[BreachExchange] Colorado energy company loses 25 years of data after cyberattack while still rebuilding network

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Dec 3 10:08:31 EST 2021


https://www.zdnet.com/article/colorado-energy-company-loses-25-years-of-data-after-cyberattack-still-rebuilding-network/


Colorado's Delta-Montrose Electric Association (DMEA) is still struggling
to recover from a devastating cyberattack last month that took down 90% of
its internal systems and caused 25 years of historical data to be lost.

In an update sent to customers this week, the company said it expects to be
able to begin accepting payments through its SmartHub platform and other
payment kiosks during the week of December 6.

"We also tentatively estimate we will be able to resume member billing the
week of December 6 - 10. We recognize this will result in members receiving
multiple energy bills close together. As a reminder, we will not disconnect
services for non-payment or assess any penalties through January 31, 2022,"
the company said on a page that has been updated repeatedly over the last
month.

The company said it began noticing issues on November 7, and the
cyberattack eventually brought down most of its internal network services.
The attack affected all of the company's support systems, payment
processing tools, billing platforms and other tools provided to customers.

DMEA said the attackers targeted specific parts of the company's internal
network and corrupted saved documents, spreadsheets, and forms, a pattern
consistent with a ransomware incident, although the company has not used
that term.

The attack even affected the company's phone and email systems, but DMEA
said the power grid and fiber network were not touched during the attack.

The energy company hired cybersecurity experts to investigate the incident,
but the utility was still struggling to recover nearly a month later.

"We are currently operating with limited functionality and are focused on
completing our investigation and restoring services as efficiently,
economically, and safely as possible. We are committed to restoring our
network and getting back to normal operations, but that will take time and
requires a phased approach," the company explained.

DMEA set up temporary payment arrangements to cope with the outages and
has suspended all penalty fees and disconnections for non-payment through
January 31, 2022.

Despite the damage to its systems, DMEA said no sensitive customer or
employee data was breached. It must now rebuild those systems through what
it calls a "phased restoration approach."

DMEA CEO Alyssa Clemsen Roberts said the impact on their systems was
"extensive" and that a good portion of their saved data, such as forms and
documents, was corrupted.

"The path to full restoration will take time, and it may result in many of
our members receiving back-to-back energy bills. With colder weather
approaching and the holiday season already here, we recognize this incident
has come at an unfortunate time," Roberts said.

"This isn't how we hoped to close out the year, and on behalf of all of us
at DMEA, I am grateful for your patience, support, and understanding as we
navigate this incident."

Saryu Nayyar, CEO at cybersecurity firm Gurucul, said utilities tend to
have complex networks that often commingle enterprise operations with
mission control.

"It's a bit of a surprise that we haven't seen more attacks on public
utilities, but there is no question that more are coming," Nayyar
explained.

The headline-grabbing ransomware attack on Colonial Pipeline earlier this
year involved similar issues. The intrusion was confined to the company's
business IT network, but Colonial halted pipeline operations as a
precaution, so the operational side was disrupted as well.

SecurityGate CISO Bill Lawrence added that, while the term 'ransomware'
does not appear in any of the reporting or in DMEA's own account of
events, a large portion of the company's data was corrupted and its
internal phone system went down too.

"It will be interesting to learn a motive behind this attack if there are
no ransom demands," Lawrence said. "Co-ops are owned by their local
communities, so the local folks will be dealing with increased costs due to
response and recovery from the attack."