Dive Brief:
- A ransomware gang with direct ties to the group behind last year’s attack on Colonial Pipeline has struck again, this time hitting two Luxembourg-based critical infrastructure companies: pipeline operator Creos and electricity operator Enovos.
- Encevo, the parent company of both business units, said data was exfiltrated during the attack between July 22 and 23, rendering the customer portals of Creos and Enovos non-operational. The company said electricity and gas are still flowing to customers without interruption.
- Threat actor ALPHV, also known as BlackCat, claimed responsibility for the attack on July 29 in a post on a leak site and threatened to publish the data it stole on Monday.
Dive Insight:
ALPHV is the latest rebrand of the DarkSide ransomware group that attacked Colonial Pipeline in May 2021. It also attacked the Germany-based gas distributor Oiltanking in November 2021 and Swissport in February 2022.
The group claims it exfiltrated more than 150 gigabytes of sensitive data from Creos, including contracts, passports, bills and emails.
ALPHV historically demands a ransom as part of its cyberattacks, but no figure has yet been reported.
Brett Callow, a threat analyst at Emsisoft who published ALPHV’s leak site post on Twitter, said the group is increasingly active and probably as busy as the prolific LockBit ransomware group. Affiliates of LockBit were recently observed infiltrating on-premises servers to spread malware across targeted networks.
ALPHV claimed dozens of victims in the first few months after it was initially detected in November 2021. It typically targets large organizations, and has hit multiple areas of critical infrastructure.
“Threat actors may believe that attacking energy companies at a time when the energy supply chain is already stressed increases their likelihood of a payout,” Callow wrote in response to questions.
However, he added, the more likely rationale for ALPHV’s latest attack, as with the majority of all attacks, is opportunistic and non-targeted.
“The incident underpins the fact that ransomware is still very much a threat to the energy sector and has the potential to disrupt supply,” Callow wrote.
Encevo said its investigation into the incident is ongoing and it will contact customers that might be impacted. The company has energy supply operations in five European countries, and is the largest energy firm in Luxembourg, providing more than 285,000 customers with electricity and 47,000 with natural gas.