Water giants Veolia and Southern Water hit by ransomware and breach

In a suspected cyber warfare attack on Western water companies, Veolia North America experienced a ransomware attack, while UK’s Southern Water suffered a data breach. Although the ransomware attacks did not impact water treatment operations, personal information was accessed and leaked in both incidents. The French parent company Veolia operates about 8,500 water facilities globally, while Southern Water is cooperating with the National Cyber Security Centre (NCSC) and promised to notify affected individuals. These attacks highlight the vulnerability of critical infrastructure and the need for better cybersecurity measures.

As part of ongoing cyber warfare against Western water companies, Veolia North America has experienced a ransomware attack coinciding with a suspected Black Basta data breach at Southern Water in the UK. Although the attackers did not access industrial control systems (ICS) responsible for water and wastewater treatment operations, they managed to access personal information in both attacks.

On January 19, 2024, Veolia North America said some systems in the Municipal Water division were hit by ransomware, forcing it to pull some backend systems and servers offline. As a result, some customers experienced delays when using online bill payment systems, causing panic about possible disconnection and fines. However, the company quickly restored the affected systems and reassured its customers they would not be penalized for late payments or charged interest on their bills due to service interruption. Although the ransomware attack did not affect water or wastewater treatment operations, it leaked the personal information of “a limited number of individuals.” Veolia North America has promised to notify and support impacted individuals. It has also launched an investigation with third-party cyber forensics and law enforcement to determine the scope of the incident. The American water and wastewater company has not identified the threat actor, and no group has claimed credit for the ransomware attack.

The Black Basta ransomware group allegedly stole 750 GB of files, including corporate documents and personal information records, from Southern Water in the United Kingdom. The gang threatened to publish the stolen documents unless Southern Water paid a ransom within five days. On January 23, 2024, Southern Water said it was “aware of a claim by cyber criminals” that data was stolen from its systems. The company also disclosed it had “previously detected suspicious activity” on its systems and launched an investigation. However, the Southern Water cyber incident did not disrupt “customer relationships or financial systems” or affect water and wastewater treatment operations. Since the attack, a “limited amount of data” has been published, with screenshots shared by the cybergang suggesting that identity documents collected by the company were compromised during the apparent ransomware attack. Meanwhile, Southern Water has notified the Information Commissioner’s Office (ICO) and is cooperating with the National Cyber Security Centre (NCSC) during the ongoing investigation. The British water company also promised to notify individuals impacted by the data breach.

Several Western water companies have been targeted in ransomware attacks by politically- and financially-motivated cyber gangs. The recent cyber attacks on water companies serve as “a stark reminder that we need to do a better job protecting infrastructure that is critical to the everyday lives of regular people,” said Geoffrey Mattson, CEO of Xage Security. “From foreign adversaries to financially-motivated ransomware gangs, cyber attackers have learned that critical infrastructure is vulnerable due to the use of legacy operational systems that don’t have sufficient native cybersecurity capabilities, and they’re taking full advantage.”

Cyber attacks on water companies have raised eyebrows in Washington, D.C., prompting the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to publish the Cyber Incident Response Guide for Water and Wastewater Sector (WWS) operators. The document aims to assist water companies in preparing for, responding to, and mitigating the impacts of cyber incidents in cooperation with federal authorities. CISA warned that attacks on water companies could have “cascading impacts” on other critical infrastructure sectors, causing widespread effects.
