
Cyber Incident Victim: TenneT Holding B.V.

Date:

May 2023

Location:

Netherlands

Summary

TenneT suffered a data breach due to a zero-day vulnerability in the third-party MOVEit Transfer software it used for encrypted file transfers. Criminals associated with the Clop ransomware gang exploited this flaw to copy data that had been sent or received through the system. The company promptly shut down the application upon discovery and reported the incident to relevant Dutch and German authorities. An analysis was conducted to determine the sensitivity of the copied information, and affected parties were contacted.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around May 31, 2023, the Dutch-German electricity transmission system operator TenneT discovered it had fallen victim to a significant data leak. The incident was not a direct attack on TenneT's infrastructure but was instead the result of a compromise in third-party software utilized by the company. The software in question was MOVEit Transfer, a secure file transfer application developed by the supplier Progress Software Corporation, which TenneT employed for the encrypted sending and receiving of large files. The attackers exploited a zero-day vulnerability within the MOVEit Transfer application to gain unauthorized access to files residing on TenneT's server.


The discovery of the breach occurred on Wednesday, May 31. TenneT's own analysis indicated that the attackers were actively engaged in copying data from its MOVEit Transfer server at the time of detection. The immediate response from TenneT was to shut down the MOVEit system entirely to prevent any further unauthorized access or data exfiltration. Concurrently, TenneT notified the software supplier, Progress, of the security incident. The company moved swiftly to report the breach to the relevant authorities in both of the countries it operates within. In the Netherlands, notifications were made to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and the National Cyber Security Centre (NCSC). In Germany, the report was filed with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI). Furthermore, formal reports were also filed with the Dutch and German police forces.

The core of the attack involved the copying of data that had been sent or received using the MOVEit software. TenneT initiated a thorough analysis of all the data that was confirmed to have been exfiltrated to determine the sensitivity of the compromised information. This process was crucial for assessing the potential impact on individuals and other entities. The company stated that it would directly contact companies and individuals whose sensitive, particularly privacy-sensitive, information may have been copied as a result of the breach. Where deemed necessary, TenneT also committed to taking appropriate measures in response to the nature of the data exposed. As part of its communication regarding the incident, TenneT advised potentially affected parties to be cautious and vigilant, directing them to general cybersecurity guidance published by the Dutch NCSC and information on data breaches from the Dutch Data Protection Authority.

The threat actors behind this attack were identified as the cybercriminal group associated with the Clop ransomware. Their modus operandi did not involve encrypting TenneT's systems for ransom in this instance but instead focused solely on data theft. The group exploited a zero-day vulnerability in the MOVEit Transfer application as part of a widespread campaign targeting numerous organizations globally that used the software. Their tactic was to exfiltrate databases containing personal information and then issue extortion demands, threatening to publish the stolen data on their own website if victims refused to pay. TenneT's incident was part of this larger wave of attacks that affected many large companies and organizations worldwide, including other major Dutch firms such as TomTom, which confirmed it had also been affected a day after TenneT's disclosure.

In the aftermath of the initial containment, TenneT continued its investigation into the broader circumstances of the breach. This included an internal review to understand why certain data had been stored on the MOVEit server for an extended period, potentially increasing the scope of the information accessible to the attackers. The company also proceeded with its duty to inform those impacted by the data leak, issuing formal notification letters to individuals whose personal data was determined to have been compromised. The incident highlighted the significant supply chain risks posed by vulnerabilities in third-party software solutions upon which critical infrastructure operators rely for essential business functions. The response encompassed immediate technical containment, comprehensive forensic analysis, full regulatory compliance, and law enforcement engagement, all conducted in coordination with authorities across two national jurisdictions.

Sources: 2 sources (available to members)