Cyber Incident Victim: Wiregrass Electric Cooperative

Date: Jul 2021

Location: United States of America

Summary

A ransomware attack targeted an Alabama electric cooperative serving approximately 25,000 members, temporarily disrupting customer account access and payment systems while leaving electrical service uninterrupted. The organization did not pay a ransom and confirmed no data compromise, attributing the incident to an isolated server issue unrelated to broader ransomware campaigns. IT personnel conducted extensive system reviews over multiple days, gradually restoring services while advising members of potential intermittent access issues; prepaid accounts were assured no disconnections during the outage.

Description

Wiregrass Electric Cooperative, an Alabama utility serving approximately 25,000 customers across five counties, experienced a ransomware attack discovered on the morning of July 3, 2021. The intrusion prompted immediate containment measures, with the cooperative isolating the affected server and initiating system-wide forensic examinations. Chief Operating Officer Brad Kimbro confirmed electrical service delivery remained uninterrupted throughout the incident, though customer-facing systems including account portals and payment processing were deliberately taken offline as a precaution. Information technology personnel conducted comprehensive audits of all infrastructure—servers, laptops, and workstations—throughout the weekend following detection. Initial analysis indicated the attack was confined to a single server, with no evidence of data exfiltration or compromise of sensitive member information. The cooperative publicly stated it did not engage with threat actors or pay any ransom demands.

While restoring systems, the utility encountered residual technical challenges including broken website links that caused intermittent access issues for customers. Wiregrass Electric announced a temporary suspension of service disconnections for prepaid account holders during the recovery period. Kimbro explicitly ruled out connection to the contemporaneous global Kaseya ransomware campaign, noting the cooperative had discontinued use of Kaseya products approximately 18 months prior to the attack. Public notifications referenced pre-planned system upgrades occurring near the incident timeframe, though no causal relationship between these upgrades and the breach was disclosed. Restoration efforts progressed methodically, with IT teams prioritizing system integrity verification before reactivating customer access platforms. The cooperative maintained operational continuity for power distribution throughout the incident while managing customer service limitations through alternative channels.
