“ELEXON” Announced Security Incident but Crucial Services Remain Up

Written by Bill Toulas
Last updated June 14, 2024

ELEXON has announced a cyberattack on its internal IT systems, and they are currently in the process of resolving the issue. The electricity energy balancing company that is so crucial for the British market is now unable to receive or send emails. Still, the company's balancing (BSC) and EMR services remain up and running. If you absolutely need to contact them, you may do so by reaching out to an externally hosted help desk at 0370 010 6950 or via email to [email protected].

The company said on Twitter that the root cause of the IT trouble was identified, but they have not provided any clarification on what happened. Judging by the effects, we could assume that only their email server was targeted, possibly in a catastrophic ransomware attack. Another potential cause of the loss of communications would be employees losing access to the VPN server through which they can access the firm’s internal network. This is precisely where things start to get interesting, even without ELEXON having provided actual details.

Recent scans conducted by “Bad Packets” indicated that ELEXON was using an outdated version of the Pulse Secure VPN server. The vulnerabilities that could be exploited to gain access to this server have been known since last summer, thanks to the work of “Devcore” researchers. However, ELEXON was registering as vulnerable on the scans until at least March 2020. Only yesterday, we wrote about the top 10 most exploited vulnerabilities that organizations should patch immediately, and “CVE-2019-11510”, which concerns the Pulse Connect Secure product, was at the top for 2020. We can’t tell for sure if ELEXON was still running an outdated Pulse Secure VPN installation, since the last scan from Bad Packets occurred over a month ago, but the pieces fit.

On a positive note, the UK may continue to enjoy electric power balancing services from ELEXON without any problems, so network segmentation has saved the day this time. However, private entities that play a critical role in the public infrastructure and control the well-being of whole nations should be compelled to provide more information about what happened when security incidents occur. Finally, using outdated VPN products nine months after the discovery of the flaws and after numerous warnings coming from all directions doesn’t create a very good image for the company, no matter how you see it.
