Cyber Incident Victim: Nordex SE
Date: Mar 2022
Location: Germany
Summary
A major wind turbine manufacturer experienced a cyberattack attributed to the Conti ransomware group, prompting immediate shutdown of internal IT systems and remote access to customer-managed turbines to contain the incident. Early detection allowed rapid response under crisis protocols, with preliminary investigations indicating the compromise was confined to internal infrastructure without spreading to third-party assets. Conti claimed responsibility but did not leak stolen data, suggesting potential negotiations or absence of data exfiltration. The group typically employs phishing to deploy malware like TrickBot or BazarLoader, enabling network infiltration, data theft, and double-extortion tactics. The incident disrupted operations but reportedly safeguarded external customer infrastructure through containment measures.
Description
On March 31, 2022, wind turbine manufacturer Nordex experienced a cyberattack later claimed by the Conti ransomware operation. Early detection prompted immediate activation of crisis management protocols, leading Nordex to proactively shut down IT systems across multiple locations and business units by April 2 to contain the incident. The company initially disclosed the attack without confirming ransomware involvement, though internal sources indicated widespread platform outages. As a precautionary measure to protect customer infrastructure, Nordex subsequently disabled remote access to its managed wind turbines. Preliminary forensic investigations conducted by internal and external cybersecurity experts, in coordination with authorities, determined the attack was confined to Nordex's internal IT infrastructure with no evidence of lateral movement to third-party assets or customer systems.

The Conti ransomware group publicly claimed responsibility for the attack but did not publish any data, leaving open the possibility of ongoing negotiations or an absence of data exfiltration. Conti's operational pattern typically involves initial network access through BazarLoader or TrickBot infections delivered by phishing campaigns, followed by data theft to support double-extortion tactics. Nordex maintained a communication blackout regarding ransomware specifics despite direct media inquiries, focusing instead on containment and restoration efforts. The incident mirrored a November 2021 attack against competitor Vestas by the LockBit ransomware group, highlighting sector-specific targeting. Conti's infrastructure and internal communications had been partially compromised weeks earlier by a Ukrainian researcher, though this did not impede its operational capacity against Nordex. US authorities had previously issued advisories about Conti's threat profile because of its association with Russian cybercrime networks and its historical deployment of Ryuk ransomware.
