BlackCat Ransomware Gang Targets Luxembourg Energy Giant Creos

essidsolutions

The news was officially made public by Creos’ parent company Encevo Group late last month after the BlackCat ransomware group claimed to have successfully targeted the Luxembourg-based energy company. While the energy supply to customers remains uninterrupted, the ransomware gang still has 150 GB of Creos data and is threatening to publish it online.

Encevo Group said that “a number of data were exfiltrated from computer systems or made inaccessible by hackers,” which aligns with typical ransomware attacks.

The company operates a natural gas pipeline and electricity network in five European countries. However, the number of users whose data was exfiltrated remains unclear.

Paul Prudhomme, head of threat intelligence advisory at Rapid7, told Spiceworks, “Due to the criticality and potential socio-economic impact an attack can have, critical infrastructure organizations such as Creos Luxembourg S.A. are popular targets for ransomware groups. Our research has shown that since April 2020, the energy & industrials sector has had the second highest number of ransomware incidents by industry.”

Indeed, attacks on critical infrastructure have the potential to disrupt day-to-day activities and cause temporary but widely felt economic upheaval. The attack on the largest oil pipeline operator in the U.S., Colonial Pipeline, caused shortages on the country’s east coast and spiked oil prices by 4%. BlackCat is believed to have ties to the Colonial Pipeline hackers, DarkSide/BlackMatter.

Even though the energy supply to Creos customers is uninterrupted, the BlackCat gang claims it has stolen 180,000 files totaling 150 GB, according to a post on the BlackCat extortion/leak site. The BlackCat gang, also known as ALPHV, said the data includes contracts, agreements, passports, bills, and emails and threatened to leak it on Monday.

#Alphv aka #BlackCat claims to have hit a pipeline operator: Creos Luxembourg which operates both natural gas pipelines and electricity networks in the Grand Duchy. 1/3 pic.twitter.com/P9P7l6eGlK

— Brett Callow (@BrettCallow) July 29, 2022

Trevor Dearing, director of technology at Illumio for EMEA, told Spiceworks, “Cybercriminals understand that attacks on the commercial side of organizations that have the potential of leaking across to the production network increases the likelihood of ransom demands being met.”

He added, “What’s more, in this case, BlackCat posted details of the attack on their extortion platform, further piling the pressure on their victims to pay the ransom to have this retracted.” The ransomware syndicate’s new searchable leak site, ALPHV Collections, was designed precisely for this purpose, i.e., to pressure victims into paying up.

The Encevo Group said it is still determining the attack’s scope and investigating if any personal data was exposed. The company advised customers to update their login credentials.

“This double-extortion tactic means that organizations need to go beyond just back-ups in order to protect themselves against ransomware attacks,” Prudhomme added. “Businesses should also implement file encryption – rendering files unreadable to unauthorized eyes – and implement network segmentation to limit lateral movement and mitigate the impact of such attacks. Double extortion is becoming more and more popular among cybercriminals. Therefore, organizations must have the appropriate defenses in place to combat the modern threat.”

One thing missing from the post is the ransom demand by BlackCat, so there’s no clear timeline of what to expect.

From its emergence through March 2022, the FBI said, the BlackCat ransomware gang targeted 60 organizations globally, including the German petroleum and chemical logistics companies Oiltanking and Mabanaft Group. BlackCat also exploited the second-highest number of vulnerabilities of any ransomware family in Q1 2022, according to Cyber Security Works and Ivanti.
