Updated November 25: Vestas declined to provide a further update at this stage, saying that it will “disclose information in a manner that provides transparency, but doesn’t compromise our ability to deal with the full scope of the cyber incident.”
The world’s biggest wind turbine manufacturer Vestas said Monday that an attack on its IT systems, first identified on Friday evening (the weekend being a favourite time for cybercriminals to strike), has “impacted parts of Vestas’ internal IT infrastructure and that data has been compromised”.
The Danish company, which as of September 2021 had turbine orders and service agreements pending worth €47.3 billion (£39.6 billion) and which has just reported a record quarter (revenues of €5.5 billion), said: “There is no indication that the incident has impacted third party operations, including customer and supply chain operations.”
More positively, “Vestas’ manufacturing, construction and service teams have been able to continue operations, although several operational IT systems have been shut down as a precaution. Vestas has already initiated a gradual and controlled reopening of all IT systems,” it added, in a report otherwise thin on details.
Vestas hack latest: What do we know? Not a great deal yet, by choice…
The limited details it has shared do, however, suggest good resilience and network segmentation.
Security is currently being led at Vestas by interim CISO Luise Bang, who took on the role in February 2021.
(The scale at which companies are being hit is colossal. According to the DCMS Cyber Security Breaches Survey published in March, 39% of all UK businesses (that’s 2.3 million) reported a cyber breach or attack in 2020/21.)
Vestas’s Anders Riis, Vice President, Communications, told The Stack in a call: “We’re not ready to confirm more details just yet while the investigation is ongoing. Of course we have a huge interest in making sure that what we are facing is not faced by any of our partners or any other company and are working with them [to share information on the incident]. We will certainly be sharing more details publicly, but I would rather under-promise and over-deliver on that front while the investigation is ongoing.”
The company also aims to share IOCs (indicators of compromise) publicly when it can, he added.
When it comes to attacks in the UK, the NCSC noted in its most recent annual report that “while there are numerous entry points into a system, device or network, the NCSC has observed that threat actors have been increasingly exploiting vulnerabilities in virtual private networks, unpatched software and using phishing emails.
“The most commonly used attack vectors by ransomware actors targeting the UK include:
- RDP: Remote desktop protocol attacks are the most commonly exploited remote access tools used by ransomware hackers. Hackers use insecure RDP configurations collected through phishing attacks, data breaches or credential harvesting to gain initial access to the victim’s environment.
- VPN: Since the shift to remote learning and working when the pandemic began, threat actors have been exploiting vulnerabilities present in Virtual Private Networks to take over the remote access. (There’s no shortage of critical CVEs to choose from in some widely used VPNs, if IT teams don’t patch regularly.)
- Unpatched devices: Attackers are targeting unpatched software and hardware devices to gain access to the victim’s network. One example of this is the vulnerabilities in Microsoft Exchange Server that are known to have been used by persistent threat groups.”
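The RDP vector the NCSC describes above is one that defenders can usually see in their own logs before a ransomware payload ever runs: a burst of failed remote-interactive logons from one source, sometimes followed by a success. The following script is an added example written for this article, not code from Vestas, the NCSC or The Stack. It runs over a constructed set of Windows Security event records (event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP); the IP addresses, usernames and timestamps are made up, and the threshold and window are assumptions a SOC would tune to its own environment.

```python
"""Flag likely RDP credential attacks from constructed Windows Security log records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields mirror what a SIEM
# would extract from Windows Security events 4624/4625.
SAMPLE_EVENTS = [
    {"time": "2021-11-19T22:01:03", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2021-11-19T22:01:41", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2021-11-19T22:02:10", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"},
    {"time": "2021-11-19T22:02:55", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "203.0.113.7"},
    {"time": "2021-11-19T22:03:30", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "203.0.113.7"},
    {"time": "2021-11-19T22:04:12", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "203.0.113.7"},
    {"time": "2021-11-19T22:05:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "203.0.113.7"},
    # A second source with only two failures: below threshold, no alert.
    {"time": "2021-11-19T22:03:00", "event_id": 4625, "logon_type": 10, "user": "svc", "src_ip": "198.51.100.4"},
    {"time": "2021-11-19T22:09:00", "event_id": 4625, "logon_type": 10, "user": "svc", "src_ip": "198.51.100.4"},
    # Local console logon (type 2): not RDP, ignored by the detector.
    {"time": "2021-11-19T22:04:00", "event_id": 4624, "logon_type": 2, "user": "jdoe", "src_ip": "10.0.0.5"},
]

# Assumed tuning values; real deployments pick these per environment.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP that accumulates `threshold` failed RDP
    logons inside a sliding `window`. If a successful RDP logon from the same
    source follows while failures are still inside the window, the alert
    records which account succeeded: that is the case to treat as a probable
    compromise rather than noise."""
    rdp = sorted((e for e in events if e["logon_type"] == 10), key=lambda e: e["time"])
    by_src = defaultdict(list)
    for e in rdp:
        by_src[e["src_ip"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        recent_fails = []  # timestamps of failures still inside the window
        for e in evs:
            t = datetime.fromisoformat(e["time"])
            recent_fails = [f for f in recent_fails if t - f <= window]
            if e["event_id"] == 4625:
                recent_fails.append(t)
                if len(recent_fails) >= threshold:
                    alert = alerts.setdefault(src, {"src_ip": src, "failures": 0, "success_user": None})
                    alert["failures"] = max(alert["failures"], len(recent_fails))
            elif e["event_id"] == 4624 and src in alerts and recent_fails:
                alerts[src]["success_user"] = e["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The detector keys on logon type 10 so that console and service logons do not inflate the count, and it alerts once per source rather than once per failure, which is what an analyst wants when triaging. The natural follow-up in a real environment is to confirm RDP is not exposed to the internet at all, and to require MFA on whatever remote-access gateway replaces it.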
The US’s CISA notes: “It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline as many ransomware variants attempt to find and delete any accessible backups.”
Organisations should maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt, the agency emphasises in its own useful ransomware guide: “This entails maintaining image templates that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server. Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred. Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images. In addition to system images, applicable source code or executables should be available (stored with backups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.”
Finally, organisations should aim to “create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.”