Comedy of Errors: Ransomware Group Extorts Wrong VictimNot the First Time Ineptitude - or Blatant Lying - Invalidates Criminals' Claims
Today's top cybercrime bogeyman is arguably the ransomware-wielding hacker. But as details of ransomware operations get leaked or otherwise come to light, many ransomware practitioners look less like criminal masterminds and more like bit players in a comedy of errors.
The latest example features the Cl0p ransomware group, which has named Thames Water Utilities Ltd. as a victim and has been attempting to extort the public utility, which supplies water to 15 million customers in England.
Via its dedicated data leak site, reachable using the anonymizing Tor browser, Cl0p claims that it encrypted no systems at the victim. Likewise, it claims that it could have accessed the supervisory control and data acquisition systems used to run the organization's operational technology environment but chose to not do so.
"Cl0p is not political organization and we do not attack critical infrastructure or health organizations," the group claims. "We decide that we do not encrypt this company, but we show them that we have access to more of 5TB of data. Every system including SCADA and these system which control chemicals in water. If you are shocked it is good."
Just one problem: Cl0p named the wrong victim.
As Sky News first reported, the ransomware group's victim was in fact South Staffs Water and Cambridge Water, which supplies water to about 1.6 million individuals in England.
As providers of an essential service we take the security of our networks and systems very seriously and are focussed on protecting them, so that we can continue to provide you with the services and support you need from us. (2/2)— Thames Water (@thameswater) August 15, 2022
"Perhaps their sloppiness is the result of staffing challenges - not due to COVID, but … a half dozen of them are now languishing in the choky," says Brett Callow, a threat analyst at Emsisoft (see: Ukraine Arrests 6 Clop Ransomware Operation Suspects).
Via ineptitude or outright lying, this isn't the first time that a ransomware group has named the wrong victim or an organization that didn't fall victim at all. In June, for example, LockBit claimed to have hacked cybersecurity giant Mandiant. But experts have widely debunked the claim, and threat intelligence firm Kela said it was a cheap "trick to gain attention from the public" and inflate the group's cybercrime stature (see: Ransomware Groups Refine Shakedown and Monetization Models).
South Staffordshire Confirms Attack
South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, has confirmed that it was the victim of this attack.
"As you'd expect our number one priority is to continue to maintain safe public water supplies," it says. "This incident has not affected our ability to supply safe water and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers."
It adds: "This is thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis."
Due to the attack, however, the company's "corporate IT network" remains down, although it says customer support staff "are operating as usual."
It's not clear if billing, service activation or other operations have been disrupted or for how long South Staffordshire PLC expects the recovery to take. It says it's working with authorities to investigate and remediate the incident.
Government authorities say both the Department for Environment, Food and Rural Affairs - aka Defra - as well as the National Cyber Security Center, which is the public-facing arm of intelligence and cybersecurity agency GCHQ, are assisting.
"Defra and NCSC are liaising closely with the company," a government spokesperson says. "Following extensive engagement with South Staffordshire PLC and the Drinking Water Inspectorate, we are reassured there are no impacts to the continued safe supply of drinking water, and the company is taking all necessary steps to investigate this incident."
Attackers Appeal to Victim's Customers
Belated, Cl0p updated its data-leak site with the message "an error has occurred" and listed South Staffs Water and Cambridge Water as the victim. But Cl0p's claims of hacking the Thames Valley IT network make whatever message it's peddling tough to take seriously.
"We spent months in the company system and saw first-hand evidence of very bad practice," Cl0p claims on its Tor-based leak site.
As proof that Cl0p had infiltrated the water supplier's network, the group also leaked a subset of stolen information, including copies of passports and driver's licenses, apparently supplied by customers to validate their identity.
To add pressure on victims to pay a ransom, many ransomware groups now appeal to a victim's customers, sometimes contacting them directly - or even making stolen customer data searchable on their data leak site.
Cl0p issues just such a - grammatically mangled - call to the water supplier's customers: "Hold your institution liable. Hold your people to higher standard. We are Cl0p. If you do wrong we find you and help you fix or make you fix. Decision is your."
While this incident stands as a comedy of errors made by the ransomware group, of course it's no laughing matter for the actual victim or its customers, including individuals whose passports and driver's license numbers have been exposed by the attackers' ham-fisted extortion attempt.
August 17, 2022: This story has been updated to include Cl0p's revised data-leak site messaging and comment from Emsisoft's Brett Callow.