When the organization that oversees Europe’s electricity market announced on Monday that hackers had infiltrated its IT network, it didn’t provide many details.
The European Network of Transmission System Operators for Electricity (ENTSO-E) said a data breach had been confined to its office network, and that no critical power systems were affected. It didn’t mention how or why the intrusion began.
But a public analysis of a cybersecurity incident, which multiple people familiar with the matter said matches the details of the ENTSO-E breach, indicates that the attackers were communicating with the victim organization’s email server for more than a month.
There was repeated, high-volume communication between the server and the hackers’ malware, according to the analysis, which was published in January by threat intelligence firm Recorded Future. The report did not name ENTSO-E as the victim, but a source close to senior cybersecurity officials at multiple European electric utilities said the two incidents were the same.
ENTSO-E’s 42 members represent some of the largest utilities in Europe, coordinating to deliver a steady supply of electricity for European Union citizens. Data housed on ENTSO-E’s office network could be valuable to hackers looking to target individual utilities, although so far, there isn’t evidence of that happening.
“[T]he targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe,” the Recorded Future blog post says.
That report concludes that the unidentified hackers used an open-source remote access trojan known as Pupy RAT to communicate with the server from late November to at least Jan. 5.
It is unclear who is responsible for the breach. Pupy RAT has been used by multiple state-sponsored hacking groups. It is publicly available, meaning the malware alone isn’t enough to conclude who was responsible.
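The observable the Recorded Future analysis describes, repeated high-volume traffic between a mail server and a command-and-control host over weeks, is the kind of pattern a defender can hunt for in outbound connection logs. The following is an added example, not code from the article, Recorded Future, or ENTSO-E: it groups outbound connections by destination and flags flows whose inter-connection gaps are nearly constant, the classic "beaconing" signature of a remote access trojan checking in. The CSV log layout and every address, timestamp and byte count are constructed for the illustration.

```python
"""Flag periodic ("beaconing") outbound connections from a mail server.

Added illustration only: the log layout below is an assumption, and every
address, timestamp and byte count is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection records in an assumed CSV layout:
# timestamp,src_ip,dst_ip,dst_port,bytes_out
# 10.0.0.25 plays the mail server; 203.0.113.7 plays a C2 host (TEST-NET-3
# address), 198.51.100.10 a legitimate peer MX receiving normal mail.
SAMPLE_LOG = """\
# beacon-like traffic: near-constant 5-minute spacing, constant size
2020-01-05T08:00:00,10.0.0.25,203.0.113.7,443,1200
2020-01-05T08:00:10,10.0.0.25,198.51.100.10,25,5120
2020-01-05T08:01:00,10.0.0.25,198.51.100.10,25,880
2020-01-05T08:05:02,10.0.0.25,203.0.113.7,443,1200
2020-01-05T08:07:30,10.0.0.25,198.51.100.10,25,14300
2020-01-05T08:07:45,10.0.0.25,198.51.100.10,25,2210
2020-01-05T08:09:58,10.0.0.25,203.0.113.7,443,1200
2020-01-05T08:15:01,10.0.0.25,203.0.113.7,443,1200
2020-01-05T08:20:00,10.0.0.25,203.0.113.7,443,1200
2020-01-05T08:22:00,10.0.0.25,198.51.100.10,25,640
2020-01-05T08:24:59,10.0.0.25,203.0.113.7,443,1200
2020-01-05T08:30:03,10.0.0.25,203.0.113.7,443,1200
2020-01-05T08:35:00,10.0.0.25,203.0.113.7,443,1200
2020-01-05T08:40:00,10.0.0.25,198.51.100.10,25,9900
"""


def parse_log(lines):
    """Parse the assumed CSV layout into dicts; skip blanks and comments."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return records


def beacon_candidates(records, min_connections=6, max_cv=0.2):
    """Return flows whose connection spacing is suspiciously regular.

    A flow is (src, dst, dst_port). For each flow with at least
    min_connections events, compute the gaps between consecutive
    connections and their coefficient of variation (stdev / mean).
    Human-driven or mail traffic has bursty, irregular gaps (high CV);
    a RAT check-in timer produces a low CV even with small jitter.
    """
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["port"])].append(r)

    hits = []
    for (src, dst, port), rs in flows.items():
        if len(rs) < min_connections:
            continue
        times = sorted(r["ts"] for r in rs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "port": port,
                "connections": len(rs),
                "mean_interval_s": avg,
                "interval_cv": cv,
                "bytes_total": sum(r["bytes"] for r in rs),
                "first_seen": times[0].isoformat(),
                "last_seen": times[-1].isoformat(),
            })
    hits.sort(key=lambda h: h["interval_cv"])
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG.splitlines())):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} "
              f"{hit['connections']} conns every ~{hit['mean_interval_s']:.0f}s "
              f"(cv={hit['interval_cv']:.3f}, {hit['bytes_total']} bytes)")
```

On the constructed sample only the 203.0.113.7:443 flow is reported (eight connections at roughly 300-second spacing), while the irregular SMTP traffic to the peer MX is not. In practice the thresholds are tuned per environment, and a hit is a lead for triage, not a verdict: legitimate software updaters and monitoring agents also beacon, so the destination's reputation and the payload sizes are checked before escalating.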
An ENTSO-E spokesperson did not respond to multiple requests for comment on the Recorded Future analysis. On Monday, the spokesperson said the organization would not be commenting beyond its four-sentence statement.
Recorded Future declined to comment beyond the blog post.
“Recorded Future does not disclose victims without coordination and will not share additional details regarding this incident at this time,” company spokeswoman Rachel Adam said.
Many of the European utilities have issued statements emphasizing that the breach did not affect their operations, adding that they are continuing to investigate.