Officials say HSE cyberattack situation under control

Ljubljana, 26 November - As cyber security experts continued their work on Sunday to resolve the situation following a cyber attack on HSE, Slovenia's largest power utility, officials said the situation was under control and that there appeared to be no major damage, but they could not yet pinpoint the source of the incident.

The Šoštanj thermal plant (TEŠ).
Photo: Bor Slana/STA

In a statement to some media outlets, HSE general manager Tomaž Štokelj said he was pleased with the work done by the in-house services and several external experts in resolving the situation.

"Based on what we've seen we can be optimistic that there will be no major consequences both in terms of system security and the impact on the company's business performance," he said.

He added, though, that it was too early to draw definitive conclusions. However, the operational system, which serves as a control system for the operation of the power plants, is functional to a large extent, he said.

Connections with the national grid operator ELES are also being established so that all services will be able to resume. "We're planning to establish that relatively soon," he said in the afternoon. Key business system functions are also being restored.

"We expect the company's core business to be able to operate normally tomorrow and we do not expect any major damage to business from the incident," Štokelj added. He expects key systems to be up and running in the next few days.

Uroš Svete, director of the Government Information Security Office, said the country's cyber defence stakeholders coordinated today to prevent the potential spread of the incident to other systems in the country.

"I believe that the process itself, both the detection of the incident itself and the reporting and engagement of all actors, at expert, technical, company and the level of state authorities, has been appropriate and in line with the national cyber incident response plan. So, in reality, at the moment, the situation in this case is under control," Svete said.

Based on the data so far, it is not yet possible to say what the source of the incident was. The Government Information Security Office has also not received any information about any demand for ransom, according to Svete.

However, he said the fact that access to data has been limited indicates it could ultimately lead to blackmail of the company itself.

"It's important to remember that such communication is not launched immediately by the attackers. It also depends very much on when and how the victim perceives such attacks," he added.

Svete confirmed yesterday that the attack involved a crypto virus, a type of ransomware that locks files. The cyberattack started on Wednesday night and escalated on Friday night before HSE informed the public about it on Saturday.

Today, he noted that while it may seem that the attacks happened a day or two ago, in reality they are looking for causes much further back in time.

The information gathered so far, including from HSE, suggests the attack was carried out from the outside, as there is no indication of a possible attack from the inside. "From this point of view, it's a pretty classic cyber incident," Svete said.

"HSE group power plants operate smoothly, Slovenia's electricity supply remains safe and reliable," the company and the Government Information Security Office repeated on Sunday in a joint press release.

HSE operates the Šoštanj thermal plant, which accounts for around a third of domestic electricity production, as well as chains of hydro plants on the Drava, the Sava and the Soča. The group accounts for roughly 60% of domestic electricity production.

© STA, 2023