Italian water supplier serving 500,000 people hit with ransomware attack

An Italian company that provides drinking water to nearly half a million people is experiencing some technical disruptions following a ransomware attack.

Alto Calore Servizi SpA runs the collection, supply and distribution of drinking water for 125 municipalities Avellino and Benevento — two provinces in southern Italy. The government-run company also manages sewage and purification services for both provinces.

The company manages 58 million cubic meters of water a year. But on Friday, the company said a recent hack rendered all of their IT systems unusable.

“It will not be possible to carry out any operations or provide information that requires querying the database,” the company said.

“The restoration of the system will be related through press bodies. We apologize for the outage.”

The organization did not respond to requests for comment about whether customers are impacted by the incident, but it appears the distribution of water is not affected by the attack.

On Tuesday, the Medusa ransomware group took credit for the attack and said they were giving the water company seven days to pay a ransom. Medusa provided samples of the data it stole and, like with other victims, offered them several options: pay $10,000 to extend the ransom deadline one day or $100,000 to delete all of the data taken.

The group said it took customer data, contracts, minutes from board meetings, reports, pipe distribution information, expansion documents and more.

The company did not respond to requests for comment about when systems may be restored or if a ransom would be paid.

Italy’s public service organizations have faced off against ransomware gangs several times in the last year. The country’s tax agency was attacked by the LockBit ransomware group in July 2022 and the Italian energy agency that runs the country’s electricity market was attacked in September 2022.

Two of the country’s biggest energy companies, Eni and Gestore dei Servizi Energetici, also dealt with ransomware attacks last year. Ransomware groups even targeted one of the country’s COVID-19 vaccine portals in 2021.

Concerns have been raised globally about attacks on water suppliers following a string of incidents in several countries. South Staffordshire Water, which supplies water for more than 1.7 million people in England, was severely damaged by a ransomware attack in August 2022 while several water suppliers across the U.S. have dealt with ransomware incidents.

Several officials at the U.S. Environmental Protection Agency (EPA) said in March that ransomware has become a significant concern due to an increase in attacks, which included incidents that “shut down critical treatment processes, locked up control system networks behind ransomware, and disabled communications used to monitor and control distribution system infrastructure like pumping stations.”

U.S. law enforcement agencies said ransomware gangs hit five U.S. water and wastewater treatment facilities from 2019 to 2021 — and those figures did not include three other widely-reported cyberattacks on water utilities.

The EPA passed new rules this year mandating cybersecurity assessments be included as part of state audits of public water systems. But the rules are now facing lawsuits from attorneys general in Iowa, Arkansas and Missouri who claim the cybersecurity improvements needed to pass the assessments would be too costly for suppliers, who plan to pass the costs on to customers.