Critical Infrastructure Security , Cybercrime , Endpoint Security
Hackers Target Wind Turbine Manufacturer Nordex
Company Initiates Complete Shutdown of IT Systems; Attack May Link to ViasatGerman wind turbine manufacturer Nordex has switched off its IT systems in multiple locations after a reported cybersecurity incident. The company says that customers, employees and other stakeholders may be affected by the shutdown.
See Also: Guide to Strengthening Mainframe Security
The Nordex Group, along with its subsidiaries, develops, manufactures and distributes wind power systems across the world.
"On 31 March 2022, Nordex Group IT security detected that the company is subject to a cybersecurity incident. The intrusion was noted in an early stage and response measures were initiated immediately in line with crisis management protocols. As a precautionary measure, the company decided to shut down IT systems across multiple locations and business units," the company says.
According to Nordex, an incident response team of internal and external security experts has been assembled to contain the issue, prevent further propagation and assess the extent of potential exposure.
“By them shutting down their IT systems as a precaution measure, this suggests that they are currently dealing with a significant issue and hopefully over the coming days, weeks and even months they will be able to provide more information so that similar organizations can use this information to better their own defenses against similar attacks,” says Cliff Martin, cyber incident responder at GRCI Law.
In response to its request for comment, Information Security Media Group received an auto-generated reply from Nordex, saying that the company would get back with more details as soon as possible, adding: "Due to the current circumstances, we kindly ask for your understanding that response might take some time."
Henrik Moltke, a tech correspondent at Danish Broadcasting - or DR - on Sunday tweeted his doubts regarding this attack, saying "Nordex, another major wind turbine manufacturer hit by 'cyber incident'(normally meaning ransomware). Note that the release comes two days after the attack - and no mention of OT systems."
Moltke also says that several green energy companies have been targeted lately and asks if this is a coincidence.
Nordex, another major wind turbine manufacturer hit by ‘cyber incident’ (normally meaning ransomware). Note that the release comes two days after the attack - and no mention of OT systems. I’m also noting that a lot of green energy companies were targeted lately. Coincidence?pic.twitter.com/AOwmbci6Nj
— Henrik Moltke (@moltke) April 2, 2022
Similar Incident
This attacks follows the control failure on thousands of Enercon wind energy converters, which has still not been fully resolved. On Friday, Enercon announced that more than 85% of wind turbines are now back online following disruption to satellite communication.
"1,101 wind farms are back online, communication continues to be disrupted in 193 wind farms (as of 1 April). Service teams in the Central Europe (CNE) region are currently working around the clock in a large-scale concerted action to rectify the problem, which emerged on 24 February following a cyberattack on the KA-SAT satellite," Enercon says.
On the morning of Feb. 24, when Russia invaded Ukraine, American communications company Viasat reported that it had suffered an online attack that disrupted access to numerous terminals. The disruption occurred at about the same time as Russian tanks began to roll over the border and missiles started hitting Ukrainian targets.
That attack has not been attributed to any group or government, but security experts say that some Ukrainian weapons systems and defenses may rely on satellite-based communications for command and control.
One knock-on effect of the Viasat outage was that it disrupted about 5,800 wind turbines operated by Germany's Enercon across central Europe, Reuters reported. The operational technology impact prevented remote monitoring and control of the turbines.
"The exact cause of the disruption is not yet known," Enercon reported on Feb. 28, before the Viasat outage became known. "The communication services failed almost simultaneously with the start of the Russian invasion of Ukraine."
Viasat subsequently reported on March 1 that the "partial network outage" was "impacting internet service for fixed broadband customers in Ukraine and elsewhere" that rely on the Viasat telecommunications satellite known as KA-SAT, which serves 55 countries across Europe and part of the Middle East. It blamed the disruption on a "cyber event" that it said remained under investigation.
The disruption of tens of thousands of Viasat consumer broadband modems may have involved wiper malware, according to a report from SentinelOne security researchers Juan Andrés Guerrero-Saade and Max van Amerongen on Thursday, based on a sample of the malware they spotted, which they've dubbed "AcidRain" (see: Viasat Confirms 'AcidRain' Malware Could Have Wiped Modems).
Latest Update on Viasat
On Wednesday, Viasat published an update on its probe of the outage, which affected some users of the KA-SAT satellite communications, or SATCOM, network it operates. Specifically, it says attackers knocked offline approximately 30,000 residential broadband modems sold under the Tooway brand, and provided by Italy-based Skylogic, which is a subsidiary of French satellite operator Eutelsat (see: Viasat Traces Outage to Exploit of VPN Misconfiguration).
"This cyberattack did not impact Viasat's directly managed mobility or government users on the KA-SAT satellite," Viasat says in its overview and incident report. "Similarly, the cyberattack did not affect users on other Viasat networks worldwide."
Viasat, which provides the modems on a wholesale basis to distributors, says it has already shipped 30,000 replacement modems and that more are available if required. The company says the original modems were not destroyed or bricked but rather knocked offline via a series of commands sent by attackers.
No Attribution Yet
The attack has yet to be attributed to any nation-state or attack group, although Russia or a close ally remain, obvious suspects (see: Russia May Have Caused Widespread Satellite Network Outage. Further tying the attack to Russia, and its invasion of Ukraine, Martin Jartelius, CSO at Outpost24 says, "We can see how attacks against satellite controls for wind power, predominantly in Germany, have already been affected in the conflict in Ukraine. Energy is a central part of the geopolitical developments in Europe, and the cyber domain is still a safe way for the involved parties to cause a destabilization against each other without open conflict. Most likely this is just a ransomware attack that got detected and prevented in its early phases which is very well done, the timing and the industry however is in combination with the other elements of the current uncomfortable situation."
This is a developing story. Further updates will be published as they become available.