European energy company and gas pipeline hacked by AlphV ransomware

The AlphV ransomware group has successfully attacked several businesses owned by the Encevo Group, a large energy company based in Luxembourg.

AlphV uploaded sample files to its deep web platform on Friday evening, claiming to have stolen around 180,000 files totalling more than 150GB in size from Creos, which owns and operates electricity networks and natural gas pipelines in the country.

The data it claims to have stolen includes company contracts, agreements, passports, bills, and emails. The method of attack is double extortion which is typical for the AlphV group and many other contemporary ransomware operations.

One of the files uploaded for public viewing appears to be a recently expired passport. IT Pro has been unable to independently verify the legitimacy of the stolen files but Encevo has confirmed the breach on Creos and Enovos.

IT Pro has also requested further details on the company’s remediation strategy, but it declined to reply.

Encevo Group said the attack occurred between 22-23 July and “a certain amount of data was exfiltrated” but it was doing everything it can to analyse the hacked files.

The companies’ services are not believed to be affected, including all gas pipelines and electricity supplies. Encevo added that there is a breakdown service that is guaranteed to work should any attack-related issues arise, ensuring the continued supply of energy.

In addition to assurances of the attack, the company's phone and email systems remain online, as do its websites.

Creos told IT Pro that all relevant legal and regulatory authorities have been informed of the incident, and that ransomware was involved in the attack. Encevo classified the incident as a data breach rather than confirming it was ransomware.

“For now, the Encevo Group does not yet have all the information necessary to inform personally each potentially affected person,” it said. “This is why we ask our customers not to contact us for the moment.”

The Russia-affiliated ransomware group sometimes referred to as BlackCat, is one of the most prolific ransomware operations currently running.

Experts have alleged that the group has links to the now-disbanded DarkSide which was responsible for the attack on Colonial Pipeline a year ago.

“AlphV is a rebrand of BlackMatter which was a rebrand of DarkSide - and DarkSide was used in the attack on Colonial Pipeline,” said Brett Callow, threat analyst and Emsisoft.

Callow also said that AlphV is “probably at least as busy as LockBit”, which was recently labelled as the most active ransomware operation running at present.

AlphV also claimed attacks on video game giants Bandai Namco and Roblox in July after the FBI issued an earlier warning over the group's success back in April.

Critical infrastructure and providers of critical services are increasingly targeted by cyber attacks due to the amount of disruption they can cause, and the notoriety a cyber criminal group can gain from causing such harm.

The attack on Colonial Pipeline last year demonstrated the importance of strong cyber security measures at businesses like these and drew so much attention from law enforcement agencies that the hackers were thought to have entered hiding as a result.

Much of the ransom ultimately paid to the hackers after the Colonial Pipeline attack was recovered by US authorities but the incident prompted a federal-level overhaul in cyber security practices to prevent an attack of its scale ever happening again.