Cyber Incident Victim: Encevo Group

Date: Jul 2022

Location: Luxembourg

Summary

A Luxembourg-based energy company and its subsidiaries suffered a ransomware attack attributed to the Alphv (BlackCat) group, disrupting customer portals and phone services while leaving electricity and gas supplies unaffected. Hackers exfiltrated data including contracts, passports, and emails, threatening to leak the stolen information. The parent company established a dedicated website for updates, filed a police report, and notified regulatory bodies while analyzing compromised systems. This incident aligns with broader targeting of European energy infrastructure, though operational continuity was maintained—unlike previous ransomware cases where billing system disruptions forced service halts.

Description

The cyberattack targeting Luxembourg-based energy companies Enovos and Creos—subsidiaries of the Encevo Group—began on the night of July 22, 2022. The incident disrupted customer portals for both entities but did not interrupt electricity or gas supply services. Creos confirmed its phone systems were inoperable following the attack, though the company provided no additional operational details when pressed days later. Encevo Group publicly acknowledged the breach in a July 28 press release, revealing that attackers had exfiltrated or rendered inaccessible a "certain amount of data" from corporate systems. The group initiated forensic analysis to determine the scope of compromised data but advised customers against contacting support teams directly, instead directing them to a dedicated informational website. Formal notifications were made to Luxembourg’s Grand Ducal Police, National Commission for Data Protection, Institute of Regulation, and relevant government ministries.

The Alphv/BlackCat ransomware group claimed responsibility for the attack on its leak site, alleging theft of 150 GB of sensitive data including contracts, passports, bills, and email communications. While the group threatened to publish the data on July 25, no leaks had materialized by the article’s publication. Security analysts linked Alphv to prior ransomware operations BlackMatter and DarkSide, noting parallels with the Colonial Pipeline attack where billing system disruption—not operational infrastructure compromise—caused critical service interruptions. This incident occurred amid escalating attacks against European energy infrastructure, including April 2022 disruptions at Deutsche Windtechnik, a March cyberattack forcing Nordex to shut down IT systems, and February incidents impacting Oiltanking and Mabanaft that disrupted oil terminal operations across Germany, Belgium, and the Netherlands. Though Enovos and Creos maintained energy delivery throughout the incident, the breach highlighted systemic vulnerabilities in critical infrastructure billing and customer management systems.
