Documents obtained during a cyberattack on Elexon last month have reportedly been leaked on the dark web.
Using ransomware program REvil, also known as Sodinokibi, attackers managed to access the company’s internal IT systems on 14 May. Now “highly sensitive and confidential files and data” have been published, according to threat intelligence company Cyble.
The files include images of users' passports, enterprise renewal application forms and analysis data, among other items. These have been verified by Cyble’s research team, after they were posted last week.
It is thought that Elexon has refused to pay the attackers, leading to the release of the data on the dark web.
"Typically, when a victim refuses to pay within 3 -10 days, the group commence leaking their data (in different parts)," explained Beenu Arora, CEO and founder of Cyble. "Cyble became aware of the leak on June 1, and there have been no subsequent leaks."
REvil ransomware attacks a system and allows the perpetrator to obtain, block and encrypt files, so that after infection they release ransom request messages.
While the company has yet to confirm details of the attack, it has been reported that Elexon had been running an outdated version of Pulse Secure, which left it vulnerable to attack.
Arora added: "Revil ransomware operators have been known to exploit pulse secure vulnerability. However, we are unable to confirm if Pulse Secure vulnerability (CVE-2019-11510) was the root cause of it – the circumstances and the group tactics do make this one of the stronger probable causes."
At the time of the cyber breach, Elexon stated that it had identified the root cause of the attack and was taking steps to restore its internal IT systems.
The company also highlighted that it does not handle the physical flow of electricity and therefore there was no threat to supply from the cyberattack. National Grid confirmed that it was aware of the attack but had not been affected by it.
Elexon’s role in the UK energy market is to calculate the amount of power produced by power stations and sold to suppliers, ensuring that it either matches what they are contracted to sell or that the differences are correctly charged. Additionally, it calculates, collects and distributes payments to Contract for Difference generators and Capacity Market providers.
Cyberattacks are not unheard of in the energy industry. In April, European energy giant Energias de Portugal (EDP) was hit by a ransomware attack, with attackers using Ragnar Locker ransomware to steal over 10TB of sensitive company files.
In March, the European Network of Transmission System Operators for Electricity reported that it had found evidence of a successful cyber intrusion into its office network. The association, which represents 42 electricity transmission system operators from 35 countries across Europe, did not provide further details regarding the nature of the attack.