Hacktivism, Solar Monitoring, Cyberattack

Executive Summary

In September 2024, the pro-Russian hacktivist group Just Evil and possibly the state-backed Beregini group led a coordinated cyberattack on Lithuanian energy infrastructure. The attackers claimed to target the PV monitoring solution used by the state-owned Energy holding company Ignitis Group.  

Just Evil is a faction that emerged from the split of the Killnet group, while Beregini exemplifies the complex interplay of hacktivism and state-sponsored cyber operations within the context of the Russia-Ukraine conflict. It operates under the guise of a Ukrainian group while aligning closely with pro-Russian interests.

Just Evil allegedly accessed the power monitoring dashboard of 22 Ignitis’ clients, including hospitals and military academies, via a compromised PV Monitoring Platform in the city of Kaunas. This is the latest in a series of cyberattacks on Ignitis, following earlier DDoS incidents in 2022 and more in 2024, impacting the company’s energy distribution services.

Figure 1 – Just Evil’s Alleged Attack on Lithuanian PV Monitoring Solution

Previous Attacks on Lithuanian Energy Infrastructure

The first significant attack against Ignitis was orchestrated by Killnet in 2022 in retaliation to Lithuania’s ban on the transit of goods to Russia’s Kaliningrad region. The severity of the attack can be adjudged from the fact that the Lithuanian National Cyber Security Centre had to intervene to contain it, and this was widely reported in the media.

Figure 2 – Article in the local media about the DDoS attacks on Lithuania in 2022

In early February 2024, the Russian cybercriminal group Just Evil allegedly gained unauthorized access to the Ignitis ON app control panel, a service that helps electric vehicle owners charge their cars.

The hacktivist group provided video evidence of shutting down user access to charging stations and deleting the users from the control panel. They also demanded a ransom to cease the attacks and for not leaking the user data. As per local media, Ignitis accepted the breach and did not pay the ransom. As a result, Just Evil leaked user data containing details of over 20,000 EV car owners, employee data, access keys, and firmware for car charging stations.

Just Evil later on also advertised selling admin access to Igntis ON platform for Euros 50,000. 

Figure 3 –  Just Evil’s claims of obtaining access to Ignitis ON app

A few days later, the group claimed that they were able to gain access to the Ignitis On app via a vulnerability called ‘Human Factor’, possibly indicating social engineering and the use of valid credentials to gain access. The group also mentioned defacing the panel after gaining illicit access.

Figure 4 – Just Evil’s claims after targeting Ignitis on the App

Analysis of the Incident Targeting PV Solar Monitoring Solution

Upon closer investigation of the screenshots shared by Just Evil on their telegram channel, Cyble Research & Intelligence Labs (CRIL) investigated the plausibly impacted PV monitoring solutions of Ignitis and ascertained them to be Sungrow’s iSolarCloud. Our open-source search also cemented the fact that Ignitis does use iSolarCloud for managing solar-generated electricity. Hence, considering the compromised panel screenshots, Just Evil’s claims seem credible.  

iSolarCloud by Sungrow offers several features for centralized management, monitoring, and optimization of solar energy systems. The platform offers real-time monitoring of solar systems, tracking energy production, consumption, and inverter performance. It provides data analytics for performance trends, efficiency tracking, and fault alerts, allowing remote diagnostics and predictive maintenance.  

Figure 5 – Screenshots of allegedly targeted PV Monitoring platform posted by Just Evil on Telegram                                                                     

Figure 6 – An excerpt from Ignitis’ Sungrow User Maintenance Manual (Source: Ignitis)

 While the TA claimed to target multiple Lithuanian entities such as hospitals, gymnasiums, and educational facilities, CRIL assessed that the TA was able to access the solar power plants of the institutions mentioned above via the iSolarCloud Platform that provides a centralized PV management solution for managing them, rather than individually compromising them. Considering the names of Lithuanian entities as indicated in the screenshot below, we assess that this iSolarCloud Platform may be in use by Ignitis.  

Figure 7 – Screenshot of allegedly targeted centralized PV monitoring platform managing Lithuanian entities

Looking at the group’s history of attacks, CRIL appraises that the ‘Use of Valid Credentials’ could be the likely initial attack vector in this incident. Conjugate to this hypothesis, Cyble Vision, too, identified recently compromised credentials pertaining to ISolarCloud instances in Europe.

Figure 8 – Compromised Credentials observed for iSolarCloud via Cyble Vision

Using Cyble’s ODIN scanner, CRIL investigated other PV monitoring solutions from Lithuania and found that they were exposed on the Internet and could be targeted in the near future.

Conclusion

Solar energy generation and distribution are critical to a nation’s essential services. The recent attack on a centralized PV monitoring platform, which targeted multiple locations simultaneously, represents a significant threat to Lithuania’s energy sector. As observed by Cyble Vision, numerous compromised credentials exist for iSolarCloud platform users from various regions, including Europe and China. CRIL suggests that such compromised credentials could pose a serious risk, potentially being used to target critical infrastructure systems.

Globally, the solar energy sector has increasingly become a target for cybercriminals, with incidents such as ransomware attacks, data breaches, and remote access exploitation growing in frequency.

The impact of such attacks extends beyond immediate operational disruptions, potentially undermining national energy security, causing financial damage, and affecting public trust in renewable energy technologies.

Recommendations

Enhance Network Segmentation: Use firewalls and virtual LANs (VLANs) to separate critical control systems from non-essential networks. Isolate monitoring platforms from other network segments to limit the lateral movement of threats.

Implement Strong Authentication Measures: A key method of preventing unauthenticated access due to compromised credentials is implementing mandatory multi-factor authentication (MFA) for accessing solar monitoring and control systems. Employ strong, unique passwords and regularly update them.

Regular Security Audits and Penetration Testing: Foster a cyber-aware culture with routine security assessments and penetration tests on solar energy systems, including inverters, monitoring platforms, and network devices, to help detect and address vulnerabilities before they can be exploited.

Patch Management and Firmware Updates: Establish a robust patch management policy to ensure all systems, including inverters and monitoring platforms, are up-to-date with the latest security patches and firmware updates. Regularly check for updates from equipment manufacturers.

Implement Advanced Threat Detection and Response: Remember to utilize intrusion detection systems (IDS) alongside intrusion prevention systems (IPS) and Security Information and Event Management (SIEM) tools to oversee, identify, and address potentially malicious activities throughout the network.

Secure Remote Access: Restrict remote access to critical systems through VPNs, limit access to authorized personnel only, and monitor remote sessions for any unusual activity. Disable unused ports and services to reduce attack surfaces.

Employee Training and Awareness Programs: Train employees and operators on cybersecurity best practices, including recognizing phishing attempts and proper handling of sensitive information. Regularly update staff on emerging threats and attack vectors specific to the solar sector.

Incident Response Planning and Disaster Recovery: Create detailed incident response and disaster recovery plans tailored to the solar sector. Ensure that response procedures are in place to quickly isolate and mitigate attacks, minimize downtime, and restore normal operations.

Implement Dark Web Monitoring: Regularly monitor dark web forums, marketplaces, and other underground channels for stolen credentials, sensitive data, or discussions related to your solar infrastructure. Utilize threat intelligence platforms to detect compromised information early, allowing for proactive measures such as credential resets, system audits, and enhanced security protocols to prevent further exploitation.

Minimize Internet Exposure of Critical Systems: Restrict Internet exposure of critical solar monitoring and control systems by ensuring they are not directly accessible from the public internet. Use secure gateways, VPNs, and access controls to shield critical assets. Implement strict firewall rules and regularly scan your network for exposed services to reduce the risk of unauthorized access.

References:

https://faq.isolarcloud.com/web_faq/manage/#/_en_US/a2
https://web3.isolarcloud.com.hk/#/login
https://en.sungrowpower.com/productDetail/987/cloud-platform-isolarcloud

https://ignitis.lt/sites/default/files/inline-files/saules-elektrines-su-sungrow-keitikliu-naudojimosi-ir-eksploatavimo-instrukcija.pdf

The post Solar Monitoring Solutions in Hacktivists’ Crosshairs appeared first on Cyble.