Luxembourg energy companies struggling with alleged ransomware attack, data breach

Two companies based in Luxembourg are grappling with an alleged ransomware attack that began last week, the latest in a string of incidents involving European energy companies. 

Encevo Group said its Luxembourg entities Creos – an energy network operator – and the supplier Enovos were “victims of a cyberattack on the night of July 22.”

The company said the attack took down customer portals for both companies but did not affect the supply of electricity and gas. 

Encevo is owned by the government of Luxembourg and several other companies, including China Southern Power Grid International. Creos helps run the country's electricity and gas network infrastructure, while Enovos is Luxembourg's main supplier.

Creos confirmed in a statement last week that its phone lines were down but the company declined to elaborate further on Monday.

Alongside the disruptions, Encevo Group wrote in a July 28 press release that a “certain amount of data was exfiltrated from computer systems or made inaccessible by hackers.”

“The group is currently making every effort to analyze the hacked data. For the moment, the Encevo Group does not yet have all the information necessary to personally inform each person potentially concerned,” the company said. 

“This is why we ask our customers not to contact the group's services on this subject for the time being. A website has been set up and will be updated as the situation evolves.”

On the website, Encevo said it filed a complaint with the Grand Ducal Police, and had notified Luxembourg’s National Commission for Data Protection, as well as the Luxembourg Institute of Regulation and other “competent ministries.”

Emsisoft threat analyst Brett Callow said the Alphv ransomware group – also known as BlackCat – took credit for the attack on its leak site. 

The group claims to have stolen 150 GB of data that they said includes contracts, passports, bills and emails. They threatened to leak the data on Monday but as of the afternoon, no data had been released. 

The European Union Agency for Cybersecurity released a report on Friday with the findings of an analysis of 623 incidents in the EU between May 2021 and June 2022. It found that 10TB of data was stolen and exfiltrated per month during ransomware attacks, while more than 60% of organizations may have paid a ransom.

According to Callow, Alphv is a rebrand of the prolific BlackMatter ransomware group, which itself was allegedly a rebrand of the DarkSide ransomware – a gang accused of launching the headline-grabbing attack on Colonial Pipeline. 

A representative of the group spoke to The Record in February, claiming that most of the major ransomware groups are connected in one way or another. 

“Let’s just say: ‘We [have] borrowed their advantages and eliminated their disadvantages,’” the representative said, referring to Alphv's relationship with other incarnations of the gang.

The targeting of the Encevo Group entities is one of many recent attacks on European energy companies, which have increased significantly over the last year. German wind farm operator Deutsche Windtechnik was crippled in April by a cyberattack while German wind turbine maker Nordex was forced to shut down its IT systems across multiple locations and business units after it was hit with a cyberattack on March 31.

The Nordex incident followed a cyberattack on satellite communications company Viasat that caused the malfunction of 5,800 Enercon wind turbines in Germany.

In February, European prosecutors and cybersecurity officials began investigating a ransomware attack affecting several major oil port terminals that targeted organizations in Belgium, the Netherlands, and Germany, including some of the largest ports in the region.

Oil companies Oiltanking and Mabanaft, both owned by German logistics conglomerate Marquard & Bahls, suffered a cyberattack that crippled their loading and unloading systems in February. Oiltanking said it "declared force majeure" due to the attacks. 

The attacks forced Shell to reroute oil supplies to other depots. German newspaper Handelsblatt said 233 gas stations across Germany now have to run some processes manually because of the attack.

An internal report from Germany’s Federal Office for Information Security said the BlackCat ransomware group was behind the cyberattack on the oil companies. 

Callow noted that while neither the gas nor electricity supply was disrupted by this attack on Creos and Enovos, they could have been.

“Colonial Pipeline, for example, didn’t stop moving oil because its pumps didn’t work in the attack, but because its billing system was knocked out,” Callow said. 

An FBI alert released in April said the law enforcement organization had tracked at least 60 ransomware attacks by the BlackCat group as of March. 

The white notice also said BlackCat is the first ransomware group to attack this many victims successfully using RUST, a programming language that many consider to be more secure than others.