Hackers had access to European electricity organization’s email server for weeks: report

Unidentified hackers reportedly used an open-source tool to communicate with the server for over a month.

When the organization that oversees Europe’s electricity market announced on Monday that hackers had infiltrated its IT network, it didn’t provide many details.

The European Network of Transmission System Operators for Electricity (ENTSO-E) said a data breach had been confined to its office network, and that no critical power systems were affected. It didn’t mention how or why the intrusion began.

But a public analysis of a cybersecurity incident, which multiple people familiar with the matter said matches the details of the ENTSO-E breach, indicates that the attackers were communicating with the victim organization’s email server for more than a month.

There was repeated, high-volume communication between the server and the hackers’ malware, according to the analysis, which was published in January by threat intelligence firm Recorded Future. The report did not name ENTSO-E as the victim, but a source close to senior cybersecurity officials at multiple European electric utilities said the two incidents were the same.

ENTSO-E’s 42 members represent some of the largest utilities in Europe, coordinating to deliver a steady supply of electricity for European Union citizens. Data housed on ENTSO-E’s office network could be valuable to hackers looking to target individual utilities, although so far, there isn’t evidence of that happening.

“[T]he targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe,” the Recorded Future blog post says.

That report concludes that the unidentified hackers used an open-source remote access trojan known as Pupy RAT to communicate with the server from late November to at least Jan. 5.

It is unclear who is responsible for the breach. Pupy RAT has been used by multiple state-sponsored hacking groups. It is publicly available, meaning the malware alone isn’t enough to conclude who was responsible.

An ENTSO-E spokesperson did not respond to multiple requests for comment on the Recorded Future analysis. On Monday, the spokesperson said the organization would not be commenting beyond its four-sentence statement.

Recorded Future declined to comment beyond the blog post.

“Recorded Future does not disclose victims without coordination and will not share additional details regarding this incident at this time,” company spokeswoman Rachel Adam said.

Many of the European utilities have issued statements emphasizing that the breach did not affect their operations, adding that they are continuing to investigate.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.