Electrica Group Lynx ransomware attack
The Lynx ransomware gang breached Electrica Group, one of Romania's largest electricity suppliers serving 3.8 million users, disrupting customer-facing services while SCADA and other critical grid systems were isolated and kept running.
- Victim: Electrica Group
- Users: 3.8M
On 9 December 2024, Electrica Group, one of Romania's largest electricity distribution and supply companies, serving more than 3.8 million users across Muntenia and Transylvania, disclosed that it was the target of an ongoing ransomware attack. Romania's National Cyber Security Directorate (DNSC) later attributed the intrusion to the Lynx ransomware gang, making it one of the highest-profile attacks on the country's power sector.
What happened
Electrica announced on 9 December 2024 that it was facing a cyberattack and immediately implemented protective measures, deliberately isolating parts of its infrastructure. The temporary disruption to customer-facing services (call centres, online portals and customer interactions) came from those defensive shutdowns rather than from damage by the malware itself.
Crucially, Romania's Energy Minister Sebastian Burduja confirmed that the company's SCADA systems and other critical grid-control infrastructure were isolated and unaffected, so electricity supply and distribution continued normally. The DNSC identified the Lynx ransomware operation, a group whose encryptor is believed to be based on the leaked INC Ransom source code and which has claimed victims across the energy, oil and gas sectors.
Impact
- Customer-facing services were temporarily disrupted as systems were isolated for protection.
- Critical operational technology (SCADA) and the electricity grid were not affected; supply and metering continued.
- The company serves 3.8 million users, so the potential blast radius was very large even though grid operations were preserved.
- Electrica, a listed company, publicly reassured customers and investors that no critical service had been compromised.
Response
Electrica worked with the DNSC, national authorities and external specialists to investigate and recover. The company emphasised that the separation between business IT and operational technology prevented the ransomware from reaching grid-control systems, the same OT-segmentation lesson seen in other energy-sector incidents. There was no public confirmation of a ransom demand being paid.
Why it matters
Coming alongside a broader wave of attacks on Romanian institutions in late 2024 (including an annulled presidential election marred by cyber concerns), the Electrica incident underscored that electricity suppliers are prime ransomware targets and that defending critical national infrastructure depends on rigorous IT/OT separation. It reinforced the value of proactive isolation, accepting customer-service downtime to protect grid stability, and added urgency to Romania's implementation of the NIS2 Directive for essential service operators.
Timeline
- Electrica Group publicly announces it is the target of an ongoing cyberattack and notifies authorities.
- The company implements protective measures, isolating systems and causing temporary disruption to customer-facing services.
- Romania's Energy Minister Sebastian Burduja states that Electrica's SCADA and other critical systems were isolated and unaffected.
- Romania's National Cyber Security Directorate (DNSC) attributes the attack to the Lynx ransomware gang.
- Electrica continues recovery; the company assures the 3.8 million users it serves that electricity supply and metering remain secure.