South Staffordshire PLC, parent company of South Staffs Water, a small independent utility that supplies water to 1.6 million customers, including 35,000 businesses, in central England was hit by a cyber attack in mid-August. Shortly after the attack, on August 15th, 2022 South Staffs Water released a statement confirming the attack and stating that the water supply was not compromised and the incident, "has not affected our ability to supply safe water.”

The group taking responsibility for the attack is a ransomware gang named CL0P. They published the following statement on their Darknet site CL0P^_-LEAKS. (ed note - spelling and grammar errors are directly from CL0P)

“Thames Water supply much of critical water services to people and companies. This company is public and this mean not only they bring water and sewage services to millions of people they also allow many people and company to invest with their stock offering. Companies like this have much responsibility and we contact them and tell them that they have very bad holes in their systems. ALL SYSTEMS.

We spent months in the company system and saw first hand evidence of very bad practice. This company is all for money and not deliver reliable service. It is better to save one pound so management can make bonuses and stock price do well. They lost way when only concentration on finance.

Cl0p is not political organization and we do not attack critical infrastructure or health organizations. We decide that we do not encrypt this company, but we show them that we have access to more of 5TB of data. Every system including SCADA and these system which control chemicals in water. If you are shocked it is good.

We contact company and say we expect money to provide information on what and how and when so they can fix. They are not interested to fix. These people who are customers of this company, you need to think many time before you can use their service. Do not be afraid from us. We do nothing. But other group who will try are not will be as honest as we.

When negotiator for company come online we saw they only interest in buying time. They also start offering very low amount what show very simple that they are not putting right value on quality of service they provide. It would be easy to change chemical composition for their water but it is important to note we are not interested in causing harm to people. But if company choose not to pay they will just play game of media and publicity and we all know their word has no truth. Anything they do to save face but after behind close door nothing change.

So take this joke of price you offer and keep it for you bonuses. Client of this company change where you get you water, if we can break in so can other group and they will cause damage because are only honest true to word group in this business.

We invite media to contact us and we provide scoop to you about this company and some interesting facts about dishonest behaviour. Government contract who should not be and bad process to make water safe for drink. People unite and sue this company. If you are sick in past, and you a client, may be that company did this. Soon all information will all be publish to show this malpractice.

 Sell all stock before collapse.

Hold your institution liable. Hold your people to higher standard. We are Cl0p. If you do wrong we find you and help you fix or make you fix. Decision is your.’

The attackers later retracted the original statement, and reissued it with the name changed from Thames Water supply to South-Staffs-Water.

Reviewing Evidence of a Cyber Attack

Let’s delve into the materials posted after the attack and see what we can learn about Cl0P and their methods.

First, let’s look specifically at the screen shots of the OPUS Software PC6-SQL Master Station SCADA system, which is used by the facility. It’s clearly evident from the screen shot that this is the Seedy Mill Water Treatment Works near Lichfield, England. By examining available Open Source Intel we can further gather additional information about the facility.

There is a main and hot-standby OPUS PC6-SQL SCADA Master station with between six and eight local and remote graphic workstation users. Overall, Speedy Mills controls 152 stations and 11,800 measurement points. The Telemetry/SCADA system has been upgraded with 70 Remote Terminal Units (RTUs) that are running embedded PC technology that can act as a combined RTU, data filter, data logger and Human Machine Interface (HMI). Below is a screenshot taken from the ‘clients’ section of the OPUS software website.

Opus Software Details

This in itself doesn’t necessarily reveal a looming threat but it does shed light on the validity and viability of CL0P’s claims. However, there is additional evidence to review.

In one news article about the event, an industry researcher noted that the threat actors provided a “view only” mode with the following screenshots:

Screenshots posted by the South Staffs Hackers

Screenshots posted by South Staffs Hackers

 

These screenshots wouldn’t warrant a loss of control for the water treatment system. The above screenshots presented are taken from the OPUS Software’s Advanced Graphic Workstation. Here is the company’s definition of that piece of software.

Advanced Graphic Workstations

All Opus systems, including RTUs, can be upgraded to support practically any size of database and any number of workstation users. The full-graphic workstation user options are available to provide support for integrated HMI displays, remote HMI displays, and local or remote operator workstations. These user options supplement the unlicensed Local and Remote Admin time-limited non-mimic interfaces that are provided free of charge and used for system administration, configuration and fault diagnosis.

As you can see in the screenshots, the current active user is logged into the Advanced Graphic Workstation. From there, they could gain access to the manual controls for the Clean-In-Place (CIP) system. CIP is a process that enables the cleaning of interior surfaces of pipes, vessels, and other equipment without having to disassemble it first. The process introduces chemicals into the backwash process or allows access to Sodium Hypochlorite (aka bleach, NaOCl), a solution made from reacting chlorine and sodium hydroxide, and used as a disinfectant in the water treatment system, and for other very key processes inside the system.

Advanced Graphic Workstation screenshot

Furthermore to highlight the compromised systems, CLoP posted a list of credentials that were discovered inside the environment. It is notable that the same username and passwords are present multiple times, and that not practicing good cyber hygiene can lead to simple credential reuse attacks. The passwords have been redacted in the screenshot below.

Credentials posted by CL0P

It is my opinion that CL0P truly did get a controlling foothold inside of South Staffs Water OPUS control system. However, in this case, the attackers considered themselves Hacktivists, wanting to highlight a weakness instead of causing direct harm. Therefore, they chose not to take negative actions such as adding dangerous chemicals to the water supply, or shutting down the treatment plant altogether, that would impact the quality of water being consumed by millions of British citizens. Keep in mind that had they decided to, the attackers could have caused tremendous physical and financial damage, including loss of life.

Preventing The Next Attack

Introducing a network monitoring system such as SCADAfence into a water treatment facility can aid in the early detection of threat actors posing as authorized users who are attempting to connect to multiple systems outside normal operational and business hours. Furthermore a real-time network monitoring system with deep process intelligence would be able to determine if and when credential reuse was taking place and increasing the risk of the associated workstations.

To learn more about how the SCADAfence Platform can protect your OT network request a demo today.