Cyber Incident Victim: Matadero de Gijón
Date: May 2024
Location: Spain
Summary
The Matadero de Gijón bioenergy plant suffered a ransomware attack by the Ransomhub group, which compromised its SCADA system using stolen credentials obtained from Russian forums. The intrusion disrupted slaughterhouse operations, halting processing and forcing temporary closure, with manual intervention required to restore functionality. Ransomhub demonstrated control over critical systems like digesters and heating, though the exact data breach scale remained ambiguous. The incident highlights escalating threats to industrial control environments, with ransomware actors increasingly targeting operational technology infrastructure through initial access brokers.
Description
On May 1, 2024, operations at the Matadero de Gijón slaughterhouse were halted following a cybersecurity incident affecting the computer system controlling its wastewater treatment plant. The disruption began when the company responsible for managing the treatment plant’s controls alerted authorities to unauthorized system access, described by some sources as a potential hack, while others initially speculated it might be a routine technical failure. The Gijón Local Police ordered an immediate suspension of all slaughterhouse activities as a precautionary measure, resulting in over 40 cattle remaining unprocessed. Workers reported to their shifts but were subsequently sent home due to the operational standstill, causing significant disruption to production schedules and supply chain operations. The facility remained non-operational for at least one full business day before resuming partial functionality through manual control protocols implemented by onsite technicians.

Further analysis revealed that the ransomware group Ransomhub claimed responsibility for compromising the slaughterhouse’s SCADA (Supervisory Control and Data Acquisition) system, which managed critical industrial processes including digester and heating systems for bioenergy production. The attackers provided screenshots demonstrating their ability to manipulate these environmental controls, and the initial access was later attributed to credentials purchased from Russian cybercrime forums. Ransomhub, a Ransomware-as-a-Service operation active since February 2024, employed Golang and C++ code with hybrid encryption (X25519 asymmetric cryptography combined with AES-256, ChaCha20, and XChaCha20 symmetric algorithms) in its attacks.

The precise scale of data exfiltration remained unclear, with estimates ranging from 15 GB to 400 GB, but the breach directly impacted physical operations by disabling automated processes. The incident marked one of 68 attacks attributed to Ransomhub, which primarily targets IT sectors in the United States but has recently expanded to industrial control systems. Security researchers noted that this attack exemplified growing ransomware interest in operational technology, particularly systems with exposed Virtual Network Computing (VNC) interfaces. No ransom payment demands or data restoration timelines were disclosed in available reports, though manual control procedures allowed limited operational resumption within 24 hours of detection.
