A ransomware attack last week hit the North American operations of massive water and wastewater systems operator Veolia, illustrating the ongoing threat to the critical infrastructure sector by cybercrime groups.

Veolia officials said in a note this week that the attack affected software and systems in their North America Municipal Water division. They also wrote that the personal information of “a limited number of individuals” also may have been impacted, though they didn’t say whether those affected were customers, Veolia employees, or partners.

“In response to this incident, we implemented defensive measures, including taking the targeted back-end systems and servers offline until they could be restored,” they wrote.

The attack by the ransomware group was confined to Veolia North America’s internal back-end systems and doesn’t seem to have affected its water or wastewater treatment operations. That said, some customers saw delays when trying to use the company’s online bill payment systems.

“Those systems are working normally again,” the officials wrote. “Any payments made during this event have been applied, and customer accounts should reflect the most updated information. Customers will not be penalized for late payments or charged interest on their bills due to this service interruption.”

No threat group has claimed responsibility for the attack.

Water Systems in the Crosshairs

The attack on Veolia North America comes around the same time that several U.S. federal agencies released guidelines to help water and wastewater system operators in the country better respond to cyberattacks and as Southern Water, a major operator in the UK, said it was attacked by the Black Basta ransomware group.

It’s also part of a larger trend of cybercriminals targeting water and wastewater companies, which includes the attack in November 2023 by the Iranian-backed Cyber Av3ngers ransomware gang on the Aliquippa municipal water system in Pennsylvania.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) for several years has been warning about the focus threat groups are putting on water systems, one of 16 sectors the Biden Administration listed in its efforts to protect the country’s critical infrastructure from cyberattacks.

“The Water and Wastewater Systems sector is under constant threat from malicious cyber actors,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a statement when unveiling the security guidance that was developed by CISA, the Environmental Protection Agency, and the FBI. “In the new year, CISA will continue to focus on taking every action possible to support ‘target-rich, cyber-poor’ entities like WWS utilities by providing actionable resources and encouraging all organizations to report cyber incidents.”

A Unique Sector

In a blog post in December 2023, Kaja Ciglic, senior director of digital diplomacy at Microsoft, wrote that the water sector is a unique critical infrastructure sector because it comprises more than 100,000 public and private utilities, with the differences in sizes of these utilities leading to disparate levels of cybersecurity readiness.

“This leaves the sector especially vulnerable to cyberattacks,” Ciglic wrote, pointing to a Microsoft report about the issue. “Regardless of the size of the utility, cyberattacks that disrupt water services can have a damaging and cascading impact on things like access to safe and reliable drinking water and sewage management, as well as on other critical infrastructure sectors that rely on uninterrupted access to water in their operations, like hospitals and the energy sector.”

They also hold massive amounts of sensitive customer information, making them even more attractive targets.

Geopolitics in Play

The attacks on water systems are a growing concern. CISA – along with the FBI and National Security Agency (NSA), EPA, and Israel National Cyber Directorate in December 2023 issued an advisory warning that advanced persistent threat (APT) groups backed by Iran’s Islamic Revolutionary Guard – and Cyber Av3ngers in particular – were compromising programmable logic controllers (PLCs) made by Israeli company Unitronics that not only are widely used by water systems but also in other industries, including energy, healthcare, and food manufacturing.

The pro-Palestinian Cyber Av3ngers took responsibility for the attack of Aliquippa’s Municipal Water Authority, taking control of systems that monitor water pressure in nearby towns. While the drinking water wasn’t threatened, the systems were taken offline for a while.

In the attack on Southern Water in the UK, Black Basta reportedly posted some of the data it stole, including such personal information of customers as dates of birth and home and email addresses, on its leak site. Southern Water has about 2.5 million water customers and 4.7 million wastewater customers.

Veolia North America runs water systems throughout the United States and Canada and in the third quarter last year reported more than $2.7 billion in revenue.

In its note to customers, Veolia said that once it detected the attack, it scrambled its IT and security incident response teams. In addition, the company said it is working with law enforcement and third parties to investigate the attack.

“We are partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident and to examine additional measures we can take to help prevent incidents of this kind in the future,” the officials wrote. “We are putting our full resources behind these efforts.”