Slovenian power company hit by ransomware

Slovenian power generation company Holding Slovenske Elektrarne (HSE) has been hit by ransomware and has had some of its data encrypted.

The attack

HSE is a state-owned company that controls numerous hydroelectric, thermal and coal-fired power plants.

The company has declined to share any details about the cyber intrusion, but has confirmed that operation of its power plants has not been affected.

“We would like to emphasize that the HSE had control over the power plants of the HSE group at all times, safety was also properly taken care of, and the high water alarm system also worked smoothly. Electricity trading has not been interrupted and is being carried out, but out of caution we have somewhat limited the execution of individual transactions,” said Dr. Tomaž Štokelj, General Director of HSE.

The attack did affect the company’s communication and information infrastructure and, according to Slovenian news outlet 24ur, the websites of some of the power plants were temporarily inaccessible.

Dr. Uroš Svete, the director of the Slovenian Government Information Security Office (URSIV), revealed during a press conference that a “software virus” has been used to encrypt data.

24ur also reported that:

• The attack was first detected on November 22 and has been immediately reported to the National Office for Cyber Incidents at the Slovenian CERT (Si-CERT)
• HSE had contained the initial attack with technical measures they’ve previously implemented, but “on the night from Friday to Saturday the incident became more intense and more widespread”. Outside experts have been also called in to work with HSE’s security team
• The incident was due to poor cyber hygiene (i.e., passwords stored in the cloud)

The ransomware used

24ur sources also say that the attackers used the Rhysida ransomware and “are probably connected to a group that works in collaboration with a state actor.”

The Slovenian national television has reported that the hackers are demanding millions in ransom, but there has not been any official confirmation of that claim.

Rhysida is a fairly new ransomware group that has been active since May 2023 and has targeted – among others – the Chilean Army, Prospect Medical Holdings, the British Library, and Energy China.

“Threat actors leveraging Rhysida ransomware are known to impact ‘targets of opportunity,’ including victims in the education, healthcare, manufacturing, information technology, and government sectors,” according to a recently released advisory by the CISA, FBI, and MS-ISAC.

“Open source reporting details similarities between Vice Society (DEV-0832) activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model.”

Critical infrastructure in the crosshairs

There has been a noted increase in cyber attacks targeting Europe’s energy grid in the last couple of years. Most recently, SektorCERT shared details about a wave of coordinated cyberattacks that targeted the Danish energy sector in May this year.

“When critical national infrastructure organisations suffer a cyberattack, there is a strong possibility they will disconnect the services they provide into society, which can have devastating effects on citizens,” Ryan McConechy, CTO of Barrier Networks, told Help Net Security.

“While the communications from HSE state that the attack has not compromised operations, data does appear to be encrypted, so the organisation will need to investigate this as a priority. With the data potentially in the hands of Rhysida, this could be sold on and used by nation state adversaries to harm Slovenia.

“Today, many critical national infrastructure organisations have moved away from manual operations, taking advantage of digital to improve the safety and efficiency of plants. But this introduction of automation has made these critical organisations more vulnerable to cyberattack. As a result, security must be rolled out in tandem with modernisation,” he concluded.