Cyber Incident Victim: DESFA
Date:
Aug 2022
Location:
Greece
Summary
A Greek national gas operator was targeted in a ransomware attack by the Ragnar Locker group, leading to confirmed impacts on system availability and potential data leaks. The organization refused to negotiate with attackers, maintaining safe operations of critical natural gas infrastructure while deactivating most IT services for containment. Technical experts were engaged to investigate the root cause and support recovery efforts, with gradual restoration of affected systems underway. Authorities including law enforcement and data protection agencies were notified of the incident. This occurred amid broader concerns about ransomware targeting critical infrastructure globally, particularly industrial sectors in Europe.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On August 19, 2022, the Ragnar Locker ransomware group listed Greece’s national natural gas operator DESFA on its leak site, claiming the organization had not responded to its extortion demands. DESFA confirmed the cyberattack in a public statement on August 20, acknowledging unauthorized access to its IT infrastructure that caused confirmed disruptions to system availability and potential leakage of files and directories. The attack did not compromise the operational integrity of Greece’s National Natural Gas System (NNGS), which remained fully functional throughout the incident, ensuring uninterrupted gas supply across all national entry and exit points. DESFA immediately deactivated the majority of its IT services as a containment measure upon detecting the breach, initiating a phased restoration process while prioritizing the security of operational technology (OT) environments. The company explicitly refused to engage in negotiations with the attackers, emphasizing a policy of non-compliance with cybercriminal demands.
DESFA engaged external technical experts to investigate the root cause of the intrusion and support recovery efforts, collaborating with Greek law enforcement agencies, the Ministry of Digital Governance, and the Hellenic Data Protection Authority. The incident mirrored broader regional trends, as approximately 40% of ransomware attacks against industrial organizations in Q2 2022 targeted European entities according to industry reports. While DESFA’s operational resilience prevented physical disruptions, the compromise of IT systems necessitated deliberate reactivation procedures to avoid reintroducing vulnerabilities. The company did not disclose specifics regarding the volume or sensitivity of potentially exfiltrated data, nor did it provide additional public commentary beyond its initial statement. Recovery and forensic activities continued as DESFA maintained its focus on restoring IT functionality without jeopardizing the safety-critical NNGS infrastructure.