Amid ongoing cyber warfare against Western water companies, Veolia North America has suffered a ransomware attack coinciding with a suspected Black Basta data breach at Southern Water in the UK.
Although the attackers did not access industrial control systems (ICS) responsible for water and wastewater treatment operations, they managed to access personal information in both attacks.
Veolia North America hit by ransomware attack
On January 19, 2024, Veolia North America said some systems in the Municipal Water division were hit by ransomware, forcing it to pull some backend systems and servers offline.
As a result, some customers experienced delays when using online bill payment systems, causing panic about possible disconnection and fines.
However, the company quickly restored the affected systems and reassured its customers they would not be penalized for late payments or charged interest on their bills due to service interruption.
Although the ransomware attack did not affect water or wastewater treatment operations, it leaked the personal information of “a limited number of individuals.”
Veolia North America has promised to notify and support impacted individuals. It has also launched an investigation with third-party cyber forensics specialists and law enforcement to determine the scope of the incident.
The American water and wastewater company has not identified the threat actor, and no group has claimed credit for the ransomware attack.
Globally, the French parent company Veolia operates about 8,500 water facilities, providing drinking water to over 111 million people and employing 213,000 people, with an annual revenue of $46.42 billion (€42.9B).
UK’s Southern Water systems breached
The Black Basta ransomware group allegedly stole 750 GB of files, including corporate documents and personal information records, from Southern Water in the United Kingdom.
The gang threatened to publish the stolen documents unless Southern Water paid a ransom within five days.
On January 23, 2024, Southern Water said it was “aware of a claim by cyber criminals” that data was stolen from its systems. The company also disclosed it had “previously detected suspicious activity” on its systems and launched an investigation.
However, the Southern Water cyber incident did not disrupt “customer relationships or financial systems” or affect water and wastewater treatment operations.
Since the attack, a “limited amount of data” has been published, with screenshots shared by the cybergang suggesting that identity documents collected by the company were compromised during the apparent ransomware attack.
Meanwhile, Southern Water has notified the Information Commissioner’s Office (ICO) and is cooperating with the National Cyber Security Centre (NCSC) during the ongoing investigation. The British water company has also promised to notify individuals impacted by the data breach.
Western water companies are under attack
Several Western water companies have been targeted in ransomware attacks by politically and financially motivated cyber gangs.
The recent cyber attacks on water companies serve as “a stark reminder that we need to do a better job protecting infrastructure that is critical to the everyday lives of regular people,” said Geoffrey Mattson, CEO of Xage Security. “From foreign adversaries to financially-motivated ransomware gangs, cyber attackers have learned that critical infrastructure is vulnerable due to the use of legacy operational systems that don’t have sufficient native cybersecurity capabilities, and they’re taking full advantage.”
In December 2023, an Iranian government-affiliated cyber group, Cyber Av3ngers, shut down an Aliquippa Municipal Water Authority pump supplying Raccoon and Potter townships in Beaver County, Pennsylvania. The attack targeted Israeli-made Unitronics PLCs as part of a broader geopolitical campaign linked to the Middle East conflict between Israel and Palestine.
Similarly, an unauthorized individual attempted to poison water at a treatment plant serving the San Francisco Bay Area in California on January 15, 2021, using a former employee’s TeamViewer account.
In the same period, a similar attack in Oldsmar, Florida, attempted to raise lye levels in the water to dangerous concentrations and poison consumers.
Another ransomware attack on Camrosa Water District in Camarillo, California, in August 2020 encrypted devices and leaked customers’ and employees’ personal information.
Cyber attacks on water companies have raised eyebrows in Washington, D.C., prompting the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to publish a Cyber Incident Response Guide for Water and Wastewater Sector (WWS) operators.
The document aims to assist water companies in preparing for, responding to, and mitigating the impacts of cyber incidents in cooperation with federal authorities.
CISA warned that attacks on water companies could have “cascading impacts” on other critical infrastructure sectors, causing widespread effects.
“One week after the US government released guidance for the water and wastewater sector (WWS) to improve cyber resilience and incident response, Veolia, one of the world’s largest water operators, fell victim to a ransomware attack,” said Nick Tausek, Lead Security Automation Architect at Swimlane, adding that “the timing of this attack reiterates this vulnerability.”
In March 2023, the EPA published minimum cybersecurity requirements for public water systems, which were later withdrawn after opposition from state attorneys general.
According to Tausek, the EPA guidelines “highlighted the need for a preventative security approach to be implemented to combat the vulnerability of this critical infrastructure sector.”
He reiterated the need for water companies to take “the necessary precautions to not only safeguard the sensitive information of customers but also the system operations and water safety.”