It is not unheard of for ransomware groups to publicly misidentify their victims. We saw such errors from the outset of groups publicly naming and shaming victims and leaking data. DataBreaches reported on a few such cases involving Maze and has reported on other misidentifications in other groups since then.
DataBreaches has occasionally contacted threat groups to ask them which victim they actually attempted to extort — the one that seems to be the source of the data or the one they named on their leak site. In all cases, the threat actors have responded that they did attempt to extort the actual victim but just erred in their leak site listing/attribution. This case may be an exception.
Victim-naming errors on leak sites, if repeated by researchers and analysts on social media, can harm uninvolved entities’ reputations.
Alexander Martin reports on a case involving Cl0p threat actors:
South Staffordshire Water “has been the target of a criminal cyber attack”, the company has confirmed.
In a statement, it stressed it was “still supplying safe water to all of our Cambridge Water and South Staffs Water customers”.
“This is thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis.”
The statement was released after a ransomware group known as Cl0p claimed to have hacked a different water company’s networks.
Read more at Sky News.
According to Bleeping Computer, the data dumped by Cl0p included a document sent to South Staffordshire PLC. In this case, then, the attackers may have attempted to extort the wrong company.
This article was updated post-publication to add Bleeping Computer’s finding.