A company that supplies water to more than 1.5 million people in the UK disclosed it was hit by a cyberattack in an incident security experts said highlighted potentially dangerous vulnerabilities in the country’s critical infrastructure.

South Staffordshire Plc said this week that it was experiencing disruption to its corporate computer network as a result of the incident but that its ability to supply clean water hadn’t been affected.

A Russia-linked ransomware gang known as Cl0p took credit for the attack, after initially misidentifying its victim as Thames Water, a much larger water company that supplies London and surrounding areas. In a statement on a site it maintains on the dark web, Cl0p claimed it stole a large trove of data from the company and had gained access to systems that control the level of chemicals in water. “If you are shocked it is good,” the group stated.

South Staffordshire Plc is the parent company of South Staffs Water and Cambridge Water, which together supply more than 1.5 million people with drinking water in areas surrounding Cambridge, the West Midlands, South Staffordshire, South Derbyshire, North Warwickshire and North Worcestershire, according to the company’s website.

The hackers published screen shots appearing to show that they had gained access to a control system for a water treatment works known as Seedy Mill.

Cybersecurity experts said the breach was alarming but cautioned that it wasn’t clear how deeply the hackers had penetrated the system and whether there may have been controls in place that could have prevented unauthorised tampering with water supplies. In a statement, South Staffs Water credited “robust systems and controls over water supply and quality” in addition to “quick work of our teams” for keeping drinking water safe.
A UK government spokesperson said: “Following extensive engagement with South Staffordshire Plc and the Drinking Water Inspectorate, we are reassured there are no impacts to the continued safe supply of drinking water, and the company is taking all necessary steps to investigate this incident”.

Chris Kubecka, a cybersecurity expert with experience working with industrial control systems, reviewed screen shots published by the hackers and described the incident as “extremely concerning”. The hackers, she said, appeared to have accessed an interface that could be used to control ultraviolet settings, which are used to clean water and kill harmful bacteria that can cause illnesses if consumed. “If they understand the sequence of how to adjust the UV or rinse/wash process, the attackers could cause harm,” she said. “The disinfectant UV process is extremely important.”

Danielle Jablanski, a cybersecurity strategist at Nozomi Networks, said the hackers may have had access only to a “remote viewer software” that could be used to look at certain control systems but not change settings. However, it wasn’t possible to determine whether that was the case from the screen shots the hackers published, she said.

It’s not the first time hackers have targeted water facilities. In February 2021, a hacker accessed water systems in Florida and tried to pump a chemical into the supply. The attempt was thwarted by a worker who detected the changes. The perpetrator in that case hasn’t been publicly identified.

Control systems in water treatment plants are sometimes segmented from internet networks – or “air gapped” – and there are layers of protection built in to prevent unauthorised access and changes, according to Jablanski.

Cl0p typically uses malicious software to encrypt files on computers, and then demands payment to unlock the files.
The group said in its statement on Monday that it had chosen not to encrypt the water company’s computers because it claimed it didn’t attack critical infrastructure or health organisations. But the group alleged it stole some five terabytes of data from the company’s computers and attempted to extort money in return for information about how to “fix” alleged security flaws.

Attacking the water facility is “a big deal” that will likely provoke a strong response from the British government, according to a prominent security researcher known as “the Grugq”. The country’s authorities may not be able to arrest the hackers if they are located in Russia, which has a history of not cooperating with Western cybersecurity investigations. But British intelligence agencies could potentially carry out their own hacking operations and obtain Cl0p’s cryptocurrency holdings, he said.