UK Cybercrime Journal: Inside the Cl0p attack on South Staffs Water
What Happened:
On 11 May 2026, the UK Information Commissioner’s Office (ICO) fined South Staffordshire Water £963,900 after the Cl0p ransomware group sat undetected in its network for nearly two years. Initial access reportedly came via a malicious phishing email in September 2020, which dropped Cl0p’s Get2Loader malware and SDBBOT backdoor to establish persistence. The breach was only discovered in July 2022, when staff began investigating IT performance slowdowns. South Staffs Water ultimately established that 4.1 terabytes of data had been exfiltrated, and the personal data of 633,887 customers and employees was published on Cl0p’s Tor data leak site in August 2022.
The ICO’s investigation also revealed a staggering list of systemic failures. South Staffs Water’s outsourced Security Operations Center (SOC) was blind to 95% of the network, and no internal or external vulnerability scans were run over an 18-month window. At the time of the attack the company was still running Windows Server 2003 machines long after extended support ended, and two of its domain controllers were left completely unpatched against ZeroLogon (CVE-2020-1472), a critical, trivially exploitable Netlogon flaw that Microsoft had patched in August 2020 and that was still open when the intrusion was finally discovered two years later.
Analyst Comment:
This case is a sobering look at the technical debt hiding inside the UK’s Critical National Infrastructure (CNI). A dwell time of nearly two years is far outside the norm for modern ransomware operations, and the TTPs used by the adversary point to a total breakdown of defences. Cl0p did not need state-sponsored tradecraft or zero-days to pull this off: a phishing-delivered loader and a commodity backdoor went unnoticed for two years, and the group simply kept using the access it already had.
The ICO’s findings also reflect a wider reality: many UK organisations still treat cybersecurity as a set-and-forget compliance exercise rather than an ongoing effort to patch and upgrade systems and to proactively hunt for threats already inside the network.
Defensive Takeaways:
- Audit Your Outsourced SOC: As this incident shows, never assume a third-party security provider sees everything or is doing everything right. Establish regular audits that verify endpoint telemetry and logs from the entire estate are actively ingested, retained, and monitored in the agreed platform, and reconcile what the SOC actually receives against your own asset inventory so that blind spots surface before an attacker finds them.
- Harden Your Crown Jewels Against Old Flaws: Ensure Active Directory and domain controllers are closely monitored and first in line for critical patches. Vulnerabilities like ZeroLogon remain a ransomware operator’s favourite route to fast lateral movement and escalation to Domain Admin, and Cl0p is one of many groups documented exploiting it.
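The two takeaways above boil down to one recurring check: compare what the SOC actually receives against what you own, and make sure the domain controllers are both visible and in Netlogon enforcement. The following script is an added example written for this post, not code from the ICO notice, from South Staffs Water or from any of the linked sources. The asset inventory, SIEM heartbeat timestamps and domain controller event records are all constructed; in practice the inventory would come from an AD or CMDB export and the heartbeats from your SIEM or EDR console. The Netlogon event IDs (5827/5828 = vulnerable connection denied, 5829 = vulnerable connection allowed) are the real ones Microsoft introduced with the August 2020 CVE-2020-1472 update.

```python
"""Telemetry coverage audit plus DC Netlogon posture check (added example).

All data below is constructed for illustration; hostnames are not real.
"""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory (in reality: Get-ADComputer / CMDB export).
INVENTORY = [
    {"host": "DC01", "role": "domain_controller", "os": "Windows Server 2019"},
    {"host": "DC02", "role": "domain_controller", "os": "Windows Server 2012 R2"},
    {"host": "FILE01", "role": "file_server", "os": "Windows Server 2003"},
    {"host": "WKS-101", "role": "workstation", "os": "Windows 10"},
    {"host": "WKS-102", "role": "workstation", "os": "Windows 10"},
    {"host": "HMI-01", "role": "control_system", "os": "Windows 7"},
]

# Constructed SIEM heartbeat: last time each host shipped any log line.
NOW = datetime(2022, 7, 1, 12, 0, tzinfo=timezone.utc)
SIEM_LAST_SEEN = {
    "DC01": NOW - timedelta(minutes=5),
    "WKS-101": NOW - timedelta(hours=2),
    "FILE01": NOW - timedelta(days=40),  # agent died, nobody noticed
}

# Constructed System-log records from the DCs. Event 5829 means the DC
# ALLOWED a vulnerable Netlogon secure channel, i.e. it is not enforcing.
# Caveat: a DC that never received the August 2020 update logs none of
# 5827-5831 at all, so silence here is not evidence of safety.
NETLOGON_EVENTS = [
    {"host": "DC01", "event_id": 5827, "account": "WKS-102$"},
    {"host": "DC02", "event_id": 5829, "account": "HMI-01$"},
    {"host": "DC02", "event_id": 5829, "account": "FILE01$"},
]

STALE_AFTER = timedelta(hours=24)  # assumed SLA: every host logs daily


def coverage_report(inventory, last_seen, now, stale_after=STALE_AFTER):
    """Return (coverage percent, blind hosts).

    A host is blind if the SIEM has never seen it or its last log line is
    older than stale_after. Stale agents are the quiet failure mode.
    """
    blind = []
    for asset in inventory:
        seen = last_seen.get(asset["host"])
        if seen is None:
            blind.append((asset["host"], asset["role"], "never reported"))
        elif now - seen > stale_after:
            blind.append((asset["host"], asset["role"], f"stale {(now - seen).days}d"))
    covered = len(inventory) - len(blind)
    pct = round(100.0 * covered / len(inventory), 1) if inventory else 0.0
    return pct, blind


def netlogon_exposure(events):
    """Map each DC that logged 5829 to the machine accounts it let through."""
    exposed = {}
    for ev in events:
        if ev["event_id"] == 5829:
            exposed.setdefault(ev["host"], set()).add(ev["account"])
    return exposed


def audit(inventory=INVENTORY, last_seen=SIEM_LAST_SEEN, events=NETLOGON_EVENTS, now=NOW):
    """Combine both checks into severity-tagged findings; blind DCs are critical."""
    pct, blind = coverage_report(inventory, last_seen, now)
    findings = []
    for host, role, why in blind:
        sev = "CRITICAL" if role == "domain_controller" else "HIGH"
        findings.append(f"{sev}: {host} ({role}) not in SIEM: {why}")
    for dc, accounts in sorted(netlogon_exposure(events).items()):
        findings.append(
            f"CRITICAL: {dc} not enforcing secure Netlogon; vulnerable RPC allowed "
            f"from {', '.join(sorted(accounts))}"
        )
    return pct, findings


if __name__ == "__main__":
    pct, findings = audit()
    print(f"SOC coverage: {pct}% of inventory")
    for f in findings:
        print(" -", f)
```

Run against your own exports, the useful numbers are the coverage percentage over time (a SOC contract should define what it must be) and the list of hosts marked stale rather than never seen, because those are machines everyone believes are monitored. Treat a DC with no Netlogon events at all as unverified, not clean: confirm its patch level directly rather than inferring it from the absence of 5827-5829.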
Relevant Sources:
- https://ico.org.uk/media2/xdrfahsw/south-staffordshire-plc-and-south-staffordshire-water-plc-monetary-penalty-notice.pdf
- https://therecord.media/uk-water-company-had-hackers-lurking-for-years
- https://www.bleepingcomputer.com/news/security/uk-fines-water-supplier-13m-for-exposing-data-of-664k-customers/
- https://www.theregister.com/cyber-crime/2026/05/11/ico-fines-south-staffordshire-963k-over-2022-breach/5237875
- https://www.theregister.com/security/2022/08/18/ransomware-attack-on-a-uk-water-company-clouded-by-confusion/1394557
Relevant CTI Resources:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.clop
- https://malpedia.caad.fkie.fraunhofer.de/details/win.get2
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot
- https://www.crowdstrike.com/en-us/blog/cve-2020-1472-zerologon-security-advisory/
- https://github.com/BushidoUK/Ransomware-Vulnerability-Matrix/blob/main/GroupProfiles/Clop.md
- https://www.ransomware.live/group/clop
