Skip to content

Search the site

UPDATED: Vestas hack latest: world's biggest wind turbine maker on its ransomware attack

Company says will share IOCs when investigation has made more headway

Vestas hack latest: Story first posted Monday November 22, updated November 29, 15:20

The world's biggest wind turbine manufacturer Vestas confirmed on Monday November 29 that an attack on its IT systems first identified on Friday evening (a typical time for an attack) on November 19 was indeed a ransomware attack, but that it has made almost a full recovery, exactly one week after first acknowledging that the attack had “impacted parts of Vestas’ internal IT infrastructure and that data has been compromised”.

The Danish company, which as of September 2021 had turbine orders and service agreements pending worth €47.3 billion (£39.6 billion) and which just reported a record quarter (revenues of €5.5 billion), last week noted that "there is no indication that the incident has impacted third party operations, including customer and supply chain operations." It said today that it is still investigating the extent of a data breach.

More positively, “Vestas’ manufacturing, construction and service teams have been able to continue operations, although several operational IT systems have been shut down as a precaution. Vestas has already initiated a gradual and controlled reopening of all IT systems,” it added at the time, in a report otherwise thin on details.

Today (November 29) Vestas in an update said: "Having conducted extensive investigations, forensics, restoration activities and hardening of our IT systems and IT infrastructure, we are pleased to announce that almost all systems are up and running" with Henrik Andersen, President and CEO adding: “We have been through some tough days since we discovered the cyber incident, and Executive Management and the Board of Directors are thus very pleased that the incident didn’t impact wind turbine operations and almost all of our IT systems are running again. There is still a lot of work ahead of us to and we must remain extremely diligent..."

"I would already now like to take this opportunity to thank our customers, employees and external partners for their understanding and extraordinary support in these challenging circumstances.”

The company continued: "Although Vestas is close to normal operations, the work and investigations are still ongoing. In that regard, Vestas maintains there is no indication that the event has impacted customer and supply chain operations, which is supported by the forensics investigation carried out with the assistance of third-party experts. The cyber incident, which our investigations indicate was ransomware, impacted Vestas’ internal systems and resulted in data being compromised. The extent to which data has been compromised is still being investigated, but for now it appears that the data foremost relates to Vestas’ internal matters.

Vestas hack latest: What do we know? Not a great deal yet, by choice...

The limited details it has shared suggest good resilience and network segmentation however.

Security is currently being led at Vestas by interim CISO Luise Bang, who took on the role in February 2021.

(The scale at which companies are being hit is colossal. According to the DCMS Cyber Security Breaches Survey published in March, 39% of all UK businesses (that’s 2.3 million) reported a cyber breach or attack in 2020/21.)

Vestas's Anders Riis, Vice President, Communications, told The Stack in a call: "We're not ready to confirm more details just yet while the investigation is ongoing. Of course we have a huge interest in making sure that what we are facing is not faced by any of our partners or any other company and are working with them [to share information on the incident]. We will certainly be sharing more details publicly, but I would rather under-promise and over-deliver on that front while the investigation is ongoing."

The company will aim to also publicly share IOCs when it can, he added.

When it comes to attacks in the UK, the NCSC noted in its most recent annual report that "while there are numerous entry points into a system, device or network, the NCSC has observed threat actors have been increasingly exploiting vulnerabilities in virtual private networks, unpatched software and using phishing emails.

"The most commonly used attack vectors by ransomware actors targeting the UK include:

  • RDP: Remote desktop protocol attacks are the most commonly exploited remote access tools used by ransomware hackers. Hackers use insecure RDP configurations collected through phishing attacks, data breaches or credential harvesting to gain initial access to the victim’s environment.
  • VPN: Since the shift in remote learning and working since the pandemic began, threat actors have been exploiting vulnerabilities present in Virtual Private Networks to take over the remote access. (There's no shortage of critical CVEs to choose from in some widely used VPNs, if IT teams don't patch regularly.)
  • Unpatched devices: Attackers are targeting unpatched software and hardware devices to gain access to the victim’s network. One example of this is the vulnerabilities in Microsoft Exchange Server that are known to have been used by persistent threat groups.

See also: The top 12 most exploited vulnerabilities of 2020/21

The US's CISA notes: "It is critical to maintain offline, encrypted backups of data and to regularly test your backups.  Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline as many ransomware variants attempt to find and delete any accessible backups."

Organisations should maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt, the agency emphasises in its own useful ransomware guide: "This entails maintaining image templates that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server. Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred.  Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images. In addition to system images, applicable source code or executables should be available (stored with backups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases."

Finally, organisations should aim to "create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident."

Follow The Stack on LinkedIn