UK utility Southern Water, which serves customers in East Sussex, Hampshire, the Isle of Wight, Kent and West Sussex, has confirmed it is probing a major cyber incident after the Black Basta ransomware syndicate claimed to have accessed its systems.
The Black Basta crew posted limited details of its supposed intrusion on its Tor leak site on 22 January. Computer Weekly understands it has given its victim until 29 January to respond.
In a statement posted online, a Southern Water spokesperson said: “We are aware of a claim by cyber criminals that data has been stolen from some of our IT systems.
“We had previously detected suspicious activity, and had launched an investigation, led by independent cyber security specialists,” they said. “Since then, a limited amount of data has been published. However, at this point, there is no evidence that our customer relationships or financial systems have been affected. Our services are not impacted and are operating normally.”
The spokesperson added: “We have informed the government, our regulators and the Information Commissioner’s Office; and we are closely following the advice of the National Cyber Security Centre (NCSC) as our investigation continues.
“If, through the investigation, we establish that customers’ or employees’ data has been stolen, we will ensure they are notified, in accordance with our obligations.”
At this stage, little is known about how the intrusion began, or the extent of the resulting data breach, although information is circulating online that suggests the gang has made off with about 750GB of data, including some customer information. Some of the stolen data offered up as proof by the gang also supposedly names Southern Water’s parent organisation, Greensands, suggesting a wider breach may be unfolding. Southern Water has not verified or commented on any of these claims.
Fortunately for Southern Water’s customers, the attack does not appear to have disrupted the organisation’s IT systems to the point that its service provision has been affected, a small mercy given the utility is still dealing with the consequences of two winter storms that recently hit southern England.
“Although Southern Water is aware of and investigating the breach, by the time an attack is detected, it’s often too late,” said Trevor Dearing, Illumio director of critical infrastructure. “Attackers are spending more and more time in organisations’ networks to build a picture before launching an attack, so organisations must assume the bad guys are already in and make it harder for them to move across resources and environments.
“On this occasion, it seems like the goal was data exfiltration rather than causing maximum disruption,” he said. “While this is undoubtedly concerning for customers, the outcome could have been much worse. For example, the attack in Florida where the chemical content in the water was adjusted, or the attack last month in Ireland which caused water outages for hundreds of households. Attackers will do whatever they can to get the quickest payout, so operators must prioritise security strategies like zero-trust that can reduce the risk and impact of attacks.”
WithSecure cyber threat intelligence head Tim West added: “The primary focus when securing the water sector is operational resilience, ensuring that the water supplies that millions of people rely on are safe and reliable. While there have been hacktivist attacks on the water sector in recent months, many financially motivated actors have intentionally avoided interfering with critical national infrastructure such as water supplies, so as not to draw too much attention from law enforcement.
“However, water companies also hold huge amounts of PII which not only has value on the dark web, but is excellent leverage for cyber attackers when demanding a ransom,” he said.
“The water industry is becoming a regular target for ransomware actors, with both the US CISA and UK NCSC warning about the threat. Therefore, it’s essential organisations invest in applying security best practice wherever possible to protect their services and their customers.”
Who are Black Basta?
Black Basta was behind the 2023 attack on Capita, the consequences of which are still being felt, and has netted over $100m in ransoms during its lifetime, according to a late-2023 report from cyber insurers Corvus.
The report, produced jointly with blockchain analytics specialist Elliptic, explored how gangs such as Black Basta use complicated networks of crypto wallets to launder their ill-gotten gains, and revealed the gang has hit over 300 organisations since it emerged, of which about 35% have paid ransoms of up to $9m, with the average pay-off being about $1.2m.
The report also firmed up previously speculative links between Black Basta and Conti, which shut down amid internet drama after an apparent internal schism over Russia’s attack on Ukraine.
“Black Basta are what is known as a multi-point of extortion ransomware group, and their typical modus operandi is to break into a network, steal sensitive information, then encrypt as many files on the network as possible,” said WithSecure’s West.
“They then demand a ransom in order to unencrypt the files, with the additional threat that they will publicly leak or sell the stolen data if the ransom is not paid by their deadline.”
Although Black Basta is a smaller group by some standards, West said its profitability, as highlighted by Corvus and Elliptic, showed how effective ransomware can be when victims pay up, a practice that, as is constantly being reinforced, runs contrary to all accepted advice on the matter.
Read more about security for utilities and CNI
- A lack of ransomware planning and preparedness at the highest levels of government is leaving UK operators of critical national infrastructure dangerously exposed, according to a Joint Committee report.
- When it comes to addressing the trust deficit in CNI, technological advancements, evolving threats, inadequate regulations, insufficient investment, public awareness, and international cooperation are all critical components that need attention.
- New Mandiant intelligence reveals how the APT known as Sandworm has been evolving its playbook, twisting legitimate executables known as LoLBins into malicious tools as it seeks to disrupt daily life in Ukraine.