Last week at the FL Public Power Cybersecurity Summit, I spoke about the South Staffs Water hack, sifting through the evidence to separate fact from fiction. This two-part blog (second part coming next week) will go through my findings for those who were unable to attend the conference in person.
Ransomware continues to be a cross-industry challenge for organizations worldwide. While not necessarily targeted at industrial control systems (ICS), numerous cases exist of “splash damage” where ransomware affects an organization with critical infrastructure.
In August 2022, South Staffs Water in the United Kingdom was the victim of such an attack by the Cl0p ransomware group and joined the list of ICS attack case studies. When the news hit, many in the community were quick to commentate… almost too quick. For this initial blog, let’s look at the breach, an overview of the data released, and the initial hot takes from media and industry.
Victim and Event Overview
South Staffs Water is a utility in central England serving approximately 500,000 homes and 35,000 commercial customers. South Staffs serves its 1.6 million customers through a number of assets, including reservoirs and water treatment facilities.
On August 15th, 2022, numerous online sources reported that the Cl0p gang had posted initial breach data to the “dark web,” with preview screenshots appearing mainly on Twitter. At first, Cl0p claimed they had breached another, larger company, “Thames Water,” causing some initial confusion; the leak-site listing was later corrected.
The initial breach data, specifically a spreadsheet of contact information, clearly indicated that South Staffs Water was the actual victim based on email domain information.
Amongst the preview images of passports and other personal information, there were two images of an HMI (human-machine interface) that caught folks’ attention. Preview data is often posted ahead of the full data dump to prove access and pressure the victim into paying the ransom, either to decrypt their systems or to prevent public disclosure of the information.
By Cl0p’s own admission in their leak-site post, they “decided” not to encrypt the data because of the nature of the company but were going forward with full disclosure. Here’s a basic timeline of events:
And thus begins our story of breach data, industry speculation, and the dangers of assumptions. Here’s how two images of an HMI turned into “Hackers accessed water SCADA” and the process of externally validating claims.
Breach Data Dump Overview
Initial claims from Cl0p were that 5TB of data was accessed. The preview data on August 15th showed mostly personal data related to HR (along with the previously mentioned two HMI screens), so analysts would have to wait for the full breach to really understand and make determinations (or would they?).
On August 22nd, Part 1 of the data dump was released on the dark web. (What is the dark web? https://www.csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html)
Quick notes for those who have never accessed the dark web:
- The Onion Router (Tor) is free and open source software that routes traffic through a volunteer-run “overlay” network of relays. It hosts “onion services” reachable only from inside the network (the “dark web”) and also anonymizes ordinary internet traffic by sending it out through “exit nodes”
- Tor can be easily accessed via browsers, such as the official Tor Browser or others with built-in support, such as Brave’s private window with Tor
- Because every connection hops through several volunteer relays of varying bandwidth, throughput is low, and multi-gigabyte downloads can take days
In the weeks after August 22nd, Parts 2-7 were released — but this was well after the industry and media had made their determinations. Given bullet #3 and the sheer volume of data, quick analysis (and quick commentary) of the breach data is nearly impossible: the download alone takes days.
Here is a breakdown of the Part 1 data fully released on August 22nd:
What’s interesting here is that 99% of the data in Part 1 is administrative, mostly HR records and personnel directories.
Only a few directories related to anything operational.
Example SCADA Data released in the Breach:
This trend eventually continued with Parts 2-7, which were released later. For the sake of brevity, here is an overview of the breach data parts, their size, and content.
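As an added example (not SynSaber’s tooling, and nothing from the Cl0p dump), here is a small Python script that does the kind of triage described above. Given a file listing of the sort leak sites publish alongside each part, it buckets paths into administrative versus operational categories by size and count, and surfaces the handful of operational files worth opening first, so an analyst can form a view of what was actually taken before committing to a multi-day download over Tor. The manifest, the category keywords, and the ICS file extensions are constructed assumptions for illustration.

```python
"""Triage a leak-site file manifest by category before downloading the dump.

Added illustration; not the tooling of SynSaber or of any party in the South
Staffs Water case. The manifest below is constructed for the example.
"""
from collections import defaultdict
import re

# Constructed sample manifest: (path, size in bytes). Not real breach data.
SAMPLE_MANIFEST = [
    ("part1/HR/Personnel Directory 2021.xlsx", 4_500_000),
    ("part1/HR/Passports/scan_0142.jpg", 2_100_000),
    ("part1/HR/Payroll/Q2_2022.pdf", 900_000),
    ("part1/Finance/Invoices/2022-03.pdf", 650_000),
    ("part1/IT/Helpdesk/tickets_export.csv", 300_000),
    ("part1/Operations/Telemetry/HMI_screen_01.png", 800_000),
    ("part1/Operations/Telemetry/site_overview.png", 750_000),
    ("part1/Operations/Telemetry/pumpstation.xml", 120_000),
    ("part1/Marketing/brand_guidelines.pptx", 15_000_000),
]

# Keyword rules, checked in order; first match wins. Operational rules come
# first so an HMI screenshot filed under an HR folder is still flagged. The
# keywords and project-file extensions (.l5x/.acd Rockwell, .mer FactoryTalk,
# .apa ABB) are assumed examples, not a list taken from this breach.
CATEGORY_RULES = [
    ("operational", re.compile(
        r"(scada|hmi|telemetry|plc|opus|rtu|historian|\.l5x$|\.acd$|\.mer$|\.apa$)", re.I)),
    ("hr_personnel", re.compile(r"(hr/|payroll|passport|personnel|employee)", re.I)),
    ("finance", re.compile(r"(finance|invoice|accounts)", re.I)),
    ("it_admin", re.compile(r"(/it/|helpdesk|active ?directory)", re.I)),
]


def categorize(path):
    """Return the first matching category name, or 'other'."""
    for name, rx in CATEGORY_RULES:
        if rx.search(path):
            return name
    return "other"


def summarize(manifest):
    """Return {category: {"files": n, "bytes": b, "pct_bytes": p}} for a manifest."""
    totals = defaultdict(lambda: {"files": 0, "bytes": 0})
    grand = 0
    for path, size in manifest:
        cat = categorize(path)
        totals[cat]["files"] += 1
        totals[cat]["bytes"] += size
        grand += size
    for cat in totals:
        totals[cat]["pct_bytes"] = round(100.0 * totals[cat]["bytes"] / grand, 1) if grand else 0.0
    return dict(totals)


def operational_paths(manifest):
    """The short list a reviewer should actually open first."""
    return [p for p, _ in manifest if categorize(p) == "operational"]


if __name__ == "__main__":
    rows = sorted(summarize(SAMPLE_MANIFEST).items(), key=lambda kv: -kv[1]["bytes"])
    for cat, row in rows:
        print(f"{cat:14s} {row['files']:4d} files {row['bytes']/1e6:8.1f} MB {row['pct_bytes']:5.1f}%")
    print("Operational files to review first:")
    for p in operational_paths(SAMPLE_MANIFEST):
        print("  ", p)
```

The point of running this against the listing rather than the archive is that a percentage split by category and a short list of operational files can be produced in minutes, which is the evidence needed to decide whether a claim such as “they had SCADA access” is even plausible before anyone spends days pulling the full dump.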
South Staffs Water Hack – Initial Conclusions
There’s no question that the breach and resulting data dump were a catastrophic release of South Staffs Water company data. But the initial fear, claims, and amplification by industry were that the water SCADA system had been breached, with Cl0p having full access to critical systems. This was first claimed by Cl0p themselves and then repeated online.
Once word hit Twitter, many news outlets picked up on the FUD (fear, uncertainty, doubt https://synsaber.com/5-tips-to-fight-fud-misinformation-and-disinformation/) and ran with the claim that the water SCADA system had been accessed. The dire potential of this supposed access was further expounded upon by commentary on the current droughts in the UK, and US analysts made the leap to US water infrastructure and the Oldsmar attack.
Lost in all of this were the communications from South Staffs Water itself stating that “This incident has not affected our ability to supply safe water,” perhaps a cryptic message that neither explicitly confirmed nor denied the extent of the breach.
Take note that in the early hours of any breach, details are not necessarily known (but that doesn’t stop outside speculation, of course).
But the damage was done, so to speak. Numerous media reports were published, and the ICS security community had already made up its mind: this was a full breach not only of IT but of OT assets.
🌶️ A few initial hot takes:
SCADA system access and potential impacts
“From the screenshots, it appears that the attackers had comprehensive access to the SCADA master station responsible for multiple sites, including water distribution and treatment processes (UV, membrane filtration, etc.)”
Reviewing Evidence of a Cyber Attack
“It is my opinion that the CL0P truly did get a controlling foothold inside of South Staffs Water OPUS control system. However, in this case, the attackers considered themselves Hacktivists, wanting to highlight a weakness instead of causing them direct harm.”
So how did opinions on the breach come so quickly without the full evidence of data released? What is the process by which one could even determine an outcome one way or another?
Part 2 of our objective look at the South Staffs Water evidence will dive into methodologies on how to validate information for yourself, the benefits of demystifying these methods, and the conclusions we can draw from our own analysis.