Cyber attack on TWL joins a worldwide series of attacks

  • Critical infrastructure becomes a prime target for cybercriminals
  • German energy supplier is latest victim in a series of many
  • Plant failure can be prevented by anomaly detection

Leipzig, 26 May 2020 - While the world remains in lockdown, cybercriminals and state-supported hacker groups are sniffing out their chance to disrupt critical services. In recent months, several cases have become known in which critical infrastructures have been targeted and put under pressure. »Presumably the cybercriminals see the system relevance of companies as a chance for fast ransom payments,« says Rhebo CEO Klaus Mochalski, assessing the wave of incidents. »Since the beginning of the year, we have observed a significant increase in attack activities. What they all have in common is that they very cleverly circumvent common installed security mechanisms.«

In February 2020, the Cybersecurity and Infrastructure Security Agency (CISA) already pointed to the case of a pipeline operator in the USA.[1] After unknown attackers brought IT to a standstill, they accessed the Operational Technology (OT) and disrupted the operational monitoring of the facilities. In April, the Association of European Transmission System Operators (ENTSO-E), which represents a total of 42 distribution system operators from 35 countries, fell victim to a ransomware attack.[2] Two weeks ago, Elexon, which is of central importance for the regulation of the British energy market, followed suit.[3] At the same time, the production of the hospital operator and medical technology manufacturer Fresenius Kabi in Norway was affected by the new Snake/Ekans malware.[4]

Germany is coming under the spotlight of cyber criminals

With Technische Werke Ludwigshafen (TWL), the latest victim of this wave of incidents is now located directly in Germany. The regional energy supplier fell victim to a phishing campaign back in February this year, which presumably involved ransomware from the Clop group. The ransomware is part of a strand of highly specialized malware, some of which is even available with a legitimate signature. As a result, common defence mechanisms, as used in firewalls and typical intrusion detection systems, can be circumvented.

»Operators of system-relevant infrastructures face the problem that their classic IT cybersecurity tools capitulate in the face of new and extremely cleverly programmed malware,« warns Klaus Mochalski. »These tools might still be sufficient against the majority of common-or-garden attacks. However, as soon as the attack deviates from known patterns and is well camouflaged like the ransomware used at TWL, the mechanisms are absolutely helpless. It is not for nothing that many energy suppliers in Germany are now reinforcing their standard mechanisms by industrial network monitoring with anomaly detection.« For example, Stromnetz Hamburg, EWR Netz GmbH, Netz Leipzig and Mitnetz Strom protect their industrial control systems with the dedicated ICS solution and anomaly detection Rhebo Industrial Protector. »It is easy to detect known attack patterns,« adds Klaus Mochalski. »The challenge is to detect those malicious activities at an early stage that use a cloak of invisibility to infiltrate your network and give it free rein.«

Further information and use cases of end-to-end ICS monitoring with anomaly detection in critical infrastructures can be found at

About Rhebo

Rhebo is the only vendor-independent provider of industrial monitoring solutions ensuring both cybersecurity and stability of ICS and IoT infrastructures. The German company’s solutions monitor all communication within the ICS and on distributed critical IoT devices. Any attacks, vulnerabilities and technical error states are reported in real time. Thus, Rhebo vendor-neutrally supports industrial, energy and water companies in increasing the cybersecurity, productivity and availability of their systems and plants to safeguard their digital transformation.

In this role, the company is a partner of the Alliance for Cyber Security of the Federal Office for Information Security (BSI) and is actively developing standards and technical guidance in the Teletrust - Bundesverband IT-Sicherheit e.V. and the Bitkom Security Management Working Group.

Contact Rhebo

Kristin Preßler
Tel. +49-341-393-790-180