Exclusive: EirGrid targeted by 'state sponsored' hackers leaving networks exposed to 'devious attack'

Not known if any malicious software was secreted onto EirGrid’s control systems

Cathal McMahon

Irish electricity transmission system operator EirGrid was targeted by “state sponsored” hackers leaving its network exposed to a “devious attack”.

Independent.ie can reveal that the hackers, using IP addresses sourced in Ghana and Bulgaria, gained access to a Vodafone network used by the Irish operator in the UK in April.

Following the original attack, the hackers then compromised the routers used by EirGrid in Wales and Northern Ireland. They did this by installing a virtual wire tap on the system, giving them access to all of the unencrypted communications sent to and from the companies.

The breach was discovered last month, more than two months after the original hack, but sources say it is still not known if any malicious software was secreted onto EirGrid’s control systems.

State-owned company EirGrid manages and operates the electricity transmission grid across the island of Ireland.

Eirgrid moves wholesale power around the country. Energy is also brought from generation stations to heavy industry and high-tech users. The company also supplies the distribution network operated by ESB Networks that powers every electricity customer in the country.

A breach of the system could result in power outages across the island.

Malware has previously been used in Ukraine by suspected Russian hackers to cause major national power outages, and concerns have now been raised that this could be repeated here.

Independent.ie has learned that the hack came to light after a tip-off from Vodafone and the National Cyber Security centre in the UK to EirGrid.

Vodafone discovered that there had been a breach of its Direct Internet Access (DIA) service, which provides internet connectivity to EirGrid's interconnector site in Shotton, Wales. The original breach took place on April 20 and lasted just short of seven hours.

A source said that both Vodafone and the National Cyber Security Centre believe it was a “state sponsored attack” and it was subsequently discovered that the attackers were working from IP addresses sourced out of Bulgaria and Ghana. However police services in Ireland and the UK do not believe that the hackers originated in either country.

The breach of the Vodafone network allowed the hackers to create a type of wire tap known as Generic Routing Encapsulation (GRE) tunnel into Eirgrid's Vodafone router located in Shotton.

A source explained that this “man-in-the-middle” meant the hackers had the ability to capture any unencrypted digital traffic originating from or destined for the Shotton site.
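The two paragraphs above describe the mechanism: an unauthorised GRE tunnel configured on the edge router copies traffic to a third party, so anything not encrypted end to end is readable. From a defender's side, the simplest control is to compare the tunnels actually present on the router, and the GRE flows actually leaving it, against the peers approved through change control. The script below is an added illustration of that check; it is not code from the article, EirGrid or Vodafone. The router configuration excerpt, the IP addresses, the flow records and the approved-peer list are all constructed for the example, and the Cisco IOS-style `interface Tunnel` / `tunnel destination` syntax is an assumption about the platform.

```python
"""Detect GRE tunnels and GRE flows whose remote peer is not on the approved list.

Everything below (config excerpt, flows, approved peers) is constructed sample data.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of an IOS-style running config from an edge router.
# Tunnel0 is the legitimate backhaul tunnel; Tunnel99 is the constructed rogue tap.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel0
 description corporate-backhaul
 ip address 10.250.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
!
interface Tunnel99
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.44
!
"""

# Constructed flow records: (source IP, destination IP, IP protocol number, bytes).
# IP protocol 47 is GRE; 6 is TCP.
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.7", 47, 120_000),
    ("203.0.113.10", "192.0.2.44", 47, 48_500_000),
    ("203.0.113.10", "198.51.100.9", 6, 2_000),
]

# Assumed allowlist of GRE peers, as a defender would record it from change control.
APPROVED_GRE_PEERS = [ip_network("198.51.100.0/24")]

GRE_PROTOCOL = 47

# One "interface TunnelN" stanza: the header line plus every following indented line.
_STANZA = re.compile(r"^interface (Tunnel\S+)\n((?:^ .*\n?)*)", re.M)
_DEST = re.compile(r"^ tunnel destination (\S+)", re.M)


def parse_tunnels(config):
    """Return {tunnel name: destination IP or None} for every tunnel stanza."""
    tunnels = {}
    for match in _STANZA.finditer(config):
        name, body = match.group(1), match.group(2)
        dest = _DEST.search(body)
        tunnels[name] = dest.group(1) if dest else None
    return tunnels


def is_approved(addr, approved=APPROVED_GRE_PEERS):
    """True if addr falls inside any approved peer network."""
    return any(ip_address(addr) in net for net in approved)


def rogue_tunnels(config, approved=APPROVED_GRE_PEERS):
    """Tunnels whose destination is missing or not an approved peer."""
    found = []
    for name, dest in parse_tunnels(config).items():
        if dest is None or not is_approved(dest, approved):
            found.append((name, dest))
    return sorted(found)


def rogue_gre_flows(flows, approved=APPROVED_GRE_PEERS):
    """GRE flows (protocol 47) whose destination is not an approved peer.

    Flow data catches a tap even when the attacker has hidden or reverted
    the configuration change, so both checks are worth running.
    """
    return [f for f in flows if f[2] == GRE_PROTOCOL and not is_approved(f[1], approved)]


if __name__ == "__main__":
    for name, dest in rogue_tunnels(SAMPLE_CONFIG):
        print(f"unapproved tunnel {name} -> {dest}")
    for src, dst, proto, nbytes in rogue_gre_flows(SAMPLE_FLOWS):
        print(f"unapproved GRE flow {src} -> {dst} ({nbytes} bytes)")
```

Run against the constructed data, the config check reports `Tunnel99 -> 192.0.2.44` and the flow check reports the large GRE flow to the same address, while the approved backhaul tunnel and the ordinary TCP flow pass. The flow check matters independently of the config check because a copied configuration can be restored to its original state after the tap is removed, whereas exported flow records keep the evidence.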

Independent.ie has learned that all communications leaving the Eirgrid site and passing through the DIA router were “monitored and maybe interrogated” by a third party with direct access to the device.

Vodafone has told Eirgrid that it has “no idea” at this time how much data was transferred over the GRE tunnel. However it was able to tell the state supplier that all the compromised router devices had their firmware and files copied by the attackers.

A source said this allows the hackers to inspect the network configuration of Vodafone and “possibly launch a further more devious attack through some unknown vulnerabilities”.

Household customer information was not stored on the Eirgrid computers but information pertaining to commercial customers would have been transferred over the compromised network.

A follow-up internal investigation, carried out by the company, revealed that the offices of the System Operator for Northern Ireland (SONI), which is wholly owned by EirGrid, were also compromised and its data was being intercepted too.

David Martin, spokesperson for EirGrid Group, said:

“At EirGrid Group, the security of our computer network and of the electricity control system is an utmost priority.

“We take all necessary steps to ensure that our systems are secure and protected and we remain vigilant to potential cyber threats, by continuously monitoring the external environment and by engaging with the relevant authorities.

“It is EirGrid Group’s policy not to comment publicly on specific operational matters related to cyber security, however, we are aware of the currently reported focus on energy companies and national infrastructure and wish to state that our computer systems have not been breached.”

A spokesman for Vodafone said:

“Vodafone does not comment on specific security incidents. In such cases we always work closely with the relevant authorities to investigate and take immediate actions to contain the issue and protect our customers.”
