Cyber Incident Victim: Sargent & Lundy

Date: Oct 2022

Location: United States of America

Summary

A ransomware attack compromised a US engineering firm specializing in critical infrastructure projects, resulting in the theft of sensitive data including model files and transmission data used for utility designs. The incident, involving Black Basta ransomware, was contained with minimal operational disruption, and no evidence indicated the stolen information was published on dark web platforms. Law enforcement was notified, though the firm declined to disclose details on potential extortion attempts. Security experts expressed concerns that such stolen schematics could facilitate physical or cyberattacks on power facilities, particularly amid recent physical vandalism targeting electrical infrastructure. The firm's role in nuclear security projects for government agencies heightened sensitivity around the breach, highlighting broader supply chain risks as contractors face differing cybersecurity standards compared to regulated utilities.

Description

In October 2022, Chicago-based engineering firm Sargent & Lundy suffered a ransomware attack compromising data from multiple electric utility clients. The attackers deployed Black Basta ransomware, a strain first observed in early 2022 that typically exfiltrates victim data to pressure ransom payments. The breach exposed sensitive project files including transmission data and model files used in designing power infrastructure. Sargent & Lundy, which had designed over 900 power stations and thousands of miles of power systems, also handled nuclear security contracts for the Departments of Defense and Energy. Federal investigators and the Electricity Information Sharing and Analysis Center (E-ISAC) monitored the incident for potential cascading effects on the power sector, while private security teams scanned dark web channels for signs of the stolen data. The company contained and remediated the attack with no significant disruption to business operations, according to internal assessments.

Sargent & Lundy notified law enforcement but declined to disclose whether hackers issued ransom demands, citing an active investigation. No stolen data appeared on dark web forums as of December 2022, per E-ISAC’s memo to utility executives. Security experts expressed concern that leaked schematics of grid equipment like programmable logic controllers could enable physical or cyberattacks against power facilities, particularly following unrelated substation vandalism incidents in North Carolina and Washington that caused widespread outages. The incident highlighted regulatory gaps, as utility contractors like Sargent & Lundy aren’t held to mandatory federal cybersecurity standards required of electric utilities themselves, instead relying on contractual security terms. Federal officials treated the breach as part of a broader ransomware epidemic affecting critical infrastructure, urging increased information sharing between private firms and government agencies during such incidents.
