Russia-linked hackers attack Texas electric cooperatives


Hackers claim to have breached Texas electric power cooperatives, exposing sensitive financial documents.

Qilin, the cybercriminal gang behind the alleged ransomware attacks, has listed two Texas electric distribution cooperatives as victims on its leak site on the dark web.

One of the alleged victims is San Bernard Electric Cooperative, which operates approximately 3,900 miles of electrical distribution lines serving roughly 28,000 households in eight Texas counties: Austin, Colorado, Fayette, Grimes, Harris, Lavaca, Montgomery, and Waller. The cooperative’s annual revenue reaches $92.5 million.


Another target is Karnes Electric Cooperative, which operates nearly 5,000 miles of lines and serves 23,000 households in 12 counties. The company’s annual revenue is $75.8 million.

The allegations are extremely troubling, as both cooperatives are part of US critical infrastructure, meaning that protecting them is a national security priority.

[Image: Screenshot of data samples linked to San Bernard Electric Cooperative]

What data was stolen from Texas electric providers?

On its leak site, the gang posted samples of data allegedly stolen from the victims. This is a common technique in ransomware attacks: threat actors publish data samples as a warning, pressuring companies to pay the ransom.

Cybernews researchers investigated the samples that Qilin claims belong to San Bernard Electric Cooperative. Among the documents were:

  • First incident reports, containing full names, phone numbers, and incident details
  • Yearly budget reports
  • Insurance documents
  • Rate-case expense reports
  • Invoices from other companies
  • Labour and equipment expense reports
  • Right-of-way easement contracts

The post on the dark web linked to Karnes Electric Cooperative includes samples with data that exposes:

  • Board directors’ list – their names, addresses, contact information
  • Financial documents, such as income and expenses balance reports, and daily financial operation documents
  • Organization members’ data, including names, addresses, and zip codes

It is still unverified whether the data is legitimate, as it is not uncommon for ransomware gangs to resurface older data from previous breaches and claim it as a new breach.

However, if the data proves legitimate, it could have security implications for the companies. Apart from showing that critical infrastructure is vulnerable to cyberattacks, it could also put companies' reputations and business processes at risk.

“Exposed financial data could reveal pricing strategies, cause loss of trust, or competitive disadvantage. Revealed incidents could indicate service quality issues,” said Cybernews researchers.

“PII can be used for identity theft, harassment, and targeted social engineering, especially for board directors.”

Cybernews has reached out to the companies for confirmation but has not yet received a response.


What is Qilin ransomware?

Qilin is a big name in the ransomware landscape. With links to Russia, the gang has been known to target hospitals and the manufacturing sector. The Qilin gang first appeared on the ransomware circuit in 2022, but its dark leak site claims it began operating in 2021.

With more than 88 victims listed since just the beginning of September, Qilin has moved into the number one position as the most active ransomware gang of the past 12 months, with roughly 585 victims as of today, according to Cybernews' Ransomlooker monitoring tool.


Qilin aggressively outperformed ransomware rivals Cl0p, Play, INC Ransom, and Akira. Since January 1st, 2025, Qilin has claimed more than 500 attacks.

In April, the gang claimed a ransomware attack on SK Telecom. The attackers claimed to have stolen 1TB of data. At the end of April, SK Telecom informed customers and started a free SIM swap service for all its customers.

[Image: Screenshot of data samples linked to Karnes Electric Cooperative]

Qilin also claimed responsibility for a cyberattack on Asahi Holdings, Japan’s largest brewer. The attack disrupted operations and caused a shortage of the country’s most popular beers, soft drinks, and cold teas.

In August, Nissan’s Creative Box design studio in Tokyo was attacked by the group, which claimed it had stolen 4TB of sensitive design data. The Japanese automaker giant has now confirmed a breach of its network in a public statement.

The gang also claims to be behind the breach of the California Golf Club of San Francisco, considered one of the nation’s most exclusive members-only golf clubs and a favorite of Silicon Valley execs. The gang allegedly stole 10GB of its members’ data.

The gang is also behind the infamous attack on NHS partner Synnovis Laboratories. The attack had devastating consequences, as hospitals were immediately forced to divert patients to other facilities and cancel over 10,000 appointments, elective procedures, and surgical operations, including all transplant surgeries, due to a lack of blood transfusions.

Recently, the notorious Russia-linked gang LockBit formed a coalition with DragonForce and Qilin ransomware. Experts believe that the alliance between LockBit, Qilin, and DragonForce could lead to improved tactics and an increased volume of attacks through shared resources.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
