The Irish electricity transmission system operator EirGrid was targeted by a state-sponsored attack. EirGrid is the state-owned company that operates the electricity transmission grid across the Ireland, it also supplies the distribution network operated by ESB Networks that powers every electricity customer in the country.
According to the Independent.ie, a nation-state actor, using IP addresses sourced in Ghana and Bulgaria targeted the company. The hackers first gained access to a Vodafone network used by EirGrid in the UK in April, then they compromised the routers used by Irish operator in Wales and Northern Ireland.
The hackers were able to install “a virtual wire tap”, also known as Generic Routing Encapsulation (GRE) tunnel into Eirgrid’s Vodafone router located in Shotton. The GRE allowed them to access the unencrypted traffic sent to and from the companies.
According to the Independent.ie the hackers weren’t discovered at least for two months and the worst aspect of the story is that sources informed of the hack confirmed that it is still not known if any malware still present onto EirGrid’s control systems.
An attacker could be interested in hacking systems at the company to trigger a massive power outage across the country.
“Independent.ie has learned that the hack came to light after a tip-off from Vodafone and the National Cyber Security centre in the UK to EirGrid.” reported the Independent.ie.
“Vodafone discovered that there had been a breach on their Direct Internet Access (DIA) service which is internet provider to Eirgrid’s interconnector site in Shotton, Wales. The original breach took place on April 20 and lasted just short of seven hours.”
A source said that both Vodafone and the National Cyber Security Centre believe the attack was powered by a nation-state actor, while police services in Ireland and the UK do not believe that it was powered by foreign hackers.
Independent.ie discovered that all communications leaving the Eirgrid site and passing through the DIA router were “monitored and maybe interrogated” by a third party with direct access to the device.
At the time of this post, Vodafone is still investigating the volume of traffic transferred over the GRE tunnel.
“However it was able to tell the state supplier that all the compromised router devices had their firmware and files copied by the attackers.” state the Independent.
“A source said this allows the hackers to inspect the network configuration of Vodafone and “possibly launch a further more devious attack through some unknown vulnerabilities”.”
A further internal investigation revealed that the offices of the System Operator for Northern Ireland (SONI), that is wholly owned by EirGrid, were also exposed due to the cyber attack.
“At EirGrid Group, the security of our computer network and of the electricity control system is an utmost priority.” said David Martin, a spokesperson for EirGrid Group.
“We take all necessary steps to ensure that our systems are secure and protected and we remain vigilant to potential cyber threats, by continuously monitoring the external environment and by engaging with the relevant authorities.”
“It is EirGrid Group’s policy not to comment publicly on specific operational matters related to cyber security, however, we are aware of the currently reported focus on energy companies and national infrastructure and wish to state that our computer systems have not been breached.”
“Vodafone does not comment on specific security incidents. In such cases we always work closely with the relevant authorities to investigate and take immediate actions to contain the issue and protect our customers.” said a Vodafone spokesman.
(Security Affairs – Eirgrid, state-sponsored hacking)