
Cyber Incident Victim: Alto Calore Servizi S.p.A.

Date: Apr 2023

Location: Italy

Summary

A ransomware attack rendered the IT systems of Italian water supplier Alto Calore Servizi unusable, disrupting its operations for numerous municipalities. The Medusa group claimed responsibility, demanding a ransom and threatening to leak stolen data including customer information, contracts, and technical documents. While water distribution itself was reportedly unaffected, the incident prevented the company from performing database-related operations and providing information.


Description

On or around April 28, 2023, the Italian water utility Alto Calore Servizi SpA publicly disclosed it was experiencing significant technical disruptions following a ransomware attack. The company, which is responsible for the collection, supply, and distribution of drinking water for 125 municipalities across the Avellino and Benevento provinces in southern Italy, also manages sewage and purification services for the region. The attack rendered all of the company's IT systems unusable. An official statement from the organization announced that it would not be possible to carry out any operations or provide information that required querying its database. The company communicated that updates on the restoration of its systems would be provided through press outlets and apologized for the outage. Initial indications were that the core distribution of water to its customer base of nearly 500,000 people was not directly affected by the incident, though the full operational impact of the IT system failure was not immediately detailed.

The Medusa ransomware group claimed responsibility for the attack on Tuesday, following the company's Friday disclosure. The group issued a ransom demand, giving the water company a seven-day deadline to pay. Medusa presented Alto Calore Servizi with several payment options: paying $10,000 would extend the ransom deadline by one additional day, while paying $100,000 would result in the deletion of all the data the group claimed to have stolen. To substantiate their claim, the ransomware group provided samples of the exfiltrated data. The data allegedly stolen included a wide array of sensitive company information, such as customer data, contracts, minutes from board meetings, various reports, pipe distribution information, and expansion documents. The company did not respond to requests for comment regarding whether it intended to pay the ransom or when its systems were expected to be restored.

This incident against a critical public service provider in Italy was part of a broader pattern of attacks targeting the country's infrastructure. In the year preceding the attack on Alto Calore Servizi, Italy's tax agency was attacked by the LockBit ransomware group in July 2022. Shortly thereafter, in September 2022, the Italian energy agency responsible for managing the country's electricity market was also hit by a ransomware attack. Furthermore, two of Italy's largest energy companies, Eni and Gestore dei Servizi Energetici, dealt with ransomware incidents during the previous year. This trend extended back to 2021 when ransomware groups targeted one of the country's COVID-19 vaccine portals, demonstrating a persistent focus on high-impact public sector and essential service targets.

The attack on Alto Calore Servizi also aligned with a global increase in cyber incidents targeting water and wastewater systems. In August 2022, South Staffordshire Water in England, which supplies water to more than 1.7 million people, was severely damaged by a ransomware attack. Multiple water suppliers across the United States have also dealt with ransomware incidents. U.S. law enforcement agencies reported that ransomware gangs had successfully compromised five U.S. water and wastewater treatment facilities between 2019 and 2021, a figure that did not include three other widely publicized cyberattacks on water utilities. Officials from the U.S. Environmental Protection Agency (EPA) stated in March 2023 that ransomware had become a significant concern due to a marked increase in attacks. These incidents included attacks that shut down critical treatment processes, locked up control system networks with ransomware, and disabled communications infrastructure used to monitor and control distribution systems, such as pumping stations.

In response to this growing threat, the U.S. EPA passed new rules in 2023 mandating that cybersecurity assessments be included as part of the regular state audits of public water systems. However, this regulatory action faced legal challenges from the attorneys general of Iowa, Arkansas, and Missouri. These officials filed lawsuits arguing that the cybersecurity improvements necessary to pass the new assessments would impose excessive costs on water suppliers, who would in turn be forced to pass these costs on to their customers. This legal pushback highlighted the ongoing tension between the imperative to strengthen cybersecurity for critical infrastructure and the financial and operational realities faced by public utility providers. The incident at Alto Calore Servizi served as an international example of the vulnerabilities within the water sector and the disruptive potential of ransomware attacks against essential services that support public health and safety.
