
The incident occurred at its Eletronuclear subsidiary and was classified as a ransomware attack. It affected some of the administrative network servers and had no impact on operations at nuclear power plants Angra 1 and Angra 2.
Operations at the two plants are disconnected from the administrative network, for obvious security reasons, so the electricity supply to the National Interconnected System remained unaffected,
Upon detecting the attack, Eletronuclear suspended some of its systems to protect the integrity of the network. Together with the managed security services team, the company isolated the malware and restricted the effects of the attack.
The notification is scant on details and does not clarify whether the attack also doubles as a data breach, as it is common for ransomware operators to steal data from the victim network before deploying the encryption routine.
Copel leaks ahead
The attack is the work of the Darkside ransomware gang, which claims to have stolen more than 1,000GB of data and says that the cache includes sensitive infrastructure access information and personal details of top management and customers.
Hackers gained access to the company’s CyberArk solution for privileged access management and exfiltrated plaintext passwords across Copel’s local and internet infrastructure.
Darkside says that they have more than 1,000GB of sensitive data belonging to Copel, which contains network maps, backup schemes and schedules, domain zones for Copel’s main site, and the intranet domain.
They also claim to have exfiltrated the NTDS.dit file, the database that stores Active Directory (AD) data, which includes information about user objects, groups, group membership, and password hashes for all users in the domain.
Although the AD database does not hold plaintext passwords, there are tools that could crack the hashes offline or use them in so-called pass-the-hash attacks, where the hash functions as the password itself.
Darkside does not provide stolen data on their leak site. Instead, they set up a distributed storage system to host it for six months. Access to these caches is vetted by the gang members. This means that while Copel’s data is not freely available, third parties, including hackers, can easily get it.