Danish intelligence: Possible tie between Vestas hackers and Colonial Pipeline attack

The cybercriminal group that has held Vestas' internal data hostage over the past two weeks is known by the Danish Defence Intelligence Service. Several reports provide insight on recruitment and targets of "Lockbit 2.0" – also establishing possible connection to last year's major hacker attack on the US' Colonial Pipeline.

Photo: vestas


It was not three guys sitting in a basement with Wi-Fi and Redbull that seized the IT systems of Vestas.

Several reports from the Danish Defence Intelligence Service (FIT) paint a grim and professional picture of cybercrime group Lockbit 2.0, which throughout the last 14 days has been holding the turbine maker's company data hostage.

The hackers are apparently also rather prolific, deems FIT, which notes the group's activities as having "dramatically increased" in the months leading up to September.

The group's members are likely experienced criminals coming from former hacker networks such as Darkside, Avaddon and Revil, according to the Danish Centre for Cyber Security (CFCS). Darkside was behind the attack on the US' Colonial Pipeline, which was forced to keep its oil infrastructure closed for nearly a week and ended up paying a ransom of more then USD 4m.

Extensive disruptions and scarce natural gas along the entire US Eastern Seaboard resulted from the attack.

They operate by attempting double extortion

Dubex CTO Jacob Herbst

Since that incident, Darkside and numerous other hacker groups have made it clear that they will not attack critical infrastructure looking forward. Darkside shut down its platform completely – a move that might have made room for Lockbit, which has since been on the offensive. According to CFSC, the threat against the energy sector is also "very high" despite statements made by hacker groups.

In interviews with several media, Lockbit has claimed that it avoids assaulting organizations within health, educations and charity. In Denmark, CFSC finds that it's only a question of how much money is on the line.

CFCS says Lockbit has in the meantime threatened disruptions such as the Colonial Pipeline incident – and with consequences as far reaching.

Steals and encrypts

Lockbit is thought to originate from Russia, offering so-called ransomware-as-a-service (RaaS). In practice, this means that the group writes and sends out harmful programs known as malware later used by other cyber extortionists.

Reading further into CFCS' reports, it appears that Lockbit has recruited hackers through the forum Russian Anonymous Marketplace, thought to have been founded by former RaaS higher-ups.

Jacob Herbst, chief technical officer at cybersecurity firm Dubex, says a range of problems emerge as soon as IT systems are compromised by criminals.

"They operate by attempting double extortion, where they both steal and threaten to leak, and then they take people's data hostage via encryption. That's roughly how ransomware has worked in the last two years," Herbst tells EnergyWatch.

With two years to go on, it's also possible to say something about what type of data ransomware perpetrators normally target, he explains.

"They normally steal the data that's lying around. In most cases, it involves personal data. That's also something criminals seek because they know that such data is significant for companies on account of GDPR rules," the CTO says.

No guarantees

The Danish wind OEM has just over two weeks to gain insight on its new enemy. According to Vestas' latest update, public authorities and cybersecurity specialists have assisted the manufacturer in identifying compromised data as well as personal data that might have become affected.

As previously reported by EnergyWatch, Vestas has declined to elaborate on which authorities are involved.

According to Vestas Vice President and Head of Communications Anders Riis, the company has "no indication that the event has impacted customer and supply chain operations".

"Investigations are still underway, so it's premature to say anything conclusive about it," Riis said.

When Vestas cannot eliminate such a possibility, saying that the attack has hit "internal systems and data",  this likely means that the "they're investigating any possible risk of the criminals having used access to Vestas to move on to [the OEMs] customers to compromise data and systems there, but that there are thus no indications of this being so," Herbst says.

Before a target starts to reopen its systems, it's necessary to make sure the hackers have been expelled

Dubex CTO Jacob Herbst

Skilled and lucky

The CTO says there's a possibility that the attack could impact the manufacturer's operational technology, thereby leading to supply disruptions. Such would typically be possible if a company's internal and external systems use the same platform and are not properly separated.

"It can't be ruled out, but I'd expect a company like Vestas to have some form of barrier between their internal and customer systems," he says.

Vestas' announcements indicate, though, that the company has handled the situation with skill – and has been lucky, Herbst says.

"That tells me that they've have a fine handle on things and discovered the attack relatively quickly and closed it down," he says and adds:

"But that's why this sort of attack entails some time passing because before a target starts to reopen its systems, it's necessary to make sure the hackers have been expelled. This must be done slowly and methodically to avoid suddenly standing in a mess again."

A comment from CFSC was not possible to obtain before this article's deadline.

International hacker group behind Vestas attack  

Vestas confirms spread of stolen data

Vestas hit by cyber attack 

More from EnergyWatch

Norway awards more than 50 new oil licenses

Norwegian oil giant Equinor has received almost half of the new licenses on the Norwegian continental shelf where there is still significant interest in new oil and gas deposits.

Further reading

Related articles

Latest News

See all jobs