
BEL tightens defense against Cybercriminals


Photo: John Mencias, CEO – BEL

by Marco Lopez

BELIZE CITY, Thurs. July 20, 2023

Ransomware is malware that infiltrates a network and encrypts the data on the systems it reaches, locking the companies or individuals who own that data out of it. Its operators then demand a ransom, typically paid in cryptocurrency, in return for the means to decrypt the data. Many groups also copy the data out of the network before encrypting it and threaten to publish it if no payment is made, so that a victim with good backups can still be extorted. It was thus disconcerting for many Belizeans to find out that the systems of Belize Electricity Limited (BEL), the country's national electricity provider, had been breached by the cybercriminal group Ragnar Locker between March and May 2023. Activity in the attack was traced to an IP address in Russia; an IP address on its own is weak evidence of who is behind an attack, but the group is believed to be a Russian operation. The group claims to have leaked 355 gigabytes of BEL's organizational data, and the company this week confirmed that key customer and employee information is in the hackers' possession and has been leaked.

On July 13, 2023, the CEO of the Ministry of Public Utilities, Jose Urbina, contacted BEL to report that his Caribbean counterparts had brought the data breach to his attention. BEL's CEO, John Mencias, said at a press conference on Tuesday this week that the company had first become aware of suspicious activity on its systems on March 31.

“It was unusual, and it was actually traced back to an IP address from Russia,” Mencias told reporters. The company's telecommunications services department moved immediately to block the IP address and took further action. About a month and a half later, however, between May 9 and 15, further suspicious activity was detected.

“We actually then detected the presence of foreign actors in our network and took immediate action to remove these actors and to isolate the path of the system we felt was compromised,” Mencias said.

Prior to the breach, the company had undergone a series of vulnerability assessments. As far back as 2020, BEL contracted a global cyber security firm to conduct a penetration test (pen test): in effect, it paid the firm to try to hack its systems. The tests found shortfalls in the system's security and produced “several recommendations” for the company, of which, Mencias said, 95% were implemented.

Separate compromise-assessment exercises (described by the company as “Incident of Compromise” exercises, that is, a search for indicators that attackers were already inside BEL's systems) were also carried out. Up to the first quarter of 2023 none had turned up evidence of compromise, and so the company was reasonably assured that its systems were protected, Mencias said.

This was not so.

While the gaps found in the penetration test and the compromise assessments had been closed, those were not the means by which the hackers entered the system, Mencias said. He added that the security consultants have told him that even if the remaining 5% of gaps had been addressed in the first instance, that would not have prevented this hack. Both kinds of exercise are point-in-time: a pen test reports the weaknesses its testers found, and a compromise assessment reports the indicators known when it was run, so neither rules out an entry point used later.

Mencias also said that the point of initial compromise has still not been identified.

It must be noted that, before the notice from the Public Utilities Ministry CEO, some of the company's managers, namely CEO Mencias; Sean Fuller, General Manager of Finance and Business Support; and Jose Moreno, General Manager of Distribution Services, had received an email purporting to notify the company of its system vulnerabilities. In line with accepted practice for dealing with cyber criminals, Mencias said, the company's incident response team and security consultant advised them not to respond to it. That email arrived on June 20, about five weeks after the May intrusion was detected.

The company has told the public that the leaked information includes Social Security numbers stored in customer applications, payroll information, conflict-of-interest disclosures, accident reports, and a range of other documents. The full extent of the leaked data has not yet been confirmed. The company has pointed out, however, that it does not store banking or credit card information in its systems, so none of that was leaked.

The company believes that only its Information Technology (IT) network was infiltrated, and that it was compromised only briefly, until the company identified and purged the ransomware from its systems. Deep scans were then run to check that the attackers had not gone any further.

The Ragnar Locker group appears to have posted all the data extracted from the company's systems on its leak site on the dark web, where anyone able to reach that part of the internet can retrieve the stolen information.

BEL’s security team has spent some time on the dark web to determine the extent of the data breach.

“We have a team of employees analyzing the data that we were able to get from the dark web,” said Sean Fuller, CFO and General Manager of Finance and Business Support at BEL. He added that “conflict of interest disclosures between BEL and its contractors and suppliers, property tax invoices, about 10,800 customer new service application forms that have the customer name, their telephone number, and their Social Security card information” were shared.

Company information, including employee payroll data and a number of non-confidential and public documents, was also found among the leaked data posted on the dark web.

The company now proposes to step up its cyber security efforts substantially. It has already hired a second cyber security firm and is considering contracting a third. Fuller added that the outstanding 5% of identified gaps will be addressed.

As for the leaked customer information, which could well lead to the identity theft of thousands of Belizeans, the company has apologized and promised to contact each person affected, whether customer, employee or stakeholder, to disclose the full extent of their compromised personal information.

So far, no formal report of the cyber-attack has been made to the local police, Interpol, or the FBI. Formal reports have gone only to the Minister of Public Utilities and Energy, Hon. Michel Chebat, who is also the National Data Protection Officer, and to the National Security Directorate of Belize.

As for the company's confidence that its vital Operational Technology (OT) infrastructure, the systems that keep the lights on, was not compromised, both Mencias and Fuller confirmed that that network was not infiltrated. Mencias said there is an “industry-leading state-of-the-art firewall between the IT and OT system.”

The firewall between the customer service application and the rest of the IT network is the part of the system's defenses that was most likely breached, but a definite point of origin has not been identified.

“Both networks are independent networks that we have some interfaces between them, or one interface between them that controls specific types of information that flows between the two networks. And I will tell you, the initial findings that alerted us are the systems that we have in place that we implemented after the Pen Test in 2020; that alerted us of some unusual traffic that we saw coming from one network trying to access the OT network. It didn’t even get close to where it needed to get to infiltrate that network,” Fuller explained.

According to Fuller, the attackers behind the Ragnar Locker ransomware wanted access to the OT system, which would have given them what they needed to manipulate the electricity grid and disrupt supply. Thanks to the measures implemented before this cyber-attack, he said, they were unable to do so.

“The systems that we implemented said, ‘I see something unusual happening; take a look at this;’ and that is how we determined certain software that was not supposed to be in our system, and certain account elevations that were not supposed to happen on the system, and we were able to stop,” Fuller said.

“It controlled the electricity grid – automation, monitoring, and control of the grid,” CEO Mencias said of the OT system.
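The defense Fuller describes above, one controlled interface between the IT and OT networks, with alerts raised on traffic from the IT side trying to reach OT, on software that should not be there, and on account elevations that should not happen, is a small detection problem that can be shown in code. The following Python example is added here to illustrate it; it is not BEL's tooling, and the address ranges, allowlist entry, group names, host names and log lines in it are constructed for the example rather than taken from the article.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical address plan and allowlist: none of these values come from BEL.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.20.0.0/16")

# The one sanctioned IT -> OT flow across the interface: (src, dst, proto, dport).
# Any other IT -> OT attempt is reported even if the firewall already denied it,
# because the attempt itself is the indicator of a host probing the boundary.
ALLOWED_IT_TO_OT = {
    ("10.10.5.10", "10.20.1.5", "tcp", 1433),
}

# Group memberships that should change only under a change ticket.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Locations from which a newly installed Windows service binary is expected to run.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Alert:
    kind: str
    ts: str
    detail: str


def parse_kv(line: str) -> dict:
    """Parse '<timestamp> key=value key="value with spaces" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def check_flow(f: dict):
    """Apply the IT/OT boundary policy to one flow record (initiating direction)."""
    src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
    where = f"{f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} ({f['action']})"
    if src in IT_NET and dst in OT_NET:
        if (f["src"], f["dst"], f["proto"], int(f["dport"])) not in ALLOWED_IT_TO_OT:
            return Alert("it_to_ot_unsanctioned", f["ts"], where)
    elif src in OT_NET and dst not in OT_NET:
        # OT devices should never initiate connections outward.
        return Alert("ot_egress", f["ts"], where)
    return None


def check_audit(e: dict):
    """Flag privileged-group changes without a ticket and service binaries in odd places."""
    if e["event"] == "group_change" and e["group"] in PRIVILEGED_GROUPS and "ticket" not in e:
        return Alert("privileged_group_change", e["ts"],
                     f"{e['actor']} added {e['user']} to {e['group']} on {e['host']}")
    if e["event"] == "service_install" and not e["path"].lower().startswith(TRUSTED_SERVICE_DIRS):
        return Alert("untrusted_service_binary", e["ts"],
                     f"{e['name']} at {e['path']} on {e['host']} (by {e['actor']})")
    return None


def scan(flow_lines, audit_lines):
    """Run both detectors and return the alerts in log order."""
    alerts = [a for a in (check_flow(parse_kv(line)) for line in flow_lines) if a]
    alerts += [a for a in (check_audit(parse_kv(line)) for line in audit_lines) if a]
    return alerts


# Constructed sample logs for the example; not real BEL telemetry.
FLOW_LOG = [
    "2023-05-09T01:02:03Z src=10.10.5.10 dst=10.20.1.5 proto=tcp dport=1433 action=allow",
    "2023-05-09T02:13:44Z src=10.10.7.23 dst=10.20.1.5 proto=tcp dport=502 action=deny",
    "2023-05-09T02:13:45Z src=10.10.7.23 dst=10.20.1.9 proto=tcp dport=3389 action=deny",
    "2023-05-09T02:20:00Z src=10.10.7.23 dst=10.10.8.4 proto=tcp dport=445 action=allow",
    "2023-05-09T03:00:00Z src=10.20.1.9 dst=203.0.113.7 proto=tcp dport=443 action=deny",
]
AUDIT_LOG = [
    '2023-05-10T03:01:12Z host=fs01 event=group_change user=svc_backup group="Domain Admins" actor=jdoe',
    '2023-05-10T09:15:00Z host=dc01 event=group_change user=asmith group="Domain Admins" actor=itadmin ticket=CHG-1042',
    r'2023-05-10T03:05:40Z host=fs01 event=service_install name=WinMgrSvc path=C:\Users\Public\winmgr.exe actor=svc_backup',
    r'2023-05-10T10:00:00Z host=app02 event=service_install name=MSSQLSERVER path="C:\Program Files\Microsoft SQL Server\sqlservr.exe" actor=itadmin',
]

if __name__ == "__main__":
    for a in scan(FLOW_LOG, AUDIT_LOG):
        print(f"{a.ts} {a.kind}: {a.detail}")
```

Two design choices matter here. Denied flows are still reported, because a workstation that is suddenly trying Modbus (502) and RDP (3389) against OT addresses is the "unusual traffic" signal even when the firewall holds; and the allowlist is a closed set rather than a deny list, so a new flow type has to be added deliberately. On the host side, a membership change to a privileged group without a change ticket and a service whose binary sits outside the standard program directories are the two cheap checks that correspond to the "account elevations" and "software that was not supposed to be in our system" that Fuller mentions.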

It should also be noted that, aside from the email notifying the company that its systems had been compromised, no ransom demand has been received.

And while that is the case for now, when it rains, it pours. Some of the hardware the company uses to provide online services to customers was damaged. Mencias says this was not a result of the cyber-attack, though the two incidents sit conspicuously close together on the timeline.

As a result, BEL has been unable to offer online bill payment and other online services to customers. On top of that, the partnership between the electricity company and Belize Water Services (BWS), under which customers could pay both BEL and BWS utility bills at either company's agents, was abruptly canceled by BWS this week.

While the company had indicated that the partnership might have ended in August of this year in any case, it appears that the cyber-attacks against BEL hastened the national water company's decision to cut those ties.

BEL is now rolling out arrangements to ensure that customers can pay their bills; for the first time in years, its corporate office is open for bill payment transactions. The company hopes this will be only a temporary measure until its online system is back up and running.

BEL is coming off one of its most challenging months, with heatwaves that drove record-breaking energy use and pushed grid capacity constantly to the edge, leading to a number of power outages. It now faces this new and unfamiliar threat, a near full-scale cyber-attack, and the loss of one of its longest-standing and most important payment collection partners.

Despite these headwinds, CEO Mencias reassured the public that they will get past this.

“It’s been a difficult few weeks for BEL, and this is coming off the generation shortages in June, but, we’re the national electric utility; we are made of stern stuff; we are made to serve, and we will continue,” CEO Mencias said.
