A company that supplies water to more than 1.5 million people in the UK disclosed it was hit by a cyber attack in an incident security experts said highlighted potentially dangerous vulnerabilities in the country’s critical infrastructure.

South Staffordshire Plc said on Monday that it was experiencing disruption to its corporate computer network as a result of the incident but that its ability to supply clean water hadn’t been affected.

A Russia-linked ransomware gang known as Cl0p took credit for the attack, after initially misidentifying its victim as Thames Water, a much larger water company that supplies London and surrounding areas.

In a statement on a site it maintains on the dark web, Cl0p claimed it stole a large trove of data from the company and had gained access to systems that control the level of chemicals in water. “If you are shocked it is good,” the group stated.

South Staffordshire Plc is the parent company of South Staffs Water and Cambridge Water, which together supply more than 1.5 million people with drinking water in areas surrounding Cambridge, the West Midlands, South Staffordshire, South Derbyshire, North Warwickshire and North Worcestershire, according to the company’s website.

The hackers published screen shots appearing to show that they had gained access to a control system for a water treatment works known as Seedy Mill. The facility is located outside the city of Lichfield and processes drinking water from boreholes and a nearby reservoir, treating as much as 120 million liters (32 million gallons) of water daily and serving a population of 200,000 people, according to a video published in 2017 by South Staffs Water.

Cybersecurity experts said the breach was alarming but cautioned that it wasn’t clear how deeply the hackers had penetrated the system and whether there may have been controls in place that could have prevented unauthorized tampering with water supplies.

In a statement, South Staffs Water credited “robust systems and controls over water supply and quality” in addition to “quick work of our teams” for keeping drinking water safe. The company didn’t respond to requests for comment on the hackers’ claims.

A UK government spokesperson said the National Cyber Security Centre and Department for Environment, Food & Rural Affairs were liaising closely with South Staffordshire Plc in response to the breach.

“Following extensive engagement with South Staffordshire Plc and the Drinking Water Inspectorate, we are reassured there are no impacts to the continued safe supply of drinking water, and the company is taking all necessary steps to investigate this incident,” the spokesperson said.

Chris Kubecka, a cybersecurity expert with experience working with industrial control systems, reviewed screen shots published by the hackers and described the incident as “extremely concerning.”

The hackers, she said, appeared to have accessed an interface that could be used to control ultraviolet settings, which are used to clean water and kill harmful bacteria that can cause illnesses if consumed.

“If they understand the sequence of how to adjust the UV or rinse/wash process, the attackers could cause harm,” she said. “The disinfectant UV process is extremely important.”

Danielle Jablanski, a cybersecurity strategist at Nozomi Networks, said the hackers may have had access only to a “remote viewer software” that could be used to look at certain control systems but not change settings. However, it wasn’t possible to determine whether that was the case from screen shots the hackers published, she said.

It’s not the first time hackers have targeted water facilities. In February 2021, a hacker accessed water systems in Florida and tried to pump a chemical into the supply. The attempt was thwarted by a worker who detected the changes. The perpetrator in that case hasn’t been publicly identified.

Control systems in water treatment plants are sometimes segmented from Internet networks—or “air gapped”—and there are layers of protection built in to prevent unauthorized access and changes, according to Jablanski. But systems thought to be walled off from the Internet aren’t always completely inaccessible from outside networks, meaning they can potentially be vulnerable to attack. “We would like to think that they are air gapped, but there are always cases where that is not true,” Jablanski said.

In November, an international law enforcement investigation of the Cl0p gang led to a series of police raids in Ukraine. Officers arrested six people after raiding 20 properties, where they seized $185,000 in cash assets, according to Interpol. After a short hiatus following the law enforcement action, the group returned in May and began again targeting dozens of companies with its attacks.

“The fact that the group survived that scrutiny and is still active indicates that the main members were not caught in those raids,” wrote Lior Div, chief executive officer of the cybersecurity firm Cybereason Inc. in an article published in December. “They are most likely based in Russia, which has a history of tacitly supporting cybercriminals with state-condoned and state-ignored attacks.”

Cl0p typically uses malicious software to encrypt files on computers and then demands payment to unlock the files. The group said in its statement on Monday that it had chosen not to encrypt the water company’s computers because it claimed it didn’t attack critical infrastructure or health organizations. But the group alleged it stole some five terabytes of data from the company’s computers and attempted to extort money in return for information about how to “fix” alleged security flaws.

Attacking the water facility is “a big deal” that will likely provoke a strong response from the British government, according to a prominent security researcher known as “the Grugq.” The country’s authorities may not be able to arrest the hackers if they are located in Russia, which has a history of not cooperating with Western cybersecurity investigations. But British intelligence agencies could potentially carry out their own hacking operations and obtain Cl0p’s cryptocurrency holdings, he said. “They could cost them money and disrupt the group. I think that would have some impact.”

Photograph: Green light illuminates the keyboard of a laptop computer as a man enters the data using the computer keyboard in this arranged photograph in London, UK, on Wednesday, Dec. 23, 2015. Photo credit: Chris Ratcliffe/Bloomberg