“US power provider attacked,” claim Russian cyber gang


A Russia-linked ransomware gang has claimed it breached a US electric cooperative, raising fresh concerns that cybercriminals are once again circling critical power infrastructure.

The Russia-linked ransomware group Qilin is behind the alleged attack: the group posted a claim of breaching Tennessee Valley Electric Cooperative (TVEC) on its dark web site.

TVEC is based in Savannah, Tennessee, and provides electric service to customers in Wayne and Hardin Counties in West Tennessee via 2,000 miles of electric grid.

The cooperative is a member of the Tennessee Valley Authority (TVA) public power partnership network, a federally owned electric utility corporation that serves the broader Tennessee Valley region.

So far, it is not known which data might be affected by the attack or what the scope of the cyber incident is. Cybernews has contacted the company but has not yet received confirmation regarding the cyber incident.

TVEC breach
Qilin leak site. Screenshot by Cybernews.

What we know about the attackers

First identified in 2022, the gang has recently hit a nerve in the aviation industry. In February, the gang targeted Malaysia Airlines.

The attack follows a cyber incident at Tulsa International Airport, which ended with Qilin posting more than a dozen leaked files, including internal operations documents and executive and employee data.

With links to Russia, the gang has emerged as the most active ransomware gang of 2025. Among the biggest data heists in 2025, Qilin conducted an infamous ransomware attack on SK Telecom.

It also claimed to have exfiltrated data from Habib Bank AG Zurich, MedImpact, and Volkswagen Group France.

Other high-profile attacks included Japan's Asahi Holdings, digital gaming giant International Game Technology (IGT), US newspaper group Lee Enterprises, and Nissan Japan's design arm.

In total, the gang has listed roughly 1455 victims since 2023, according to Cybernews's Ransomlooker monitoring tool.

US critical infrastructure under attack

It’s not the first time Qilin has targeted US critical infrastructure. Last year, two Texas electric distribution cooperatives became the victims of an alleged attack.

One of the victims was San Bernard Electric Cooperative, which has approximately 3,900 miles of electrical distribution lines serving approximately 28,000 households in eight Texas counties.

Another target was Karnes Electric Cooperative, which operates nearly 5,000 miles of lines and serves 23,000 households in 12 counties.

Later, the gang claimed Spark Power, a Canada-based electrical services company with active operations in the US. The gang claimed to have stolen 222GB of the company’s data.

What could be at stake this time?

So far, the gang has only listed the company’s name on its leak site, where it publishes the names of all the victims. That’s a common tactic used by ransomware gangs to put pressure on victims.

As no data samples have been released, this might be the initial step in an extortion scheme. Attackers later release a data sample, or, if negotiations fail and the victim refuses to pay the ransom, they publicly drop the entire stolen dataset.

“Qilin did not post any samples in their blog, so it is not clear what data they allegedly have,” Cybernews researchers explained.

“If there are any power grid infrastructure or operational procedure details in the gang’s hands, this data would provide awareness of how their internal systems work, which can result in more planned and targeted cyberattacks.”

Based on previous attacks, the gang may have exfiltrated organizational data, such as internal documents and customer or employee information. If that proves to be correct, it could create a risk of fraud and social engineering attacks.

