Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel), two major electric utility companies in Brazil, have announced that they suffered ransomware attacks over the past week.
Both are state-controlled and key players in the country: Copel is the most important utility in the state of Paraná, while Eletrobras is the largest power utility company in Latin America and also owns Eletronuclear, a subsidiary involved in the construction and operation of nuclear power plants.
Both ransomware attacks disrupted operations and forced the companies to suspend a number of their systems, at least temporarily.
Nuclear plants unaffected
In the case of Eletrobras, the incident occurred at its Eletronuclear subsidiary and was classified as a ransomware attack. It affected some of the administrative network servers and had no impact on operations at the Angra 1 and Angra 2 nuclear power plants.
Operations at the two plants are disconnected from the administrative network, for obvious security reasons, so the electricity supply to the National Interconnected System remained unaffected, the company said in a press release on Wednesday.
Upon detecting the attack, Eletronuclear suspended a number of its systems to protect the integrity of the network. Together with its managed security services team, the company isolated the malware and limited the effects of the attack.
The notification is scarce on details and does not clarify whether the attack also constitutes a data breach, as it is common for ransomware operators to steal data from the victim network before deploying the encryption routine.
Copel leaks ahead
In the case of Copel, the attack is the work of the Darkside ransomware gang, which claims to have stolen more than 1,000GB of data and says the cache includes sensitive infrastructure access information and personal details of top management and customers.
According to the hackers, they gained access to the company's CyberArk solution for privileged access management and exfiltrated plaintext passwords across Copel's local and internet infrastructure.
Apart from this, Darkside says that it holds more than 1,000GB of sensitive data belonging to Copel, which includes network maps, backup schemes and schedules, domain zones for Copel's main site, and the intranet domain.
They also claim to have exfiltrated the database that stores Active Directory (AD) data, the NTDS.dit file, which contains information about user objects, groups, group membership, and password hashes for all users in the domain.
Although the AD database does not hold plaintext passwords, there are tools that can crack the hashes offline or use them in so-called pass-the-hash attacks, where the hash functions as the password itself.
Unlike other ransomware operators, Darkside does not publish stolen data on its leak site. Instead, it relies on a distributed storage system to host the data for six months.
Access to these caches is vetted by the gang members. This means that while Copel's data is not freely available, third parties, including other hackers, can easily obtain it.
Main systems intact
Copel is the largest company in the state of Paraná and also the first Brazilian company in the electricity sector to be listed on the New York Stock Exchange.
The date of the intrusion remains undisclosed, but Copel announced the incident in a filing with the Securities and Exchange Commission (SEC) on Monday, February 1st.
The company detected the attack and acted immediately to prevent it from spreading across the network. An investigation was launched to determine the full impact of the attack.
What is certain is that most systems remained unaffected and the electricity supply, along with telecommunications services, continued to function normally.
“The operation and protection systems detected the attacks and, immediately, the corporation followed the safety protocols, including suspending the operation of its computerized environment to guard the integrity of the knowledge. The complete assessment of what happened is ongoing and therefore the Company is taking the required steps to revive normality.” – Copel
It is unclear how many segments of the Copel network were impacted by the attack or whether the hackers were able to deploy the encryption routine. We have reached out to Copel for comment and will update the article when an official statement becomes available.