|
|
|
  
1/19/2026
WT Staff
 Got water questions? Give us a call at 877-52-WATER (877-529-2837), or email us at info@wtny.us
Monday, January 19, 2026 611 pm EST
The leader of Black Basta, a ransomware gang believed responsible for costly attacks on water utilities, has been identified. Europol and Interpol on the lookout for the 35 yr old Russian national
How water utilities will be defending against cyber-attacks in 2026
Whoever said "Crime doesn't pay", clearly wasn't referring to cyber-villainy. Hackers are scoring higher profits every year, according to IBM. The average global data breach in 2024 hit USD $4.88 million, an increase over prior years. In the UK, large water utilities have been struck, paying out higher than the global average for ransomware attacks. Encouraged by record profits, hackers are not slowing down. Analysts at programs.com Cybersecurity training center expect the tally for global cybercrime could make 1.5 trillion for 2025.
What do "Black hats" have in common with "BlackCats"? It's cybercrime, an ongoing concern for National Critical Infrastructure.
Hats here refers to types of hackers; the individuals and gangs plying for (mostly) unauthorized access to government, industry and private data and operational systems, with varying approaches. Black hats are opportunistic. Straight-up robbers, they scan for open ports, break through and snatch records, customer data, or swipe control of the system console. Payment is demanded, to return controls, functions and data to the authorized user. Black hats include ransomware gangs, like BlackCat and Black Basta, notorious for their profitability. Grey hats break in to computer systems for the sheer fun of disrupting operations, demanding no reward beside the bragging rights. White hats are hackers with a different approach. The white hat scans for cracks in the cyber-defenses of the wealthiest companies, claiming and receiving monetary rewards for successful access, along with the fix. DeepStrike is a hacker collective formed in 2016. Their home page claims they have been rewarded millions from Fortune 500 companies for revealing their weak spots. In all cases, the targeted organization will learn from the experience, adapt and mitigate the risk of future attacks.
Bill Toulas is a tech writer/infosec news reporter published in the Bleeping Computer online tech journal with more than a decade of experience covering malware and data breach incidents. Just last week, Jan 16, 2026, Toulas reported police in Germany have identified the leader of the Black Basta ransomware gang. With gang chat records leaked to the public, Ukraine police have identified two more gang members, all are wanted by Europol and Interpol. Black Basta is believed responsible for at least 600 cybercrimes, including ransomware attacks on water utilities and other large organizations globally. One such incident in 2024 cost a UK water utility more than USD $6 million in expenses to resolve and recover controls and data.
According to the FBI, ransomware groups like BlackCat and Black Basta capitalize on captured user credentials (system passwords) to gain access to an organization or institution's computer system or network. "Initial deployment of the malware...disables security features within the victim's network," says an FBI alert on another ransomware attack. The attacks are increasing as the profits in cybercrime increase. Double or multiple ransom is when the attacker ties up the operating system and demands payment to return the controls to the operator at the desk. At the same time, the attacker has acquired sensitive customer records, including payment information and service addresses, further extorting the utility to pay for the return of data, or selling the data to the highest bidder.
National Critical Infrastructure - Zero Trust Environments
Public water systems, like other facilities, increasingly operate with automated systems and software enabling remote access. Manual controls have been replaced by programmable logic controllers, encompassing the entire process from the raw water intake to the pumps that maintain a safe and steady pressure in the distribution mains. The IoT (Internet of Things), equipment and devices connected to each other and to the web, increase efficiency, accuracy and convenience, there is no doubt. At the same time, a continuous web connection leaves the water utility vulnerable. Every component in the modern water plant that can be accessed by a remote operator or tech support agent opens a prospective route of entry to the facility. When that route of access is available at all times, continuous and unmonitored, the facility sits wide open and vulnerable to incursion, as if staff had left the front door standing wide open.
Securing the plant amounts to limiting the windows of access for authorized users, while cutting off opportunities for breach. Diligent IT and OT operators routinely change the default ports and settings on devices connected and operating within the facility, including the monitor in the lunch room and the security cameras in the halls. With a clear sense of the digital field, being mindful that every connected device represents an opening in the facility, the threat vulnerability can be reduced.
Goldilock Secure Ltd. tackles cybercrime with a physical response to a connectivity issue. As Goldilock co-founder Stephen Kines explained in an interview with WT, the just-right cybersecurity solution is a physical response to a digital incursion. Goldilock's patented Firebreak™ technology creates a single digital point of entry to the protected facility.
Kines explains, it works like the drawbridge on a fortress, monitored carefully by snipers when it is open, securing the fortress when it is raised. The device separates equipment and functions in the water plant into zones. When a threat is detected in a particular zone, the Firebreak™ can break connection, digitally isolating the infected zone from the internet and other zones within the fortress/facility. In most cases, even while under a cyber-attack, the water plant can go on operating with no loss of power or function.
Stephen Kines and Tony Hasek have covered a lot of ground together. Canada's Armed Forces sent these men on assignments around the world, where their boots-on-the-ground acts secured facilities from hostile forces. Military experience has indelibly shaped their approach to digital security. Tony invested years and millions of dollars to develop the device. Firebreak™ is a humble black box with ports for plugging in up to 12 connected components. Within the box is a physical circuit breaker, able to take specific connections offline without disrupting the power supply and operations.
The circuit breaker technology has been adopted by York Water in the UK, where ransomware threats are ever present. Goldilock has logged two years supplying NATO, the Firebreak™ technology proving its value in successfully defending Ukraine's energy utilities during Goldilock's watch. A ringing endorsement landed in October 2025, when Firebreak™ beat 7000 competitors' technologies, being named Grand Winner of Singapore's SLINGSHOT 2025. Goldilock is blazing brightly upward with a rapid roll out plan, engaging channel partners to distribute the technology globally.
Cybersecurity, says Kines, is all about minimizing the facility's vulnerability, minimizing the overall risk exposure. For critical operating systems such as public drinking water facilities, this means reducing the total surface area of connected components. This approach requires an examination of the utility or factory's need to be connected. Each component, sensor, camera enabled for the Internet of Things (IoT) should be evaluated for the need to be accessible via the web. If a connection is required for remote access by authorized users, including tech suppliers that need to perform maintenance, these access opportunities can be scheduled. Considering hackers are always scanning for an open and unattended entry point, it is advised to lower the drawbridge only when necessary. As such, Goldilock counsels facilities to limit the exposure timeline, letting the threat detection software do its work, limiting connection time to brief windows.
The Firebreak™ device is controlled independently of the internet. When a breach or an anomaly is detected, the facility operator is alerted on a cell phone. The operator can then signal the Firebreak™ device from the cell phone to execute a "sniper kill switch", says Kines, effectively and immediately disconnecting the infected section from hacker access. "The action is like a keyhole surgery, rather than a full amputation", says Kines. Defensive action is ordered by SMS, text message, immediately isolating critical processes from the reach of a digital attack. The reboot process is just as straightforward. Kines says anyone can install the technology. Goldilock Chief Technical Officer reports his Grandmother installed Firebreak™ in 7 minutes. Not too bad, really. The hackers can't roll with this kind of response.
As a last word, we asked an original 2600 group member and brilliant cybersecurity agent how to keep the water plant safe from hackers.
"Just shut the thing off," he says.
Have you noticed, the developers of all these connected conveniences are the very people we find still using flip phones and paying cash for their coffee? Something to think about.
See the previous WT article, CYBER-SECURE WATER SUPPLY, here.
See the previous WT article, CYBER101 TRAINING FOR CYBER-HYGIENE, here.
What is Malware?
Malware, or "malicious software" is an umbrella term that describes any malicious program or code that is harmful to computers and connected components/systems. Ransomware, spyware, worms, Trojan horses and phishing are forms of malware.
According to Malbytes online,
Malware is "Hostile, intrusive, and intentionally nasty", it "seeks to invade, damage, or disable computers, computer systems, networks, tablets, and mobile devices, often by taking partial control over a device's operations. Like the human flu, it interferes with normal functioning."
Cybersecurity in the USA - NICE
NICE (National Initiative for Cybersecurity Information)
Established in 2008 through the Comprehensive National Cybersecurity Initiative "to make the federal workforce better prepared to handle cybersecurity challenges". In May 2009, the effort was extended to private sector workforce.
The mission of NICE is to energize, promote, and coordinate a robust community working together to advance an integrated ecosystem of cybersecurity education, training, and workforce development. NICE fulfills this mission by coordinating with government, academic, and industry partners to build on existing successful programs, facilitate change and innovation, and bring leadership and vision to increase the number of skilled cybersecurity professionals helping to keep our Nation secure.
Cybersecurity Enhancement Act of 2014 Title IV established "National cybersecurity awareness and education program" led by NIST, formally establishing the NICE office.
See also:
National Security Agency
NSF - National Science Foundation
National Cybersecurity Training and Education Center
NIST National Institute of Standards and Technology
USA CISA Cybersecurity and Infrastructure Security Agency puts out official alerts and statements on ransomware, malware, phishing.
Actions for Organizations to Take Today to Mitigate Cyber Threats Related to Interlock Ransomware Activity
1. Prevent initial access by implementing domain name system (DNS) filtering and web access firewalls, and training users to spot social engineering attempts.
2. Mitigate known vulnerabilities by ensuring operating systems, software, and firmware are patched and up to date.
3. Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization.
4. Implement identity, credential, and access management (ICAM) policies across the organization and then require multifactor authentication (MFA) for all services to the extent possible.
Cybersecurity in Canada
The Canadian Centre for Cyber Security (the Cyber Centre) is part of the Communications Security Establishment Canada. It is the single unified source of expert advice, guidance, services and support on cyber security for Canadians.
Cyber Centre posts alerts, offers guidance and fee-based training programs for individuals, private business and government agencies and institutions.
See Canadian Centre for CyberSecurity, here.
Canadian Anti-Fraud Centre
RCMP National Cybercrime Coordination Centre implements the National Cyber Security Strategy
RCMP and Canadian Police services work with national and international partners to find and apprehend offenders
The Criminal Code of Canada lists the following offences related to cybercrime and Distributed Denial of Service attacks:
- fraudulently obtaining, using, controlling, accessing or intercepting computer systems or functions
- obstructing, interrupting or interfering with the lawful use of computer data or to deny access to computer data to a person who is entitled to access it
- fraudulently obtaining any computer services, intercepting any function of a computer system – directly or indirectly – or using a computer system or computer password with the intent to do either of the offences above
|
|
|
|
All rights reserved 2025 - WTNY - This material may not be reproduced in whole or in part and may not be distributed,
publicly performed, proxy cached or otherwise used, except with express permission.
|
|
