DESFA, one of Greece’s major natural gas operators, has suffered a breach at the hands of a ransomware gang.
DESFA is a natural gas transmission system operator established in 2007 as a subsidiary of DEPA, the natural gas supplier of Greece. In addition to the transmission system, DESFA operates Greece’s gas distribution networks and the Revithoussa LNG Terminal, which regasifies the liquefied natural gas shipped in by tankers.
Over the weekend, the company issued a statement saying, “DESFA suffered a cyberattack on part of its IT infrastructure by cybercriminals that have tried to gain illegal access to electronic data, with a confirmed impact on the availability of some systems and possible leakage of a number of directories and files.”
Gas supply remains unaffected in all entry and exit points of the country, according to the press release.
DESFA has enlisted the help of IT experts to investigate the cause of the attack and to restore affected systems as soon as possible.
“To protect our customers and partners we proactively deactivated most of our IT services and we are now gradually recovering our IT systems back to normal operation,” reads the statement.
As required by data protection laws, the natural gas operator has informed all relevant authorities and organizations to resolve the issue and minimize any impact.
The statement ends with the company adding that “DESFA remains firm in its position not to negotiate with cybercriminals,” which points to a ransomware operation.
Indeed, the Ragnar Locker ransomware crew has reportedly taken responsibility for the attack. According to a screenshot published by Bleeping Computer, the threat actors say DESFA’s security has “serious vulnerabilities” and that they’ve informed DESFA of these shortcomings, with no response yet from the natural gas supplier.
The hackers are threatening to publish files stolen in the attack if DESFA doesn’t cooperate – i.e. pay a ransom. It’s unclear what type of data was exfiltrated by Ragnar Locker in the attack. The extortion demands are also unclear at this point.
Ragnar Locker was first discovered in April 2020. Its threat actors use the well-known ‘double extortion’ tactic, in which the attackers first copy the victim’s sensitive data (for later extortion), then encrypt data on the victim’s end to freeze their operations.
Ragnar Locker threat actors sometimes use a specially designed virtual machine image during the payload execution stage in order to thwart anti-malware solutions.