State-owned Queensland utility CS Energy has been enmeshed in a global ‘he-said, she-said’ after ransomware actors rebutted claims by the company’s CEO that state actors were not responsible for its recent compromise by ransomware.

Andrew Bills, CEO of the south-east Queensland energy company, argued in a recent statement that the company’s cybersecurity staff had moved quickly to counter the compromise, adding that there was “currently no indication that the cyber incident was a state-based attack.”

“We continue to progressively restore our systems and are working closely with cyber security experts and relevant state and federal agencies,” he said.

It was the company’s third public statement about a 27 November cybersecurity incident that hit its corporate network, driving mainstream media speculation that the company’s extensive power generation capabilities were threatened and millions of homes “almost impacted” by an attack that was quickly – and incorrectly – attributed to Chinese state actors.

Such attribution has become the de facto policy for many, given Australia’s fractious relationship with Beijing – yet the company’s denials, and the media’s attribution to China, were quickly rebuffed when Russia-linked ransomware group Wizard Spider, which is credited with creating the damaging Conti ransomware, listed CS Energy amongst its victims.

The Australian Cyber Security Centre (ACSC) seemed to corroborate the news, issuing an alert a day later confirming that the organisation “is aware of multiple instances of Australian organisations that have been impacted by Conti ransomware in November and December 2021” across multiple sectors.

“In addition to the encryption of data and subsequent impact to organisations’ ability to operate as usual, victims have had data stolen during incidents published by the ransomware actors, including personally identifiable information (PII).”

Critical industries on edge

Breathless reporting of ransomware attacks is muddying the ability to convey the truth about the real threat to Australia’s critical infrastructure, warned Ralph Langner, CEO of Langner Inc – an operational-technology security company known for analysing the game-changing Stuxnet malware – in a video tearing apart the coverage of the incident.

“You will always learn more about what did not happen than about the facts,” he said, pointing out that, despite media clamouring, the 3 million homes serviced by CS Energy were not ultimately affected by the breach – and a claimed 3500 MW of power was not taken out of the state’s electricity grid.

The company’s narrative – which included the claim the company “quickly took further assertive action to physically separate” the company’s operational network from its compromised corporate systems – actually suggested that CS Energy’s cyber security practices had been insufficient, according to Langner.

“This utility has the nerve to tell the public that just when the shit hit the fan, [its] network guys scrambled and segregated the networks so the operational networks in those two coal-fired plants were unaffected,” he explained.

“Obviously, it should have segregated those networks years ago.”

Whatever the long-term implications of the CS Energy breach, the fact that it happened at all reinforces a point long made by the Australian government, which pushed through “problematic” critical-infrastructure legislation late in November after deferring many aspects of its legislation amidst concerns about “compelling evidence” presaging “immediate cyber threats” against Australia’s critical industries.

Utilities, mining and other heavy industries are under constant attack by cybercriminals, with Verizon recording 546 incidents against companies in those sectors last year – including 355 incidents where data was confirmed to have been disclosed.

Security experts have warned that cyberattacks on industrial organisations will kill someone within the next few years – and Sophos global solutions engineer Aaron Bugal believes the focus on attribution of the CS Energy attack “acts as an unnecessary distraction from the underlying issues”.

“Cyberattacks have been in the limelight and headlines quite regularly, with people and organisations continuously looking to attribute attacks to specific cybercriminal organisations or nation states,” he said.

“We should avoid playing the blame game and direct efforts towards figuring out how it happened. Business leaders need to shift their focus from who is behind an attack, and move towards prioritising how it happened, and how to ensure it doesn’t happen again.”