Internal data stolen, posted on Dark Web
Cyber criminals using the REvil/Sodinokibi ransomware stole internal data during a May 11 attack on Elexon — the organisation that helps balance and settle the UK’s electricity market — and have now posted it online in a bid to pressure the organisation into paying a ransom.
The documents include a cyber insurance policy and passports.
Elexon said at the time that its “central systems” were unaffected and that it had identified the “root cause”. (Its 100+ London staff have been left unable to use official email accounts after the incident, with IT work still ongoing to restore the affected systems, Elexon acknowledges.)
Elexon Hack: REvil/Sodinokibi Ransomware Blamed
Certain sensitive internal data was, however, stolen during the attack, Computer Business Review can reveal: material posted online this week to a .onion site by the culprits includes the passport of Victoria Moxham, Elexon’s director of customer operations, along with the contents of an internal database.
Worryingly, this includes internal staff communications about the ransomware event, suggesting the attackers remained inside the network for some time. (It is unclear how long this was, or is, the case: i.e. whether their presence on the network continued beyond Elexon’s post-incident response.)
Elexon adds: “The security of the BSC Central Systems is integral to the design and operation and at this time security has been further enhanced.”
It was not immediately clear how much internal data was stolen.
What is Elexon?
Elexon runs the UK’s balancing and settlement code (BSC).
It compares “how much electricity generators and suppliers say they will produce or consume with actual volumes. We then work out a price for the difference and transfer funds. This involves taking 1.25 million meter readings every day and handling £1.5 billion of our customers’ funds each year.”
The organisation appears to have been running an unpatched version of a VPN (Pulse Secure) with a known critical security flaw.
Brett Callow, CEO of security firm Emsisoft, which revealed the leak, told Computer Business Review: “Companies often state they were the victim of ‘a sophisticated cyberattack,’ but those attacks often succeeded only because of basic security failings such as the use of weak passwords, the non-use of MFA or running unpatched internet-facing servers.
“In other words, they’re making life much easier for cybercriminals and putting not only their data at risk, but also information relating to their customers and business partners.”
In an earlier interview with Computer Business Review, Mike Hulett, the National Crime Agency (NCA)’s head of operations for cyber crime, told us: “Three years ago, ransomware was seen as a bit of an annoyance, something which hit SMEs predominantly.
“Now in terms of real-life impact on businesses and services, it’s the predominant problem at the moment and takes the majority of our law enforcement efforts.”
Cyber criminals continue to exploit the failure of organisations to ensure basic cyber hygiene like regular patching, with the Top 10 most exploited vulnerabilities of the past four years including a software bug — CVE-2012-0158 — first reported in April 2012.
A May 2020 FBI report lamented that “foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations.”
It added: “The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date.”
Business leaders would no doubt help this process by ensuring CIOs are well resourced and IT teams empowered to ensure systems are patched, even if there are short-term operational consequences.