European wind-energy sector hacking linked to Conti ransomware group

The companies attacked haven't publicly attributed the hacks to a particular criminal group or country and Russia has consistently denied that it launches cyber attacks.

According to Christoph Zipf, a spokesman for WindEurope a Brussels-based industry group, the timing of the attacks suggests potential links to supporters of Russia’s invasion of Ukraine.

Serious cyber attacks on industrial equipment aren’t common and take significant knowledge to prepare, according to security experts.

The three companies targeted in the attacks are all based in Germany, The Wall Street Journal reported.

Deutsche Windtechnik AG, which specialises in the maintenance of wind turbines, was hacked in April. Remote-control systems for about 2,000 wind turbines in Germany were down for about a day after the attack, according to the company.

Turbine maker Nordex SE said it discovered a security incident on 31 March that forced it to shut its information-technology systems.

Conti, a ransomware group that has declared support for the Russian government, said this month that it was responsible for the attack.

Another turbine maker, Enercon GmbH, claimed it was “collateral damage” in an attack on a satellite company in February that happened “at almost exactly the same time that Russian troops invaded Ukraine”. The attack knocked out remote control of 5,800 of Enercon’s wind turbines, though they continued to operate on auto mode.

Matthias Brandt, director of Deutsche Windtechnik, is pushing for “higher IT security standards” because the growing renewable-energy sector will become a bigger target for hackers.

VIEW ALL

“The crisis in Russia and Ukraine shows us that renewables are replacing oil and gas in the future,” Brandt said.

The European Union started reducing Russian energy imports this month as member countries considered alternatives such as nuclear power or speeded up plans to move to renewable energy after years of relying on Russian oil and gas.

Germany, Europe’s biggest economy, has rejected EU-wide sanctions on Russian fuel, arguing such a move would damage the German economy.

The country moved up its plan to reach nearly 100 per cent renewable energy electricity by 2035 and wean itself off Russian oil and coal imports this year. A German official disclosed in late March that Russia accounted for 40 per cent of the country's natural-gas imports, down from 55 per cent four weeks earlier but still substantially above the EU average.

Cyber security experts working with Deutsche Windtechnik are investigating whether the ransomware attack used Conti malware, Brandt further explained.

Chats from Conti ransomware users leaked online last month revealed connections to Russian security services. The hackers also discussed targeting organisations they consider to be working against Russia.

According to Jim Guinn, who leads consulting firm Accenture PLC’s global cyber security business for energy, utilities, chemicals and mining, US utilities aiming to provide alternative energy to Europe have also been targets.

In WSJ reports, Guinn explained that at one US-based liquefied-natural-gas company he has worked with, scanning by outside groups for cyber security flaws has tripled over the past month.

Trond Solberg, managing director for cyber security at Norwegian risk-management company DNV GL further explained that a hacker who manages to infect the industrial equipment that controls wind turbines could manipulate the machines’ brakes to stop power production.

“That could disrupt services to customers and revenue for producers.

“A simpler strike on local internet-connected services could interfere with the remote monitoring systems of wind farms,” Solberg said.

The attack on Deutsche Windtechnik hit internal IT systems, not the industrial systems that control its turbines, according to Brandt, who found out the company’s systems weren’t working properly when the technology department called him around 6am on 12 April. An hour or two later, IT staff drove to a data centre in northern Germany to find Deutsche Windtechnik had been hit with ransomware the previous night.

Machines displayed codes that looked like hieroglyphs, Brandt continued, indicating servers had been encrypted with malware. Later that day, employees found an electronic note from hackers instructing the company to contact them to restore their data.

By the next day, Deutsche Windtechnik had resolved most of the issues and didn’t reach out to the hackers.

Guinn at Accenture PLC added that as European countries move away from Russian energy, key alternative sources will be wind farms in Germany and the North Sea.

“Hackers that have pledged to attack opponents of Russian interests are taking aim at companies working with those alternatives.

“This is a bit of a long game.

“This is a chess match – this isn’t smash and grab,” Guinn said.

Brandt confirmed to WSJ that around 90 per cent of Deutsche Windtechnik’s staff email accounts have been restored.

“The company will need a few weeks to bring back parts of its enterprise software that IT staff shut down out of caution.

“Customers and clients may not see it, but internally it is a lot of work,” Brandt said.

Brandt doesn’t yet know how much the incident will cost Deutsche Windtechnik.

[Related: Lack of talent behind slow NSW government cyber security expansion]