Cyber Incident Victim: LTI Power Systems
Date: Feb 2020
Location: United States of America
Summary
A ransomware attack compromised a utility equipment supplier, resulting in the theft of sensitive operational documents including diagrams and schematics from two power plant facilities linked to a Missouri-based energy provider. The stolen data appeared on a ransomware server, but no customer information was exposed in the breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In late February 2020, ransomware attackers compromised LTI Power Systems, an Ohio-based equipment supplier for Ameren Missouri power plants. The attackers exfiltrated dozens of data files from the vendor's systems and subsequently published them on a dedicated ransomware server. The stolen data included technical documents such as equipment diagrams and schematics related to two specific Ameren Missouri facilities. This breach represented a supply chain attack targeting critical infrastructure support systems rather than directly penetrating utility networks. The incident timeline indicates initial system compromise occurred on or around February 1, 2020, with data appearing on the ransomware server approximately three weeks later. No evidence suggested the attackers accessed operational technology or control systems within Ameren's facilities themselves. The publication of stolen documents on the ransomware server confirmed the attackers' possession of sensitive technical specifications.

The compromised schematics and diagrams posed potential risks to physical security at Ameren Missouri's affected power generation facilities by exposing equipment layouts and technical specifications. As a third-party vendor breach, the incident demonstrated vulnerabilities in the utility sector's supply chain security practices. Ameren Missouri confirmed no customer information or personally identifiable data was involved in the compromise, limiting the primary impact to operational security concerns rather than privacy violations. Public disclosure occurred through specialized cybersecurity reporting outlets in March 2020, approximately one month after the data appeared on the ransomware server. The delayed public reporting suggests initial containment and assessment activities occurred during the intervening period between data publication and media coverage. Technical details regarding ransom demands, payment status, or specific malware variants used in the attack were not disclosed in available public reporting.
