- ELEXON employees are unable to access their communications and email server, following a cyber-attack.
- The firm hasn’t clarified what happened, but many believe this is the result of a ransomware attack.
- The electric load balancing firm was very likely using an outdated and vulnerable Pulse Secure VPN installation.
ELEXON has announced a cyberattack on its internal IT systems and is currently in the process of resolving the issue. The electricity balancing company, which is so crucial for the British market, is now unable to receive or send emails. Still, the company’s balancing (BSC) and EMR services remain up and running. If you absolutely need to contact them, you may do so by reaching out to an externally hosted help desk at 0370 010 6950 or via email to email@example.com.
Our internal IT systems have been impacted by a cyber-attack. BSC Central Systems and EMR are currently unaffected. Please note that we are currently unable to send or receive any emails. See more information here: https://t.co/yMgj5PF8PT. Apologies for any inconvenience.
— ELEXON UK (@ELEXONUK) May 14, 2020
We’re aware of a cyber attack on ELEXON’s internal IT systems. We’re investigating any potential impact on our own IT networks. Electricity supply is not affected. We have robust cybersecurity measures across our IT and operational infrastructure to protect against cyber threats. https://t.co/7R2NeIB57l
— National Grid ESO (@ng_eso) May 14, 2020
The company said on Twitter that the root cause of the IT trouble has been identified, but it has not provided any clarification on what happened. Judging by the effects, we could assume that only their email server was targeted, possibly in a catastrophic ransomware attack. Another potential cause of the loss of communications would be employees losing access to the VPN server through which they reach the firm’s internal network. This is precisely where things start to get interesting, even without ELEXON having provided actual details.
The list of vulnerable Pulse Secure VPN servers is freely available for authorized government CERT, CSIRT, and ISAC teams to review.
To obtain a report of vulnerable hosts, please fill out this form: https://t.co/vlS08kyQo2
— Bad Packets Report (@bad_packets) January 8, 2020
Recent scans conducted by “Bad Packets” indicated that ELEXON was using an outdated version of the Pulse Secure VPN server. The vulnerabilities that could be exploited to gain access to this server have been known since last summer, thanks to the work of “Devcore” researchers. However, ELEXON was registering as vulnerable on the scans until at least March 2020. Only yesterday, we wrote about the top 10 most exploited vulnerabilities that organizations should patch immediately, and “CVE-2019-11510”, which concerns the Pulse Connect Secure product, was at the top for 2020. We can’t tell for sure if ELEXON was still running an outdated Pulse Secure VPN installation, since the last scan from Bad Packets occurred over a month ago, but the pieces fit.
On a positive note, the UK may continue to enjoy electric power balancing services from ELEXON without any problems, so network segmentation has saved the day this time. However, private entities that play a critical role in public infrastructure and control the well-being of whole nations should be compelled to provide more information about what happened when security incidents occur. Finally, using outdated VPN products nine months after the discovery of the flaws, and after numerous warnings coming from all directions, doesn’t create a very good image for the company, no matter how you see it.