HSE, Slovenia's largest power utility, has been targetted by a serious cyberattack that officials have said has since been brought under control as functionalities of the IT system are being restored.

The incident, which started late on 22 November and escalated in the night to 25 November, has not jeopardised production or supply of electricity.

"Key power station operation and trading systems are operational, the connection to the national grid operator has been restored and there are good prospects that a smooth operation of the entire communications and IT infrastructure will be restored without major negative consequences," HSE said on 27 November.

The company denied media reports of a temporary outage in a high water level alarm system and temporary inability to trade in electricity, one of the group's key activities apart from electricity production.

"We would like to emphasise that HSE had the power stations of the HSE group under control at all times, and safety has also been ensured, with the high water alarm system also working without disruption," HSE director general Tomaž Štokelj was quoted as saying.

"Electricity trading has not been interrupted and is ongoing, but as a precautionary measure we have slightly limited the execution of individual transactions," he added.

HSE has been working on the problem with in-house teams and external experts. The police have been informed, as has the National Security Council given that energy is classified as critical infrastructure.

Cause of incident not clear yet

The news portal 24ur reported on 25 November that the attack was "substantial" and that the attackers had penetrated the security and control system as well as fire alarms.

Speaking to reporters on 26 November, he said it was too early to say what the source of the incident was or who was behind it.

Both Svete and HSE have said there has been no demand for ransom with HSE denying a report by TV Slovenija on 27 November that the hackers demanded a ransom of one million of euros.

The information gathered so far, including from HSE, suggests the attack was carried out from the outside. "From this point of view, it's a pretty classic cyber incident," Svete said.

He reiterated several times that HSE tackled the problem by the book. He said the country's cyber defence stakeholders coordinated to prevent potential spread of the incident to other systems.

Cross-sectoral impact of the incident has not been detected, the incident has not escalated and there has been no new incident, he said on 27 November.

HSE expects no major damage

"Based on what we've seen we can be optimistic that there will be no major consequences either in terms of system security or the impact on the company's business performance," HSE director general Štokelj assessed on 26 November.

But Svete noted that every cyber-attack has a huge financial impact. "Even if the attackers don't claim ransom, an army of outsourced IT professionals is not cheap, and instead of being focused on its core business the company is busy dealing with the attack and finding holes through which it could have been penetrated."

HSE operates the Šoštanj thermal plant, which accounts for around a third of domestic electricity production, as well as chains of hydro plants on the Drava, the Sava and the Soča. The group accounts for roughly 60% of domestic electricity production.

The group also acts as an energy trader in more than 20 European countries, selling the power it produces to its clients on the national and European wholesale markets, and trading in electricity and derivatives and related products at various energy exchanges across Europe.

One of the biggest hack attacks

The attack is considered one of the biggest such incidents in Slovenia's history. Apart from IT and cyber security experts, the national intelligence agency SOVA and the Defence Ministry's security and intelligence service are looking into the background of the incident.

Slovenia has seen quite a few cyber attacks in recent years, most recently the Foreign Ministry earlier this year in an attack that media reported had been executed by Chinese hackers who were only interested in documents related to China and Slovenia's policies on China.

The Defence Ministry and the police were targeted in a hacking attack in September 2022 but the ministry's system was not breached and only a few police computers were infected.

In August the same year, the information system of the Civil Protection and Disaster Relief Administration was the target of a cyberattack, which crashed the Spin web application before it was later restored. Due to the attack, operators had to manually enter incoming emergency calls into the system for some time.

Major incidents included a ransomware attack on Lekarna Ljubljana, Slovenia's largest pharmacy chain, in 2019 which temporarily incapacitated its information system and forced the chain to temporarily close for business.

Car assembly factory Revoz, the Slovenian subsidiary of France's Renault, had to suspend production during two shifts after being hit in a global cyber attack in 2017.

The broadcaster POP TV suffered a hack attack in February 2022 in which some personal data of individuals recruited for its shows, visitors to live shows, and personnel recruitment data had been breached.

SI-CERT, the Slovenian Computer Emergency Response Team, logged 4,123 cyber incidents in 2022, a third more than in 2021.