Cyber Incident Victim: Companhia Paranaense de Energia

Date: Feb 2021

Location: Brazil

Summary

In February 2021 a ransomware attack attributed to the Darkside group targeted Companhia Paranaense de Energia (Copel), a major Brazilian utility. The attackers exfiltrated over 1,000 GB of sensitive data, including plaintext passwords taken from Copel's CyberArk privileged access management system, network infrastructure details, engineering plans, employee and customer personally identifiable information, and financial documents. The stolen data was subsequently leaked online, exposing operational credentials and internal schematics. Copel temporarily suspended some systems, causing limited internal disruption, but maintained essential service delivery. Darkside publicly claimed responsibility and advertised the stolen data on hacker forums as part of its extortion campaign.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In early February 2021, Companhia Paranaense de Energia (Copel), a major state-owned utility serving the Brazilian state of Paraná, suffered a ransomware attack attributed to the Darkside group. The attackers infiltrated Copel's systems and exfiltrated over 1,000 GB of sensitive data, which they subsequently advertised for sale on hacker forums. According to Darkside's claims, the compromised data included plaintext passwords extracted from Copel's CyberArk privileged access management solution, granting access to both internal and internet-facing infrastructure. Additional stolen information included network maps, backup schedules, domain zone configurations for the copel.com and copel.nt domains, Active Directory databases, and detailed engineering schematics of the company's network switches. Personal data of employees and customers, including phone numbers, email addresses, identification documents, and information on top management, was also taken, alongside non-disclosure agreements, financial records, and contract details. Copel did not publicly announce the breach but disclosed it in an SEC filing dated February 1, 2021.

The attack exposed serious operational and security weaknesses, above all the compromise of the CyberArk credential store: a privileged access management system holds the credentials that gate the rest of the estate, so leaked plaintext passwords from it could facilitate further unauthorized access until every affected secret was rotated. While the utility did not report service outages, the theft of engineering plans, network diagrams, and authentication data posed significant risks to infrastructure integrity and customer privacy. Darkside's public release of the stolen data amplified these risks, potentially enabling follow-on attacks by other malicious actors. Copel's public response was limited to regulatory disclosure, with no statements detailing containment measures, forensic investigation, or coordination with law enforcement. By contrast, Eletrobras, which was attacked separately in the same period, confirmed isolating affected administrative systems to protect its operational technology; no such actions were documented for Copel. The incident underscored ransomware's persistent threat to critical infrastructure, with attackers leveraging stolen data for extortion even without immediate service disruption.
