On November 10-11, Kisters AG in Germany was hit by a ransomware attack. Because the firm is a critical infrastructure supplier for energy systems and with the potential for downstream compromise, this one has raised significant concerns. The following are some translated snippets from energie.blog, which has been providing updates on the attack:
Update: 11/21/2021:
“According to the previous forensic analyzes, there are currently no indications that the software products we have delivered have been compromised.”
Update: 11/23/2021:
“To ensure the security of our customers, we are completely redesigning our systems. Work on this is currently in full swing. Data that we can use from the backup is carefully checked in advance to ensure its integrity and consistency as far as possible. For our cloud customers, we will start restoring the systems tomorrow (Wednesday), from Thursday these systems will be checked immediately and monitored for abnormalities. After that, the approval will take place step by step in the following days and weeks. Your KISTERS contact person: in will then get in touch with you. In parallel, the forensic analyzes will continue. ”
Update: 11/30/2021 (from press release):
The responsible data protection authorities have already been informed. Since KISTERS will not engage in such attempts at extortion, the publication of the captured data is to be expected. As soon as information is available as to whether customer data is affected, KISTERS will seek immediate direct contact with those affected. At the same time, the IT company continues to work closely with the security authorities, who will systematically prosecute any publication of data by the hackers as a criminal offense.
Update: 12/02/2021
According to a report by DarkFeed.io, Conti threat actors add Kisters.de to their leak site, and publish what they claim is 5% of exfiltrated data.
When checked this morning, prior to publication, the listing could not be found. Because Kisters had indicated that they had no intention of paying, the removal of the listing could mean of one several things, but rather than speculating, DataBreaches.net will just continue to monitor the leak site to see if it reappears.