Ransomware disrupts utilities, infrastructure in January

Ransomware disrupted important U.S.-based utilities and services organizations in January, including a municipal water treatment organization, which is a sector that's become a growing target for attackers.

The persistent ransomware threat continued last month following what many cybersecurity vendors and threat reports called a record year for ransomware in 2023. New victims emerged last month, but many of the targeted sectors and industries remained consistent from last year.

Throughout January, ransomware impeded operations for victims in the government and critical infrastructure sectors, including water and wastewater treatment services. Last month, CISA published an incident response guide for water utilities warning that attacks "could cause cascading impacts across critical infrastructure." The guide also confirmed that the sector has already been hit by ransomware in recent years.

On Jan. 19, Boston-based Veolia North America disclosed that ransomware had hit its municipal water division the previous week, affecting "some software applications and systems." In response to the attack, Veolia took its internal back-end systems offline, which disrupted customer access to the billing system. The water utilities company operates in 550 communities across North America.

As of Jan. 19, Veolia said there was "no evidence" that the attack affected its water or wastewater treatment operations. However, the company said the personal information of a "limited number of individuals" was stolen. An investigation into the attack remains ongoing, and the incident forced Veolia to reexamine its cybersecurity posture.

"We are partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident and to examine additional measures we can take to help prevent incidents of this kind in the future. We are putting our full resources behind these efforts," Veolia wrote in the statement.

There were more public sector utilities and services disrupted last month. A ransomware attack on Jan. 21 against Bucks County in Pennsylvania temporarily disrupted the county's emergency communications database. The Akira ransomware group claimed responsibility for the attack, which rendered Bucks County's computer-aided dispatch (CAD) system inoperable for nine days. Law enforcement agencies, the fire department and ambulance services use the tool to record incident data, but the attack forced them to revert to pen and paper. Around 650,000 residents live in Bucks County and were able to make 911 calls despite the attack, but fallout was still substantial.

On Feb. 7, the Bucks County Board of Commissioners approved contracts with cybersecurity forensic and legal firms and issued a Declaration of Disaster Emergency to help with restoration efforts. While CAD is now functional, the Board of Commissioners said the system requires additional rebuilding.

"The County did not engage in negotiations with those claiming responsibility for the attack, nor did it pay any ransom to restore functionality to its systems. Rather, the County's IT and Emergency Communications departments' meticulous cyber maintenance and backup practices were key to the system's quick restoration," Bucks County wrote in the statement.

The Medusa ransomware group, which was highly active throughout 2023, claimed responsibility for an attack against the Kansas City Area Transportation Authority (KCATA) that occurred on Jan. 23. KCATA disclosed the attack on Jan. 24 and confirmed that it disrupted the regional RideKC call centers and landline service. However, transportation services remained operational. Customers looking to schedule a trip were redirected to new phone numbers while KCATA worked "around the clock" to restore systems. KCATA engaged the FBI and security professionals following the ransomware attack.

Medusa's public data leak site also listed Denver-based nonprofit Water for People, which provides drinking water and sanitation services to communities in nine countries around the world. A Water for People spokesperson told cybersecurity news outlet The Record that the affected data predated 2021, and more importantly, the attack did not disrupt business operations.

U.S. government agencies have issued multiple advisories of increasing threats against critical infrastructure organizations. Earlier this month, CISA, the National Security Agency and the FBI warned that a Chinese nation-state threat actor known as Volt Typhoon had compromised organizations in the communications, energy, transportation systems, and water and wastewater sectors. U.S. agencies also confirmed that the threat actor has been hiding in some victims' IT environments for at least five years to maintain access in preparation for any major conflict that could arise with the U.S.