Cyber Incident Victim: Creos Luxembourg S.A.

Date: Jul 2022

Location: Luxembourg

Summary

A ransomware attack by the BlackCat gang targeted a European natural gas pipeline and electricity network operator, causing customer portals to become unavailable but not disrupting energy services. The attackers exfiltrated approximately 180,000 files totaling 150 GB, including sensitive documents such as contracts, passports, and emails, and later threatened to publish the stolen data. BlackCat, linked to the earlier DarkSide and BlackMatter operations as a rebrand, has shifted focus to European entities while continuing to compromise critical infrastructure despite law enforcement scrutiny. The operator's parent company acknowledged data theft but could not immediately determine the full scope of the breach, advising customers to monitor for updates via a dedicated incident webpage.


Description

On July 25, 2022, Encevo S.A., the parent company of Creos Luxembourg S.A., publicly disclosed a cyberattack that occurred between July 22 and July 23, 2022, targeting its subsidiary operating natural gas pipelines and electricity networks across Luxembourg. The attack disrupted customer portals for both Encevo and Creos, rendering them inaccessible, though core energy delivery services remained operational without interruption. Three days later, on July 28, Encevo provided an update confirming that attackers had successfully exfiltrated "a certain amount of data" from compromised systems but could not yet determine the full scope or specific contents of the stolen information. The company established a dedicated webpage for future updates and requested patience from customers while investigations continued, promising personalized notifications once impact assessments were complete.

The ALPHV/BlackCat ransomware group claimed responsibility for the attack on July 30, 2022, listing Creos on its extortion site and threatening to publish 180,000 files totaling 150 GB of stolen data, including contracts, agreements, passports, bills, and email communications. BlackCat announced the data would be released on August 1, 2022, though no precise timing was specified. In response to the breach, Encevo advised all customers to reset credentials used for their online accounts with both Encevo and Creos, extending the recommendation to any external platforms where identical passwords were reused. The incident marked another instance of BlackCat targeting European critical infrastructure, following prior attacks on entities like German fuel distributor Oiltanking in February 2022. BlackCat, identified by cybersecurity analysts as a rebrand of the DarkSide/BlackMatter operations responsible for the Colonial Pipeline attack, shifted focus to European victims after November 2021 but continued attacking high-profile energy sector organizations despite law enforcement scrutiny. Encevo maintained its service infrastructure throughout the incident while working to restore customer portal functionality and assess data exposure.
