
Cyber Incident Victim: Holding Slovenske elektrarne

Date: Nov 2023

Location: Slovenia

Summary

A Slovenian power utility, the country's largest electricity producer, experienced a significant cyberattack involving a crypto ransomware virus that compromised its security and control systems, including fire alarms. The intrusion was initially detected mid-week, temporarily contained, then intensified days later, spreading across networks; however, no ransom demand occurred and critical electricity production remained unaffected. Internal teams, external experts, and government cybersecurity authorities responded to mitigate the incident, with law enforcement and national security agencies notified due to the utility's role in critical infrastructure responsible for approximately 60% of domestic power generation.


Description

The cyberattack on Holding Slovenske elektrarne (HSE), Slovenia's largest power utility, commenced on the night of Wednesday, 22 November 2023. Initial detection occurred during this period, with indications that the attack involved a crypto virus, a form of ransomware. Uroš Svete, director of the Government Information Security Office, confirmed the malware's presence but noted no ransom demand had been received by authorities as of the latest reports. Early assessments suggested the intrusion had been contained following its initial detection. However, the situation escalated significantly on the night of Friday, 24 November, when the infection began spreading beyond initial containment zones. According to unnamed sources cited by the news portal 24ur, attackers successfully penetrated HSE's security and control systems, as well as fire alarm infrastructure. The operational integrity of these systems was compromised, though Svete did not disclose whether specific files had been encrypted or the extent of data impact.

HSE activated its incident response protocol immediately upon detecting the attack, mobilizing both in-house technical teams and external cybersecurity experts. The Slovenian police and National Security Council were formally notified due to HSE's classification as critical national infrastructure, given its responsibility for approximately 60% of domestic electricity production through facilities like the Šoštanj thermal plant and hydro plants on the Drava, Sava, and Soča rivers. Throughout the response, authorities maintained that electricity generation and distribution remained unaffected, with no risk to supply. Svete emphasized that HSE followed established security protocols during containment efforts. The Government Information Security Office continuously monitored the situation but did not disclose technical specifics regarding attack vectors or remediation steps. No attribution to specific threat actors was provided in available reports, and the investigation into the attack's origins remained ongoing at the time of reporting.
