Russia-linked ransomware group claims it was behind an attack on German renewables giant Nordex, forcing the company to shut down its IT systems.

Ransomware group Conti claims it was behind the cyberattack that knocked out Nordex at the end of March. While the claim is not yet verified, the group put Nordex’s name on its leak site.

In an earlier statement, Nordex said the company detected a cyber security incident on 31 March. Following security protocols, its security team shut down ‘various IT systems.’

Nordex says that its turbines continued to operate without restriction and that communication with grid operators was not affected by the incident. The company also disabled remote access from the Nordex Group IT infrastructure to protect customer assets.

“Preliminary results of the analysis suggest that the impact of the incident has been limited to internal IT infrastructure. There is no indication that the incident spread to any third-party assets or otherwise beyond Nordex’s internal IT infrastructure,” reads the statement.

Nordex SE is among the world’s largest wind turbine developers and manufacturers, with over 8,500 employees in its ranks.

The Conti group, believed to be based in Saint Petersburg, Russia’s second largest city, announced its “full support” for Vladimir Putin after Russia invaded Ukraine on 24 February.

“If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy,” the Conti blog post said.

A group insider dissatisfied with Conti’s stance on the war later began leaking sensitive Conti data, including internal chats, TrickBot source code, and even details unmasking its members.

The leak revealed that members of the ransomware group may have acted in Russia’s interest. Read in this light, the attack on Nordex might signal the group’s continuing attempts to work on Moscow’s behalf in a cyber conflict that started with the invasion of Ukraine.

Experts believe that the flood of ransomware attacks in 2021 could have been an attempt to test western critical infrastructure in preparation for a conflict.

Conti ransomware

Conti started operating in late 2019, and it runs the Conti.News data leak site. The group gets initial access through stolen RDP credentials and phishing emails with malicious attachments.

Experts believe that Conti attacks resemble tactics seen in nation-state attacks. The group also relies on human-operated intrusions rather than the increasingly popular automated ones. Conti attempts to find a buyer for stolen data before posting it on the leak site.

Conti’s victims include Ireland’s HSE, Volkswagen Group, and several US cities, counties, and school districts. Conti has been observed dwelling in victim networks for anywhere from a few days to several weeks before actually deploying ransomware.
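The two points above, initial access via stolen RDP credentials and a dwell time of days to weeks, translate directly into a detection use case. The following is an added defensive example, not code from the article or from Cybernews: a small Python detector that runs over constructed Windows logon records (modelled on the fields of Security event ID 4624, where logon type 10 is RemoteInteractive, i.e. RDP) and flags RDP logons from addresses outside assumed corporate ranges, as well as account/source-address pairs that do not appear in a baseline. The corporate ranges, the baseline, and every username, timestamp and address in the sample are constructed for illustration.

```python
"""Flag suspicious RDP (RemoteInteractive) logons in Windows Security events.

Added example, not from the article. The event lines are constructed to mimic
the fields of Windows event 4624; the corporate ranges and baseline are
assumptions for illustration and would come from configuration in practice.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Set, Tuple

# Assumed internal address ranges (constructed).
CORPORATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Windows 4624 LogonType 10 = RemoteInteractive (RDP / Terminal Services).
RDP_LOGON_TYPE = 10
SUCCESSFUL_LOGON = 4624


@dataclass(frozen=True)
class Logon:
    ts: datetime
    user: str
    src_ip: str
    logon_type: int
    event_id: int


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    src_ip: str
    reason: str


def parse_event(line: str) -> Logon:
    """Parse one constructed 'key=value' event line into a Logon record."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Logon(
        ts=datetime.fromisoformat(fields["ts"]),
        user=fields["user"],
        src_ip=fields["src"],
        logon_type=int(fields["type"]),
        event_id=int(fields["id"]),
    )


def is_external(ip: str) -> bool:
    """True if the address lies outside every assumed corporate range."""
    addr = ip_address(ip)
    return not any(addr in net for net in CORPORATE_RANGES)


def detect_rdp_anomalies(lines: Iterable[str],
                         baseline: Set[Tuple[str, str]]) -> List[Finding]:
    """Return findings for successful RDP logons that are either external
    or form an account/source pair never seen in the baseline window."""
    findings: List[Finding] = []
    seen = set(baseline)  # do not mutate the caller's baseline
    for line in lines:
        ev = parse_event(line)
        if ev.event_id != SUCCESSFUL_LOGON or ev.logon_type != RDP_LOGON_TYPE:
            continue  # only successful RemoteInteractive logons matter here
        if is_external(ev.src_ip):
            findings.append(Finding(ev.ts, ev.user, ev.src_ip,
                                    "rdp-from-external-address"))
        elif (ev.user, ev.src_ip) not in seen:
            findings.append(Finding(ev.ts, ev.user, ev.src_ip,
                                    "first-seen-account-source-pair"))
        seen.add((ev.user, ev.src_ip))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "ts=2022-03-28T09:02:11 id=4624 type=10 user=j.mueller src=10.20.1.15",
    "ts=2022-03-28T09:40:03 id=4624 type=2 user=a.schmidt src=10.20.1.16",
    "ts=2022-03-29T23:14:57 id=4624 type=10 user=svc-backup src=10.20.7.200",
    "ts=2022-03-30T02:31:40 id=4624 type=10 user=j.mueller src=203.0.113.45",
    "ts=2022-03-30T02:33:05 id=4625 type=10 user=admin src=203.0.113.45",
]

# Constructed baseline of known-good (user, source) RDP pairs.
BASELINE = {("j.mueller", "10.20.1.15")}


def run_sample() -> List[Finding]:
    """Run the detector over the constructed sample; returns two findings."""
    return detect_rdp_anomalies(SAMPLE_EVENTS, BASELINE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts.isoformat()} {f.user:<12} {f.src_ip:<15} {f.reason}")
```

Because the article puts Conti's dwell time at days to weeks, the baseline of known-good pairs should be built from a window that ends well before the suspected intrusion, and logon logs need to be retained for at least that long, otherwise the first stolen-credential logon has already aged out by the time ransomware is deployed.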

The group is believed to be based in Saint Petersburg, Russia’s second largest city. It is also speculated that the people behind Conti used to run another prominent ransomware cartel, Ryuk.

The group has been particularly active recently, with the FBI and CISA issuing a warning that Conti has carried out over 400 ransomware attacks aimed at stealing sensitive data.

As with many modern extortion gangs, Conti offers a Ransomware-as-a-Service (RaaS) package, selling its malware to affiliates. The core team takes 20-30% of a ransom payment, while the affiliates keep the rest of the loot.
