[Security Weekly] UK Water Supplier Hit by Clop Ransomware in Mistargeted Attack

water supplier thumbnail

August 2022, Issue II


1. UK water supplier hit by Clop ransomware in mistargeted attack

South Staffs Water (SSW), a UK water supply company that serves drinking water to 1.6 million residents in England, suffered an attack by the Clop ransomware gang, who mistakenly identified its target to be another water supplier – Thames Water.

Right after the Clop ransomware gang wrongfully claimed to have breached Thames Water – which is the largest water supplier in the UK – Thames Water immediately debunked the claim. At the same time, SSW discovered that its systems have been targeted by a cyberattack.

On its leak site, Clop claimed to have remained in the company’s system for months and obtained access to the SCADA systems, which control water chemical levels. However, due to “ethical” reasons, it did not encrypt the system and only exfiltrated 5 TB of data for ransom extortion. SSW also confirmed that its ability to supply safe drinking water was not impacted. 

The Clop ransomware gang later published a sample of the stolen data, which included copies of employee passports and driver’s licences, as well as screenshots of the SCADA systems. The email addresses and screenshots clearly indicate that the victim is SSW instead of Thames Water, which makes it unreasonable how Clop could have misidentified its target. Nonetheless, the victim information on the leak site was later changed from Thames Water to SSW.

Sources: ZDNet, Threatpost, Computer Weekly


2. UK National Health Service suffers cyberattack, emergency services disrupted

Advanced, a managed service provider (MSP) of UK’s National Health Service (NHS), suffered a cyberattack that disrupted the NHS 111 emergency service, impacting patient referrals, appointment bookings, emergency prescriptions, and a wide range of medical-related operations.

In the UK, while 999 provides EMS dispatch for life-threatening emergencies, NHS 111 provides medical advice and out-of-hour patient referrals for non-life-threatening emergencies, offered through both phone calls and online.

Advanced stated that it first detected the attack on August 4, after which its clinical patient management software Adastra was paralyzed. Adastra is used to manage 85% of all NHS 111 services. Other services provided by the firm were also impacted, including its electronic patient record software, care management software, and even public sector financial management software.

Advanced is now working with forensic experts to recover its systems, but says that it might take at least three to four weeks to fully restore its services. Evidence suggests that ransomware was likely deployed.

Sources: Infosecurity, The Guardian, BBC


3. Twilio suffers data breach from social engineering attack against employees

Twilio, a San Francisco-based customer engagement platform powered by cloud APIs, suffered a data breach as a result of a series of sophisticated SMS phishing attacks against its employees.

Both current and former employees received text messages from the “IT department”, notifying them that their password expired or that their meeting schedule was changed, prompting them to click on a URL that took them to a fake Twilio login page controlled by the attackers. Given that the attackers were able to address the employees by their name in the message, many fell victim to the attack.

The attackers then used these stolen credentials to log in to Twilio’s internal systems that contained customer data. The information of 125 customers was confirmed to be breached. Additionally, the attack also impacted telecommunications provider Signal, which uses Twilio’s phone number verification service. During the intrusion, the attackers were able to see the phone numbers of 1,900 Signal users who used Twilio’s SMS verification service to register their devices. This leak could potentially enable the attackers to register these Signal users’ phone numbers on their own devices.

Cloudflare also suffered a similar attack, resulting in the compromise of some employee login credentials. But these leaked credentials were not enough for the attackers to access its internal systems as they are protected by two-factor authentication (2FA).

Although social engineering attacks are becoming increasingly sophisticated and difficult to distinguish, data breaches like this can be effectively avoided with a robust multi-factor authentication (MFA) system like iSIGN+. Learn more about iSIGN+ here.

Sources: Bleeping Computer, TechCrunch, CPO Magazine


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Car, Energy, Factory, City Solutions: Penta IoT Security