Renowned ransomware group Conti recently claimed responsibility for a cyberattack on Nordex, a leading wind turbine manufacturer. As a result of the attack, the company was driven to shut down its remote access and IT systems.

Headquartered in Rostock, Germany and managed in Hamburg, Nordex is now counted among the largest manufacturers and developers of wind turbines in the world, with over 8,500 employees on its payroll worldwide.

Disruptive impacts of a cyberattack

On April 2, the wind turbine manufacturing giant disclosed that it had experienced a cyberattack. According to the company, the attack was detected early, enabling it to shut down its IT systems quickly and prevent the infection from spreading.

In its original statement to the press, Nordex explained:

“The intrusion was noted in an early stage and response measures initiated immediately in line with crisis management protocols. As a precautionary measure, the company decided to shut down IT systems across multiple locations and business units.”

The company later updated this statement and explained that in order to protect its customers’ assets, Nordex had additionally disabled all remote access available for managed turbines. However, after investigating the incident, the manufacturer discovered that the attack had not managed to spread that far and was effectively restricted to Nordex’s internal systems.

In the updated statement, Nordex said:

“In close cooperation with relevant authorities, the emergency response team of internal and external IT experts has been performing extensive investigations and forensic analysis. Preliminary results of the analysis suggest that the impact of the incident has been limited to internal IT infrastructure. There is no indication that the incident spread to any third-party assets or otherwise beyond Nordex’ internal IT infrastructure.”

Ransomware at the root

While Nordex has not validated the claim, the Conti ransomware gang has claimed responsibility for the attack. If Conti’s boast proves to be true, it will not be the first ransomware attack levelled at the wind turbine industry in Europe recently. Last year, in November, the LockBit ransomware gang attacked Vestas, the Danish wind turbine manufacturer.

Despite its claims, the Conti ransomware organisation has not yet started to leak any confidential data to confirm its attack. This could indicate either that no data was successfully stolen when the gang compromised Nordex’s systems or that the manufacturer is currently engaged in negotiations with the organisation.

Operated by a Russia-based hacking outfit, Conti is a ransomware gang well known for using other insidious malware such as BazarLoader, Ryuk and TrickBot, often in combination, to achieve its objectives.

As threat operators spread laterally through an infected network, they look for sensitive data worth collecting. As part of a double extortion tactic, it is common practice for ransomware gangs to steal data while encrypting their victim’s systems. If a target restores their operating system and data from backups and refuses to pay the ransom requested, threat operators will threaten to publish stolen files on their leak sites or on hacker forums on the dark web as leverage.