20 May 2020
Cyber incidents in industrial enterprises during the first half of May: Stadler, Elexon, BlueScope
During the first half of May we saw several cyberattacks on industrial enterprises in various sectors.
On May 7, 2020, Stadler, a Swiss manufacturer of railway rolling stock, reported a cyberattack at their production facilities. On their website the company stated that some computers in their corporate network were infected with malware and data was stolen from the compromised machines. The threat actors behind the attack contacted company personnel, demanded a ransom and threatened to publish the stolen data if payment was not made.
Stadler turned to the appropriate government agencies and hired external IT security experts to assist with incident investigation. Backup copies were used to restore the affected systems and operational processes were not affected by the attack.
The company did not reveal which malware was used in the attack. However, since a ransom was demanded and systems needed to be restored using backups, it is highly likely that Stadler was the victim of a ransomware attack.
On May 14, 2020, ELEXON, a major British electric utility company, reported a malware infection in their IT network. Only the internal IT network suffered as a result of the attack, including the email system and laptops. Key IT services and electricity supply systems were not impacted.
Later on the same day, ELEXON stated that the main cause of the incident had been identified and that the affected systems were being restored.
Like Stadler, it’s possible that ELEXON suffered a ransomware attack.
According to Bad Packet scanner data for March 2020, ELEXON used an outdated version of the Pulse Secure SSL VPN server to provide remote access to the internal corporate network for employees. It was breached using the CVE-2019-11510 vulnerability. Cybercriminals often used this vulnerability for breaching corporate networks and infecting them with ransomware.
On May 15, BlueScope, an Australian steel producer, reported an attack that affected operations at several sites.
The cyber incident was detected by a subsidiary in the US. As well as sites in North America, the attack had a limited effect on subsidiaries in Asia and New Zealand. The hardest hit were manufacturing and sales operations in Australia: some operations were halted, while others, including steel shipments, were performed using manual processes and workarounds. No other details about the attack have been disclosed to date.