Two state-owned utility companies in Brazil suffered separate ransomware attacks in the past week, forcing them to shut down some operations and services temporarily. In one case, sensitive data was stolen and dumped online, including network access logins and engineering plans.
Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel) both reported attacks, the latter of which appears to be the work of Darkside, which flogged data stolen from the attack online, according to a published report.
Darkside is a technically innovative ransomware group that’s tried to brand itself as an altruistic, digital Robin Hood by making charitable donations with the Bitcoin it’s stolen from victims.
In this case, the group said it stole more than 1,000 gigabytes of Copel data in the attack, including sensitive information allowing for access to key infrastructure, personally identifiable information (PII) of top management and customers, and detailed engineering plans of the company’s network, according to the report, which included a snapshot of an ad for the data from a hacker forum.
Both utilities are state-owned and have a significant presence in the country. Eletrobras is the largest utility in Latin America and owner of Eletronuclear, which constructs and operates nuclear power plants. Copel is the largest utility provider in the Brazilian state of Parana.
Eletrobras Cyberattack Impacts Nuclear Plant Subsidiary
It’s not clear at this time who is behind the Eletrobras attack, which the company acknowledged in a press release posted earlier this week. The attack hit the administrative network of its Eletronuclear subsidiary, which runs two nuclear power plants—Angra 1 and Angra 2.
In the case of the attack on Eletronuclear, the company had to suspend some of its systems to protect the integrity of data, the company said.
However, the administrative network is not connected to the operational technology (OT) systems that run the nuclear power plants, which are isolated from that network for security reasons, according to the release. Because of this, there was no impact on safety or the operation of the Almirante Álvaro Alberto Nuclear Power Station (CNAAA), nor damage to the supply of electricity to the National Interconnected System, according to Eletrobras.
The company did not provide details on whether any data was stolen in the attack, or on whether there is any indication of who the culprit may be. Eletrobras has reported the attack to the appropriate authorities and is continuing to investigate, it said.
Reams of Data Stolen from Copel Utility
The Copel attack was not publicly disclosed but mentioned in an SEC filing on Monday, according to Bleeping Computer, which appears to have had contact with Darkside about its hand in the attack.
Hackers said they gained access to the company’s CyberArk cloud security solution for privileged access management and exfiltrated plaintext passwords across Copel’s local and internet infrastructure, according to the report.
Specifically, attackers said the 1,000 GB cache of data they pilfered includes: data from CyberArk storage with clear-text passwords from all local and internet infrastructure; network maps and diagrams; backup schemes and schedules; domain zones for the cope.com and copel.nt domains; a database that stores ActiveDirectory data; phone numbers, emails, IDs and other personal data of employers and customers, including top management; NDAs, finances and contract info; and detailed engineering schemes, plans and network switches.
Ransomware Remains a Top Cyberthreat
Ransomware continues to be one of the top threats plaguing organizations, spurred by gangs’ success in extorting large sums of money from victims. 2020 went down as a banner year for this type of cybercrime, which hit less lucrative organizations such as hospitals particularly hard due to the COVID-19 pandemic.
Ransomware gangs don’t appear to be letting up in 2021 either, with new variants of ransomware already detected — such as Babuk Locker, which is targeting corporations.
That said, there has been some promising news for potential ransomware victims this year thanks to global efforts to take down the criminal gangs behind major malware distribution schemes. Last week, an international law-enforcement consortium disrupted one of the most prolific malware strains, Emotet, by dismantling servers and infections. The malware is often used as a gateway infection to distributing ransomware.
And in an unrelated effort, authorities in Canada charged a suspect believed to be responsible for NetWalker ransomware attacks, and seized $454,500 in cryptocurrency from ransom payments made by three separate victims.