Vestas Says Ransomware Attack Failed in Extortion but Leaked Data
More than two weeks after first saying that it had discovered a cyber security incident that involved external attackers illegally retrieving data from its systems, Danish wind turbine company Vestas is reporting that it has largely restored its systems. It is now preparing to notify affected parties within the next few days to the extent of the information that was exposed. Vestas says it has reasons to believe that the leaked data is mostly related to internal company matters.
Vestas reported on November 19 it detected the cyber security incident that it now admits was a ransomware attack. At the time, they said that IT systems were shut down across multiple business units and locations while they were working with internal and external teams and appropriate authorities to contain the attack and recover systems.
The incident the company says did not impact wind turbine operations. By the end of November, almost all its IT systems were running again.
“Vestas discovered an attack from a threat actor, which we are pleased to say failed in their attempt to extort Vestas,” said Henrik Andersen, President and Chief Executive Officer. “Unfortunately, the attackers did manage to steal data from Vestas, and that data has been illegally shared externally. To mitigate this situation, we are working hard to identify any leaked data and will collaborate with affected stakeholders and authorities.”
After retrieving the data from the IT systems, Vestas reports that the attackers have since threatened to publish the stolen data. “The investigations are still ongoing,” the company said in its December 6 update confirming, “the stolen data has been leaked by the attackers and potentially offered to third parties.”
The IT teams have been working around the clock conducting extensive investigations, forensics, restoration activities, and hardening of the IT systems and IT infrastructure. The investigation is exploring what personal data was affected and the company believes it will be in a position to begin shortly initiating communications to affected parties.