Slovenia's largest power provider HSE hit by ransomware attack

Slovenian power company Holding Slovenske Elektrarne (HSE) has suffered a ransomware attack that compromised its systems and encrypted files, yet the company says the incident did not disrupt electric power production.

HSE is Slovenia's largest power generation company, accounting for roughly 60% of domestic production, and it is considered critical infrastructure in the country.

Founded in 2001 by the Government of Slovenia and owned by the state, the firm operates several hydroelectric, thermal, and solar power plants as well as coal mines across the country, while it also owns subsidiaries in Italy, Serbia, and Hungary.

As first reported by local news outlet 24ur.com on Saturday, HSE suffered a ransomware attack last Wednesday, with the company finally containing it on Friday, November 24.

The Director of the Information Security Office, Uroš Svete, told the media that all power generation operations remained unaffected by the large-scale cyber attack. Still, IT systems and files were "locked" by the "crypto virus."

The organization immediately informed the National Office for Cyber Incidents at Si-CERT and the Ljubljana Police Administration and engaged with external experts to mitigate the attack and prevent the virus from spreading to other systems across Slovenia.

So far, the organization has not received a ransom demand but stated that it might be too early for this, so they remain on high alert as system cleanup is still underway.

Today, Uroš Svete has issued a joint statement with the General Manager of HSE, Tomaž Štokelj, assuring the public that the situation is under control and that no operational disruption or significant economic damage is expected due to this incident.

According to the spokespersons, the impairment is limited to the websites of Šoštanj Thermal Power Plants and the Velenje Coal Mine.

Finger pointed at Rhysida

Unofficial information shared with local media attributes the attack to the Rhysida ransomware gang, which has been active lately, prompting the FBI and CISA to issue a warning highlighting the group's TTPs (Techniques, Tactics, and Procedures).

If Rhysida is behind the attack, it would also explain why HSE is stating they did not receive a ransom demand, as Rhysida ransom notes only contain an email address to contact the threat actors without specifying any monetary demands.

Reportedly, the ransomware operators breached HSE by stealing passwords for HSE's systems from an unprotected cloud storage instance.

BleepingComputer could not verify this information and has contacted HSE for a statement on the allegations, and we are still waiting for a response.

Rhysida first launched in May 2023, quickly targeting organizations in high-profile attacks, including ones on the Chilean Army, Prospect Medical, and the British Library.

The threat actors' attacks on healthcare prompted the U.S. Department of Health and Human Services (HHS) to issue an advisory warning about the ransomware gang.

More recently, Rhysida listed a Chinese state-owned electric power conglomerate on its data leak site, auctioning allegedly stolen data for 50 BTC ($1,840,000).