Conti Claims Responsibility for Nordex Breach
Wind Turbine Maker Forced to Shut All IT Systems
On March 31, a cybersecurity incident forced German wind turbine manufacturer Nordex to switch off its IT systems at multiple locations and across several business units. While the company did not offer details on the type of attack or the perpetrator at that time, ransomware gang Conti on Saturday claimed responsibility for the attack, and the Russia-affiliated threat group added Nordex to its data leak site, Conti News.
On April 12, Nordex said its investigations into the incident were ongoing and that the company was continuing to restore its IT systems.
What Happened
On March 31, Nordex Group's IT security team detected a cybersecurity incident, according to a statement the company issued on April 2. "The intrusion was noted in an early stage and response measures were initiated immediately in line with crisis management protocols. As a precautionary measure, the company decided to shut down IT systems across multiple locations and business units," the company said at the time.
In the April 12 update, the company gave more details about the impact of the cyber incident and the corresponding incident response initiated by Nordex. "To safeguard customer assets, remote access from Nordex Group IT infrastructure was disabled for turbines under contract. Nordex turbines continued operating without restrictions and wind farm communication with grid operators and energy traders was and remains unaffected," the update says.
As part of immediate business continuity measures, the company set up and activated alternative remote control services that it says "are now successfully implemented for most of the fleet."
Nordex, in association with the relevant authorities and both internal and external IT experts, has continued to perform extensive investigations and forensic analysis.
According to the preliminary results of the analysis, Nordex says that "the impact of the incident has been limited to internal IT infrastructure and there is no indication that the incident spread to any third-party assets or otherwise beyond Nordex' internal IT infrastructure."
The company continues to restore its IT systems and is looking to resume normal operations as soon as reasonably practicable, according to the statement.
In response to Information Security Media Group's request for updates, Nordex says, "Due to the current circumstances, we kindly ask for your understanding that response might take some time."
Conti Takes Responsibility
The Conti ransomware gang, which uses the Conti News website to name and shame its victims, first added Nordex Group to its victim list on April 11. Brett Callow, a threat analyst at security firm Emsisoft, tweeted about the claims that the ransomware gang had posted on its website.
According to the post, Conti has not yet added or published any data files.
Similar Incident
This is not the only cyberattack on a German organization associated with wind turbine manufacturing and servicing in the recent past.
Between April 11 and 12, Deutsche Windtechnik, a specialist in the technical maintenance of wind turbines, identified an external cyberattack on its IT systems.
According to a statement released by the company on Wednesday, "all systems were shut down for security reasons and the connections to all external systems were severed." The statement also says: "We are currently not available via email. According to our current state of knowledge, we assume that wind turbines are not affected by the attack."
The company assigned internal and external IT experts to secure and check the environment before bringing the systems back up. After a day of investigation, the company on Thursday confirmed a "targeted professional hacker attack" in its statement.
ISMG did not receive a response from the company on whether this incident was also associated with the Conti ransomware gang.
"Immediately after the attack was discovered, all remote data monitoring connections to the wind turbines were switched off for security reasons. These are now active again and we confirm that no wind turbines were affected by the attack. There is no danger for our customers and the operative business can be continued with small restrictions," the statement says.