Ransomwater confusion, does the criminal know who the victim is?

When we say that attribution is always tricky, we are obviously only seeing the half of it. Apparently sometimes even the cybercriminals are not always clear on which company they breached.

Clop ransomware put out a statement that they breached Thames Water when in reality their victim was South Staffs Water. Fortunately nobody was deprived of water due to the incident.

Clop

Ransom.Clop was first seen in February of 2019. Besides encrypting systems, the Clop ransomware also exfiltrates data that will be published on a leak site if the victim refuses to pay the ransom. In February of 2021, ther group made headlines by targeting executives’ systems specifically to find sensitive data.

Hoax or not so much

After becoming aware of some reports, Thames Water made it clear that the whole thing was a hoax as far as they are concerned. It would be a hoax if there wasn’t a real victim of the attack.

On the website of South Staffs Water, we learned that South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, had been the target of a criminal cyberattack. But the incident has not affected their ability to supply safe water. According to the statement, they are experiencing disruption to their corporate IT network and they have teams working to resolve this as quickly as possible. Their customer service teams are operating as usual.

The breach

On their leak site, Clop claims to have spent months inside the company system and noticed many very bad practices. They also said they had contacted the company with information on how to fix the problem. But they never responded. So, after spending months, you contacted the wrong company and they never gave you the time of day? How quaint.

Clop's claims

On their leak site Clop touts their accomplishments and rants about the victim company

Vital infrastructure

While we can joke about the mistaken identity and the following confusion in the media, the incident proves two points. Ransomware gangs do not shy away from attacking vital infrastructure, but you should also know that much of this infrastructure is robust enough to withstand such an attack. 

Clop claims they have not encrypted any files and that they could potentially change the chemical composition of the water, but all they did was exfiltrate 5 TB of data. As we learned from the Malwarebytes podcast with Lesley Carhart the chances of a critical infrastructure “big one” are remarkably slim. In fact, critical infrastructure’s regular disaster planning often leads to practices that can detect, limit, or prevent any wide-reaching cyberattack.

In other words, there are fail-safes in place that should reliably prevent any “chemically altered” water from ever reaching our homes, no matter whether you are a customer of Thames Water or South Staffs Water.

Clop corrects

At this moment, the Clop leak site displays “South-Staffs-water.co.uk,” not Thames Water, so they must have realized their mistake.

Leak site header (partial)

The exfiltrated data contain copies of passports and drivers licenses, a lot of schematics, email addresses, and a list of VM servers combined with login credentials. Certainly not 5TB worth of data, but probably an incentive to get the victim to pay the ransom.

Getting the victim wrong might be a case of miscommunication between the affiliate that compromised the victim and the ransomware operator combined with the poor grasp of English on one or both sides of the operation. Remember that ransomware groups now typically offer their ransomware as a service to other groups that have already infiltrated companies and organizations. By offering these cybercriminal breach teams access to their ransomware, the ransomware developers then get their ransomware into more targets than they could have by themselves, and they take a “cut” of whatever ransom gets paid. 

Importantly, though, misidentifying the victim and starting negotiations about the ransom with the wrong organization could leave the real victim clueless about what happened to them, or more to the point, who is responsible. Luckily it didn’t take too long in this case.

https://blog.malwarebytes.com/feed/