Ransomware on Tap as Major Water Providers Fall Victim
US and UK Water Giants Report Network Breaches and Data Leaks, But No Encryption
Two major water supply systems in the United States and United Kingdom report that they recently fell victim to ransomware attacks. In both cases, attackers appear to have stolen employee or customer data that they're now holding to ransom. Neither organization has reported experiencing long-term outages as a result of files or folders being forcibly encrypted, or being told to pay any ransom.
The attacks affected Boston-based Veolia North America, which serves about 550 communities, and England's Southern Water, which serves four counties in the southeast of the country. Both companies said they're investigating and will notify individuals whose personal information was stolen.
All critical infrastructure sectors are under fire from ransomware attacks. A report released this week by British consultancy NCC Group says the count of publicly known ransomware attacks in 2023 reached 4,667, an 84% increase over the total for 2022. NCC Group said industrials, consumer goods, technology and healthcare are among the most common victims.
News of the attacks comes just days after the U.S. Cybersecurity and Infrastructure Security Agency published an incident response guide for the sector, together with the Environmental Protection Agency and FBI. "A compromise or failure of a water and wastewater sector organization could cause cascading impacts throughout the sector and other critical infrastructure sectors," the guidance warns.
The White House has been pushing multiple critical infrastructure sectors, including pipelines and railways, to review and improve their cybersecurity posture.
In March 2023, the EPA issued guidance setting minimum cybersecurity requirements for public water systems. After multiple state attorneys general fought the move in court, the EPA withdrew the initiative.
Veolia North America Confirms Hit
Veolia North America has 10,000 employees at more than 350 locations across the continental U.S. It runs water services for about 550 North American communities and provides industrial water services for approximately 100 industrial facilities, treating over 2.2 billion gallons of water and wastewater daily.
"Last week, a ransomware incident affected some software applications and systems in a portion of Veolia North America's Municipal Water division," the company said in a Friday statement. Veolia North America is owned by the publicly traded French transnational firm Veolia Environment, which supplies water and wastewater treatment, commercial and hazardous waste collection and disposal, and energy consulting.
Veolia North America said it had immediately brought in digital forensics investigators to probe the intrusion and to help buttress its cybersecurity defenses.
The company said it had temporarily taken the affected applications and systems offline, pending restoration. "As a result, some customers experienced delays when using our online bill payment systems," Veolia said.
Veolia said attackers had stolen some people's personal information that it was storing and said it will directly notify affected individuals.
No operational technology, including industrial control system environments, appears to have been affected. "This incident seems to have been confined to our internal back-end systems at Veolia North America, and there is no evidence to suggest it affected our water or wastewater treatment operations," the company said.
One of the first public signs of the attack and investigation surfaced two weeks ago, via the town of Hingham, Massachusetts, which runs the Weir River Water System for residents and businesses in the area. Hingham on Jan. 11 alerted its customers to the ransomware attack against Veolia North America, which is its third-party water management company.
"As a precautionary measure, Veolia has taken some of its internal systems offline for repair," the town told customers. "During this repair period, the Weir River Water System has temporarily suspended the link on its website to the Veolia billing system."
Veolia said all systems it had taken offline immediately following the attack "are working normally again" and that billing systems have been updated to reflect all payments made. "Customers will not be penalized for late payments or charged interest on their bills due to this service interruption," the company said.
Southern Water Confirms Attack
Separately, England's Southern Water this week said a ransomware group had infiltrated its network but that it appears no data was encrypted and no critical operations were disrupted. The privately owned utility said it is still ascertaining to what extent customer or employee data may have been stolen, and it promised to notify all data breach victims, as required by the UK General Data Protection Regulation.
"We are aware of a claim by cybercriminals that data has been stolen from some of our IT systems," Southern Water said in a Tuesday statement.
"We had previously detected suspicious activity, and had launched an investigation, led by independent cybersecurity specialists," it said. "Since then, a limited amount of data has been published. However at this point there is no evidence that our customer relationships or financial systems have been affected. Our services are not impacted and are operating normally."
Southern Water's attack confirmation followed the Black Basta ransomware group claiming to have successfully attacked the utility, which provides water services to 2.5 million customers and wastewater services to over 4.7 million customers across the southeast of England, including Sussex, Kent, Hampshire and the Isle of Wight.
Black Basta on its dark web data leak site claimed to have stolen 750 gigabytes of data from Southern Water, including corporate documents and users' personal documents and folders. The group published a sample of what it claimed were images of the utility's network file shares, as well as the personal information pages of passports and other identity documents the organization had collected from employees.
Security experts say the Russian-speaking Black Basta ransomware-as-a-service group, which first appeared in early 2022, appears to be a spinoff of the notorious Conti group and regularly practices double extortion, meaning it demands payment both for a decryptor and for a promise to delete stolen data (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
The U.S. Department of Health and Human Services in March 2023 warned that in less than a year, the group had perpetrated "massive breaches in critical infrastructure across multiple countries," and had appeared to carefully focus on larger targets.
"Rather than rely on comprehensive spray-and-pray tactics, the elusive group takes various precautions and relies on a more targeted approach, calculatingly assessing its victims before compromise," HHS said. "The group either excludes affiliates or only collaborates with a limited and trusted set of affiliates."