Cyber Incident Victim: Elexon
Date: May 2020
Location: United Kingdom
Summary
Elexon, the operator of the UK electricity balancing and settlement market, suffered a cyberattack that compromised its internal corporate IT, including employee laptops and the email server, while the central systems that settle the electricity market were unaffected. The incident was widely suspected to be ransomware because of the way it disrupted internal operations, and was linked to an unpatched Pulse Secure VPN server exposed to CVE-2019-11510, a pre-authentication arbitrary file read that security researchers had flagged on Elexon's perimeter months earlier. National Grid confirmed that power supplies were not disrupted, and Elexon restored the affected systems after identifying the root cause.
Description
On May 14, 2020, Elexon, the UK market operator that administers the balancing and settlement of electricity supply and demand on the national grid, disclosed a cyber-attack affecting its internal corporate infrastructure. The incident hit the company's internal IT network and employee laptops, and the email server was taken offline to contain the breach, cutting staff off from email and hindering internal operations. Elexon confirmed that the central systems supporting the electricity market (which it calls the BSC Central Systems) were unaffected and working as normal throughout the incident; the physical transmission of electricity is operated by National Grid, not by Elexon, and was never in scope. The company issued its initial public notifications via its website, stressing that the attack was confined to non-market, corporate systems. By the end of the same day, Elexon reported that it had identified the root cause and had begun restoring its internal network and laptops. Elexon did not characterise the attack type, but security commentators read the pattern of the disruption, in particular the forced unavailability of laptops and email, as indicative of ransomware.

Analysis by the threat-intelligence firm Bad Packets showed that Elexon had exposed an outdated Pulse Secure VPN appliance to the internet since at least summer 2019. That version was vulnerable to CVE-2019-11510, disclosed by Pulse Secure in April 2019: a pre-authentication arbitrary file read in the appliance's web interface that lets an unauthenticated attacker retrieve files from the device, including cached plaintext credentials and active session data, and then log in to the corporate network as a legitimate VPN user. Bad Packets' internet-wide scans had picked up Elexon's unpatched instance on several occasions, most recently in March 2020, two months before the incident. US and UK cybersecurity agencies had repeatedly warned that the flaw was being actively exploited, including as the initial-access vector in ransomware campaigns against unpatched appliances. The agencies also stressed a caveat that matters for any organisation in Elexon's position: because the bug leaks credentials, installing the patch does not evict an attacker who has already harvested them, so VPN passwords and sessions have to be reset as well. National Grid separately confirmed that electricity delivery to consumers was uninterrupted, which reflects the separation between Elexon's corporate IT and the grid's operational infrastructure. Elexon's restoration focused on rebuilding internal corporate assets; it did not publish remediation timelines or forensic findings.
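The traversal that Bad Packets and the agencies warned about leaves a distinctive trace in the appliance's web access logs, which is the first place an incident responder would look when reconstructing a breach like this one. The following is an added example, not Elexon's, Bad Packets' or Pulse Secure's code: a small Python scanner that runs over constructed sample log lines (documentation-range IP addresses and invented timestamps) and flags CVE-2019-11510 attempts, distinguishing a successful read of a credential or session file from a blocked attempt. The request path and file names are the public indicators from the vendor and CISA advisories; the combined log format, the field names and the severity scheme are assumptions made for the example.

```python
# Added example (not Elexon's or Pulse Secure's code): flag CVE-2019-11510
# exploitation attempts in access logs from a Pulse Connect Secure appliance or
# a reverse proxy in front of it. The request path and file names are the public
# indicators from vendor and CISA advisories; the log lines are constructed.
import re
from urllib.parse import unquote

# The vulnerability is a pre-auth path traversal through the HTML5 access
# (guacamole) handler under /dana-na/, so the traversal prefix is the signature.
TRAVERSAL = re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/(?:\.\./)+", re.IGNORECASE)

# Files attackers pull off the appliance once the traversal works.
SENSITIVE_FILES = (
    "/etc/passwd",                              # proof-of-vulnerability read
    "/data/runtime/mtmp/system",                # cached plaintext credentials
    "/data/runtime/mtmp/lmdb/dataa/data.mdb",   # active VPN session store
)

# Minimal combined-log-format parser (assumed format): client, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOGS = [
    '198.51.100.7 - - [14/May/2020:08:01:12 +0100] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.42 - - [14/May/2020:08:03:55 +0100] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1312 "-" "python-requests/2.22.0"',
    '203.0.113.42 - - [14/May/2020:08:04:02 +0100] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 1048576 "-" "python-requests/2.22.0"',
    '203.0.113.42 - - [14/May/2020:08:04:09 +0100] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/system?/dana/html5acc/guacamole/ HTTP/1.1" 404 162 "-" "python-requests/2.22.0"',
]


def normalise_uri(uri: str) -> str:
    """Decode percent-encoding twice so %2e%2e and %252e%252e both become '..'."""
    return unquote(unquote(uri))


def classify(line: str):
    """Return an alert dict for a line matching the CVE-2019-11510 pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = normalise_uri(m.group("uri"))
    if not TRAVERSAL.search(uri):
        return None
    target = next((f for f in SENSITIVE_FILES if f in uri), "other")
    status = m.group("status")
    # A 200 on a sensitive file means the read succeeded: treat it as confirmed
    # compromise with credentials and sessions exposed. Anything else is still an
    # attempt worth tracking (a scanner, or a patched appliance rejecting the traversal).
    severity = "critical" if status == "200" and target != "other" else "high"
    return {
        "src": m.group("ip"),
        "time": m.group("ts"),
        "target": target,
        "status": int(status),
        "severity": severity,
    }


def scan(lines):
    """Run classify over a log stream and return the alerts in log order."""
    return [alert for alert in map(classify, lines) if alert]


def credential_reset_required(alerts) -> bool:
    """Patching does not evict an attacker who already pulled the credential cache:
    if any sensitive read succeeded, all VPN credentials and sessions must be reset."""
    return any(a["severity"] == "critical" for a in alerts)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for a in found:
        print(f'{a["severity"]:8} {a["src"]:15} {a["time"]} {a["status"]} {a["target"]}')
    print("credential reset required:", credential_reset_required(found))
```

Two design points are worth noting. The URI is decoded twice before matching, because scanners routinely percent-encode the dot-dot segments and a single decode would miss the double-encoded form. And the severity logic deliberately separates a 404 (the appliance, or a patched one, refused the traversal) from a 200 on the credential cache or session store, since only the latter triggers the credential and session reset that the agencies said patching alone does not cover.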
