The gang targeting America’s grid now says it’s coming for Canada

A notorious ransomware gang has listed Spark Power as a victim, claiming to hold 222GB of stolen data. So far, however, it has published no evidence to support the claim.
Qilin, the cybercriminal gang behind the alleged ransomware attack, has listed Spark Power, a Canada-based electrical services company with active operations in the US, as a victim on its leak site on the dark web.
This is a standard extortion tactic in ransomware operations: the attackers list the victim publicly to pressure it into paying before a deadline, after which the stolen data is published on the leak site.
The post appeared on November 15th. The attackers claim to possess 222GB of the company’s data. However, at this stage, they have not provided any data samples to back up their claims.
Without samples, it is unclear what kind of data the attackers might have taken from the company's network, or whether they have any at all. The claimed size alone says little: 222GB could be anything from bulk operational files to sensitive personal or financial records, and the damage from a leak depends on what the dataset actually contains.
“In theory, these could be routine business files, operational documents, possibly financial or employee personal data,” commented Cybernews researchers, who commonly investigate the data stolen during ransomware attacks.
“For a company like Spark Power, which provides electrical contracting and operations-and-maintenance services, a ransomware attack can cause significant operational disruptions, because it handles scheduled maintenance, emergency repairs, equipment commissioning, and ongoing monitoring,” our researchers explained.
“If its systems are locked, this can delay inspections, slow down repairs, or postpone other critical operations.”
Spark Power has not yet publicly announced any cybersecurity incident. Cybernews has reached out to the company for confirmation, but a response has yet to be received.
Qilin targeting US electrical providers
In October, Qilin listed two Texas electric cooperatives as victims, a direct hit on US critical infrastructure, whose protection is a national security priority.
One of the alleged victims was San Bernard Electric Cooperative, which has approximately 3,900 miles of electrical distribution lines serving approximately 28,000 households in eight Texas counties, including Austin, Colorado, Fayette, Grimes, Harris, Lavaca, Montgomery, and Waller. The company’s annual revenue reaches $92.5 million.
Another target was Karnes Electric Cooperative, which operates nearly 5,000 miles of lines and serves 23,000 households in 12 counties. The company’s annual revenue is $75.8 million.
In those two cases, unlike Spark Power's, the gang did publish samples of the stolen data: internal documents including incident reports, financial and budget reports, employee data, and other sensitive material.
What is Qilin ransomware?
The Qilin gang first appeared on the ransomware circuit in 2022, but its dark leak site claims it began operating in 2021. With links to Russia, the gang has been known to target hospitals and the manufacturing sector.
Qilin has been one of the most active ransomware gangs of the past 12 months. In total, it has listed some 995 victims since 2023, according to Cybernews' Ransomlooker monitoring tool.
This month, Qilin listed Habib Bank AG Zurich, a Switzerland-based bank, as a victim and claimed that it stole more than 2.5TB of data and nearly 2 million files. The bank’s operations span Switzerland, the UK, the UAE, Hong Kong, Kenya, South Africa, and Canada.
In October, Qilin formed an alliance with LockBit, the notorious Russia-linked gang, and DragonForce. Experts believe the alliance between the three could lead to improved tactics and a higher volume of attacks through shared resources.
In the same month, Qilin claimed to have exfiltrated data from MedImpact, a large US pharmacy benefit manager.
Earlier this year, in April, the gang conducted an infamous ransomware attack on SK Telecom. The attackers claimed to have stolen 1TB of data.
Qilin also claimed responsibility for a cyberattack on Asahi Holdings, Japan’s largest brewer. The attack disrupted operations and caused a shortage of the country’s most popular beers, soft drinks, and cold teas.
In August, Nissan's Creative Box design studio in Tokyo was attacked by the group, which claimed to have stolen 4TB of sensitive design data. The Japanese automaker has since confirmed a breach of its network in a public statement.
The gang also claims to be behind a breach of the California Golf Club of San Francisco, considered one of the nation’s most exclusive members-only golf clubs, and a favorite of Silicon Valley execs. The gang allegedly stole 10GB of its members’ data.
The gang is also behind the infamous attack on NHS partner Synnovis Laboratories. The consequences were severe: hospitals were immediately forced to divert patients to other facilities and cancel over 10,000 appointments, elective procedures, and surgical operations, including all transplant surgeries, because blood for transfusions could not be supplied.