
Lynx Ransomware Breach Targets Romania's Electrica Group


The Romanian National Cybersecurity Directorate (DNSC) has confirmed that the Lynx ransomware gang successfully breached Electrica Group, a leading electricity supplier in Romania.

About Electrica Group

Electrica Group, initially part of the National Electricity Company (CONEL) in 1998, became an independent entity in 2000. Since 2014, it has been publicly traded on the London and Bucharest stock exchanges. With a customer base exceeding 3.8 million across Muntenia and Transylvania, Electrica provides electricity, maintenance, and other energy services.

On Monday, Electrica informed investors of an ongoing ransomware attack under investigation by national cybersecurity authorities. Romania's Energy Minister, Sebastian Burduja, assured the public that SCADA and other critical systems remained unaffected, and that precautionary measures had been taken to keep them that way.

Details of the Breach

DNSC identified the Lynx ransomware gang as the attackers and released a YARA detection script for organizations to identify potential compromises. In a statement, DNSC emphasized: "Based on available data, critical power supply systems have not been affected and are operational. The investigation is currently ongoing. In the event of a ransomware infection, the Directorate strongly recommends that no one pay the ransom requested by the attackers."

DNSC urged entities in the energy sector to proactively scan their IT infrastructure for malware using the provided YARA script, even if not directly impacted: "DNSC recommends that all entities, especially those in the field of energy... scan their own IT&C infrastructure for malicious binary (encryptor) using the YARA scan script."
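For teams acting on that recommendation, the practical question is how to run a supplied YARA rule across many hosts and turn the raw matches into something an incident responder can act on. The script below is an added example written for this post; it is not DNSC's scan script (which is not reproduced here), and the rule filename `dnsc_lynx_encryptor.yar` and the rule name `lynx_encryptor_constructed` are placeholders. It wraps the standard `yara -r` command-line scan, parses its default `rule_name path` output (splitting on the first space only, so paths containing spaces survive), and enriches each hit with the file's SHA-256 and size so the result can be shared with the national CERT as an IoC record. The `demo()` function exercises the parsing and enrichment on a constructed sample file without needing the `yara` binary.

```python
"""Run a YARA rule file (e.g. a CERT-provided encryptor rule) over a directory
tree and turn the matches into a hashed incident-response record.

Added example for this post, not DNSC's own script. RULE_FILE and the rule
name used in demo() are hypothetical placeholders."""
import hashlib
import json
import os
import shutil
import subprocess
import tempfile
from dataclasses import dataclass, asdict
from typing import List, Tuple

RULE_FILE = "dnsc_lynx_encryptor.yar"  # placeholder: path to the CERT-provided rule file


@dataclass
class Finding:
    rule: str
    path: str
    sha256: str  # empty string if the file vanished or was unreadable
    size: int    # -1 in the same case


def parse_yara_output(output: str) -> List[Tuple[str, str]]:
    """Parse default `yara` CLI output: one 'rule_name path' line per match.

    YARA rule identifiers cannot contain spaces, so splitting on the first
    space keeps file paths that themselves contain spaces intact."""
    pairs = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        rule, _, path = line.partition(" ")
        if rule and path:
            pairs.append((rule, path))
    return pairs


def sha256_of(path: str) -> str:
    """Stream-hash a file so large binaries do not have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def enrich(pairs: List[Tuple[str, str]]) -> List[Finding]:
    """Attach hash and size to each (rule, path) match.

    A match is kept even if the file cannot be read afterwards: an encryptor
    that deletes itself between scan and hashing is still worth recording."""
    findings = []
    for rule, path in pairs:
        try:
            findings.append(Finding(rule, path, sha256_of(path), os.path.getsize(path)))
        except OSError:
            findings.append(Finding(rule, path, "", -1))
    return findings


def run_yara(rule_file: str, root: str) -> List[Finding]:
    """Invoke the yara CLI recursively over `root` and return enriched findings."""
    if shutil.which("yara") is None:
        raise RuntimeError("yara CLI not found on PATH")
    proc = subprocess.run(["yara", "-r", rule_file, root],
                          capture_output=True, text=True, check=False)
    # yara writes matches to stdout; compile errors and warnings go to stderr.
    if proc.returncode != 0:
        raise RuntimeError(f"yara failed: {proc.stderr.strip()}")
    return enrich(parse_yara_output(proc.stdout))


def to_report(findings: List[Finding], host: str) -> str:
    """Serialize findings as JSON for hand-off to IR or the national CERT."""
    return json.dumps({"host": host, "matches": [asdict(f) for f in findings]}, indent=2)


def demo() -> List[Finding]:
    """Exercise parsing and enrichment on a constructed sample (no yara needed)."""
    sample = b"MZ constructed sample, not malware\n"  # constructed, harmless bytes
    with tempfile.TemporaryDirectory() as d:
        hit = os.path.join(d, "Program Files", "svc host.exe")  # path with spaces
        os.makedirs(os.path.dirname(hit))
        with open(hit, "wb") as f:
            f.write(sample)
        gone = os.path.join(d, "deleted.exe")  # matched, then removed by the time we hash
        # Constructed stand-in for `yara -r` stdout, using a placeholder rule name.
        fake_output = f"lynx_encryptor_constructed {hit}\nlynx_encryptor_constructed {gone}\n"
        return enrich(parse_yara_output(fake_output))


if __name__ == "__main__":
    print(to_report(demo(), host="example-host"))
```

On a real host the entry point is `run_yara(RULE_FILE, "C:\\")` or `run_yara(RULE_FILE, "/")` and `to_report(...)` on the result; the hashes let matches across the fleet be correlated to a single encryptor build before anyone touches the files.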

Background on Lynx Ransomware

The Lynx ransomware operation has been active since July 2024, with over 78 victims listed on its data leak site. Its targets include U.S. facilities and more than 20 entities in the energy, oil, and gas industries, attacked between July and November 2024.

Investigations indicate that Lynx operators use an encryptor tied to the INC Ransom malware source code, reportedly sold on underground forums for $300,000. Cybersecurity experts speculate this could be a rebranding tactic to evade legal scrutiny.

Earlier analyses by BleepingComputer found similarities between Lynx ransomware and recent INC encryptors through string analysis. Since its emergence as a ransomware-as-a-service (RaaS) operation in July 2023, INC Ransom has targeted sectors including education, healthcare, government, and industry, affecting organizations like Yamaha Motor Philippines, Scotland’s NHS, and Xerox Business Solutions’ U.S. division.

Lynx’s Response to the Electrica Attack

The Lynx gang has not publicly claimed responsibility for the Electrica breach or listed the company on its data leak site. This could suggest that attackers are either pressuring Electrica for ransom or have yet to establish contact.

Romania’s Broader Cybersecurity Challenges

This attack comes during a turbulent period for Romania, marked by political and cybersecurity challenges:

  • Earlier this year, the Constitutional Court annulled presidential election results, citing interference via a Russia-linked TikTok influence campaign.
  • Romania's Intelligence Service (SRI) declassified a report revealing over 85,000 cyberattacks on the country's election infrastructure during the election period.
  • In February, a ransomware attack disrupted over 100 hospitals nationwide, forcing systems offline and significantly impacting healthcare services.

Implications for the Energy Sector

While SCADA systems were not impacted in the Electrica breach, the incident underscores the increasing vulnerability of critical infrastructure to ransomware attacks. Organizations in the energy sector must bolster defenses by:

  • Proactively scanning for malware using tools like YARA scripts.
  • Implementing comprehensive incident response plans.
  • Ensuring robust employee training to mitigate phishing and social engineering risks.

The Electrica breach highlights the need for vigilance and resilience as cybercriminals continue to target essential services.