Cyberattacks on three European wind-energy companies since the start of the war in Ukraine have raised alarm that hackers sympathetic to Russia are trying to cause mayhem in a sector set to benefit from efforts to lessen reliance on Russian oil and gas.
The companies attacked haven’t publicly attributed the hacks to a particular criminal group or country and Russia has consistently denied that it launches cyberattacks.
But the timing of the attacks suggests potential links to supporters of Russia’s invasion of Ukraine, said Christoph Zipf, a spokesman for WindEurope, a Brussels-based industry group.
Serious cyberattacks on industrial equipment aren’t common and take significant knowledge to prepare, according to security experts.
The three companies targeted in the attacks are all based in Germany. Deutsche Windtechnik AG, which specializes in the maintenance of wind turbines, was hacked in April. Remote-control systems for about 2,000 wind turbines in Germany were down for about a day after the attack, the company said.
Turbine maker Nordex SE said it discovered a security incident March 31 that forced it to shut its information-technology systems. Conti, a ransomware group that has declared support for the Russian government, said this month that it was responsible for the attack.
Enercon GmbH, also a turbine maker, said it was “collateral damage” in an attack on a satellite company in February that happened “at almost exactly the same time that Russian troops invaded Ukraine.” The attack knocked out remote control of 5,800 of Enercon’s wind turbines, though they continued to operate on auto mode.
“We need high IT security standards” because the growing renewable-energy sector will become a bigger target for hackers, said Matthias Brandt, director of Deutsche Windtechnik, which has around 2,000 employees. “The crisis in Russia and Ukraine shows us that renewables are replacing oil and gas in the future,” he said.
The European Union started reducing Russian energy imports this month as member countries considered alternatives such as nuclear power, or speeded up plans to move to renewable energy after years of relying on Russian oil and gas.
Germany, Europe’s biggest economy, has rejected EU-wide sanctions on Russian fuel, arguing such a move would damage the German economy. The country moved up its plan to reach nearly 100% renewable energy electricity by 2035 and wean itself off Russian oil and coal imports this year. Still, a German official said in late March that Russia accounted for 40% of the country’s natural-gas imports, down from 55% four weeks earlier but still substantially above the EU average.
Cybersecurity experts working with Deutsche Windtechnik are investigating whether the ransomware attack used Conti malware, Mr. Brandt said. Chats from Conti ransomware users leaked online last month revealed connections to Russian security services. These hackers also discussed targeting organizations they consider to be working against Russia.
U.S. utilities aiming to provide alternative energy to Europe have also been targets, said Jim Guinn, who leads consulting firm Accenture PLC’s global cybersecurity business for energy, utilities, chemicals and mining.
Mr. Guinn said that at one U.S.-based liquefied-natural-gas company he has worked with, scanning by outside groups for cybersecurity flaws has tripled over the past month,
A hacker who manages to infect the industrial equipment that controls wind turbines could manipulate the machines’ brakes to stop power production, said Trond Solbert, managing director for cybersecurity at Norwegian risk-management company DNV GL. That could disrupt services to customers and revenue for producers, Mr. Solbert said. A simpler strike on local internet-connected services could interfere with the remote monitoring systems of wind farms, he added.
The attack on Deutsche Windtechnik hit internal IT systems, not the industrial systems that control its turbines, Mr. Brandt said. He found out the company’s systems weren’t working properly when the technology department called him around 6 a.m. on April 12. An hour or two later, IT staff drove to a data center in northern Germany to find Deutsche Windtechnik had been hit with ransomware the previous night.
Machines displayed codes that looked like hieroglyphs, Mr. Brandt said, indicating servers had been encrypted with malware. Later that day, employees found an electronic note from hackers instructing the company to contact them to restore their data. By the next day, Deutsche Windtechnik had resolved most of the issues and didn’t reach out to the hackers, he said.
As European countries transition away from Russian energy, key alternative sources will be wind farms in Germany and the North Sea, said Mr. Guinn of Accenture. Hackers that have pledged to attack opponents of Russian interests are taking aim at companies working with those alternatives, he said. “This is a bit of a long game. This is a chess match—this isn’t smash and grab,” he added.
Around 90% of Deutsche Windtechnik’s staff email accounts have been restored, Mr. Brandt said. The company will need a few weeks to bring back parts of its enterprise software that IT staff shut down out of caution. “Customers and clients may not see it, but internally it is a lot of work,” he said. He doesn’t yet know how much the incident will cost the company.
Write to Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8