claim of access to SSW’s operational technology (OT) and appear to be genuine screenshots of an Opus SCADA Master station Human Machine Interface (HMI) taken two days after the start of Cl0p’s data exfiltration,” Plemmons added.

SCADA, or Supervisory Control and Data Acquisition, is a system that comprises graphical interfaces to control and monitor machines and processes in an industrial environment. 

The hackers who are part of Cl0p said that “yes, there was access, but we made only screenshots.”

“We do not harm people and treat critical infrastructure with respect,” the hackers wrote in an email to Motherboard. “We didn’t really go into it because we didn’t want to harm anyone.”

South Staffs Water did not respond to a request for comment. In a statement published after the incident became public, the company said that “This incident has not affected our ability to supply safe water and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers.”

Danielle Jablanski, another ICS cybersecurity researcher, noted that just because the hackers saw those interfaces, it doesn’t necessarily mean they were able to control them, and that there’s no evidence that proves that. 

“The HMI screen grab indicated they were likely able to move from a corporate network into an operational technology network, but the ability to make changes and pass commands is different than potentially accessing a monitoring or remote viewer capability,” Jablanski, who works as an OT cybersecurity strategist at Nozomi Networks, told Motherboard. “They could have established that command and control capability, but the available screenshots do not confirm that explicitly.”

“There also would typically be user-specific privileges. The screen grabs show a mimic of the processes, but not who is logged into the control panel or whether the machine/access where the screen grab was taken has ability to make changes to the process control systems,” she added. 

Mimics are a graphical interface that displays plant information, according to the maker of the software shown in Cl0p’s screenshots.

It’s unclear if the hackers realized what they got access to. When they publicized the hack, in an embarrassing blunder, Cl0p said it had hacked a completely different water supplier, Thames Water. 

Patrick Miller, the CEO of cybersecurity firm Ampere Industrial Security, agreed with Jablanski that “the screenshots are of a mimic, which can be read-only, but in some cases can also have control capability.”

“Based on preliminary analysis, it's still a big deal from an access perspective,” Miller told Motherboard in an online chat, adding that it’s possible the interface shown in the screenshots was “for visibility and possibly some control.”

“Definitely not a good situation, but couldn't determine if the actual water SCADA was accessed or not,” Miller said. “Unless someone has taken the time to go through the full download of many TB of data to find legit SCADA access, it's just speculation - and most of what we have found so far is mimics and data ABOUT the SCADA not proof of actual SCADA access.”

Subscribe to our podcast, CYBER. Subscribe to our new Twitch channel.