28 July 2025 | Author: Ron Broeders | Image: the editors | Keyword: netherlands
Russian hackers disrupt Dutch wind farms: how vulnerable is our power grid?
A Russian hack at a German wind turbine manufacturer in 2022 also affected Dutch wind turbines. Some were idle for months, including those at wind farm Oude Maas. This is a reconstruction of how Europe's most wanted criminals carried out a hack with potential risks to the power supply on our continent. What about the cybersecurity of our critical infrastructure? And who is monitoring it?
In February 2022, just one day after the Russian invasion of Ukraine, hacker group Conti posted two messages on its website. Usually, these are business announcements such as ‘we are extorting company network X or Y’, but after the invasion, the digital messages changed: Conti supports the Kremlin and threatens to attack the critical infrastructure of countries thwarting Russia. This includes banks, drinking water or electricity companies.
Conti is the only major conglomerate within the Russian cybercriminal elite that is politically engaged. The collective is part of a larger cybercriminal network called Wizard Spider, a kind of digital matryoshka of hacker groups mainly operating from Russia with obscure names such as Ryuk, Emotet, IcedID and Trickbot.
Conti keeps its promise: six weeks after the digital scribbles, a ransomware attack paralyses the computer network of German wind turbine manufacturer Nordex. In a ransomware attack, cybercriminals send a seemingly normal email with a link. However, clicking on the link activates malicious software that ‘opens the door’ for attackers. They steal information, lock the computer network and demand a ransom to make the network accessible again.
Nordex's computers are connected to thousands of wind turbines around the world
Nordex is among the top European companies in the onshore wind industry. The multi-billion-dollar company currently maintains 12,800 wind turbines with a total capacity of 41 gigawatts (GW). According to figures from the industry organisation WindEurope, Nordex had a European market share of over 10% in 2024. Nordex supplies to forty countries worldwide, sixteen of which are in Europe. The turbine manufacturer's wind turbines are also located in the Netherlands.

According to Nordex’s spokesperson, 70% of their customers use Nordex maintenance services. For this purpose, the company collects information about, for example, cooling, vibrations, speed and noise. Computers at Nordex are therefore connected to thousands of wind turbines worldwide. These in turn are connected to the owners: energy companies or cooperatives.
What happened during the hack at Nordex? What was the impact on wind farms? What did the authorities involved do? How much was known about Conti? Vers Beton and Small Stream Media reconstructed the event.
'Hello, we are Conti group'
On the morning of March 31, 2022, IT employees report unknown activity on the Nordex network in the German port city of Rostock. Conti’s cybercriminals have infiltrated the network. They download more than 750 GB of sensitive company information, equivalent to millions of pages of Word documents. The stolen information includes data falling under European privacy legislation, such as personal data from various locations, according to documents from the privacy watchdog in the German federal state of Mecklenburg-Vorpommern.
Conti then encrypts the network. A digital note left behind gives instructions on how to reach them. The cybercriminals demand 17.5 million euros to make everything accessible again.
The hackers are demanding €17.5 million to restore access to the network
On April 2, Nordex writes in a press release that the break-in was noticed at an early stage. Security experts try to prevent the spread of the ransomware. As a precaution, the entire IT network was shut down. The same day, the company reports the incident to the German authorities, including the cyber watchdog Bundesamt für Sicherheit in der Informationstechnik (BSI).
Ten days later an update follows. In order to protect all wind farms in operation, Nordex pre-emptively disabled external access to the company's IT infrastructure, including the systems in Germany monitoring wind turbines elsewhere in the world. Despite the intervention, the existing wind farms continue to generate energy. Communication between them, grid operators and energy traders is not interrupted. The attack only affects the company network.
Nordex refuses to pay the 17.5 million ransom, after which Conti publicly announces the hack in mid-April. While the hacker group explicitly reports it concerns a ransomware attack, Nordex itself never mentions the type of attack openly. Not even in the annual figures or other public documents for investors and shareholders. It is only a ‘cyber incident’.
Hoeksche Waard
The ransomware attack has cross-border consequences, since the Netherlands is also affected. Near Rotterdam, wind farm Oude Maas experiences problems. The brand-new park in the Hoeksche Waard consists of five wind turbines on the banks of the river Oude Maas, opposite Barendrecht, and is about to start producing green energy for 24,000 households. However, the hack at Nordex throws a spanner in the works. Instead of a danse à deux with the wind, the turbines stand still between the waving willows in the polder landscape along the steadily flowing water. Due to the hack, Nordex is unable to install the latest software updates to adjust the cooling and speed, among other things. The opening of the wind farm Oude Maas has to be postponed.
The consequences of the ransomware attack are cross-border. The Rotterdam region has also been affected
In addition to the software problems, turbine parts are also missing. Nordex did not know where the last turbine parts were, says Ronald Kloet, director of Renewable Factory, which owns wind farm Oude Maas together with Eneco. The wind farm cannot start until these problems are resolved. The damage amounts to several hundred thousand euros. "This cost the Netherlands green energy," says Kloet, "and us a penny."
It takes months before everything is in order again. Just like with two other new Dutch wind farms: Spuisluis on the North Sea Canal and Bommelerwaard A2 south of Zaltbommel, which also postpones completion until mid-April 2022. It causes stress for the initiator of wind farm A2, Hein de Kort: "We already had to pay interest and instalments and had a delivery obligation to [energy company, ed.] Greenchoice." In turn, Greenchoice has obligations to its customers as well, but because the wind farm cannot supply power, the energy company has to buy power on the daily market. De Kort: "That is often expensive. Ultimately, the consumer pays the bill." The same applies to wind farm Oude Maas; it also has delivery obligations.
At the end of July 2022, wind farm Spuisluis near Tata Steel also reports a postponement. Spuisluis is partly owned by Eneco, which confirmed completion was delayed due to ‘an incident’ at Nordex. The energy supplier does not want to confirm whether it was a ransomware attack and whether it has held Nordex liable for the damage suffered. “That is between Nordex and Eneco.”
International problems
The ‘cyber incident’ means Nordex’s corporate network needs to be replaced. Financial figures are inaccessible. As are their sustainability data. Nordex misses the deadline for the first-quarter figures of 2022, whereupon the German stock exchange drops Nordex from two technology exchanges until mid-September. Shareholders lose money, profits evaporate and Nordex fears red figures.
The production of turbine components in Rostock was at a standstill for weeks. Spanish factories in the province of Navarra are also affected. Nordex struggles to ship products from Turkey to Central Europe. There is a shortage of components such as chips and cabinets. Information about the disruption at European wind farms remains shallow. There were mainly start-up problems for new wind farms, most of them in Germany. Nordex says nothing about the Netherlands.
Sometimes ransomware groups overlap with governments, or they work together
The Rotterdam grid operator Stedin calls cyber-attacks a major risk to affordable sustainable energy and the energy transition. “Hackers controlled by countries and cyber criminals are one of the culprits,” Stedin writes in its 2022 annual report. Preceding this, the Dutch General Intelligence and Security Service (AIVD) had already been warning for some time. In 2019, the service reported a “cross-pollination with criminal attack tools, with countries using ransomware in digital sabotage attacks.”
The Dutch National Coordinator for Terrorism and Security (NCTV) considers ransomware a risk to national security. Without naming names, the organization wrote in 2021: “Sometimes ransomware groups overlap with governments. Or they work together.” It is a source of concern.
However, Dutch politics did not take immediate action after the ransomware attack. In mid-August 2022, then Minister of Climate and Energy Rob Jetten responded reassuringly to parliamentary questions from Joost Eerdmans (JA21) about the hack. According to Jetten, there was nothing to worry about, because already operational wind farms continued to supply energy. “The digital attack on Nordex affected the office automation and had no impact on the hardware that has access to the control of the wind turbines,” he replies. “Nordex is merely a supplier to the wind farm [Oude Maas, ed.].”
Conti is a Russian hacker group with close ties to the Kremlin
Jetten only mentions wind farm Oude Maas. He does not have an overview of cyber-attacks on the wind energy sector. Strange, because it is already known that more new Dutch wind farms with Nordex wind turbines are experiencing problems.
Jetten does not answer Eerdmans’s question about the perpetrators behind attacks on systems and networks of Dutch wind turbines in 2022. He does not have information on this matter. In Belgium however, MP Tom Ongena knows more at the beginning of September 2022. The consequences for wind farm Oude Maas inspire him to ask questions in the Senate about the safety of Belgian wind turbines. Based on the current state of events at the time, he calls "Conti a Russian hacker group with close ties to the Kremlin." Apparently, this information is unknown to Dutch authorities such as the NCTV, the National Cyber Security Center (NCSC) and the Ministry of Justice and Security when they read along with draft versions of the answers to the parliamentary questions in July and August 2022.
Worst case scenario
In 2021, the NCTV recognizes the danger of ransomware for industrial control systems: “If access to process automation is via office automation, this enables the attacker to also reach critical processes in order to install ransomware.” In other words: ransomware can reach and paralyze the control of, for example, wind turbines via office automation. This is at odds with Jetten's reassuring statements in response to parliamentary questions in mid-August.
Because Nordex shuts off the computer network from the outside world as a precaution, it prevents the worst case scenario. If the ransomware had reached the control software and turbines had failed, this would have directly affected the European electricity grid. The grid can absorb the lost power from one wind farm, but if multiple wind farms of a major player such as Nordex fail at the same time, the chance of blackouts increases.
Research by cybersecurity expert Willem Westerhof of cybersecurity company Secura gives an idea of what is needed for this to happen. In 2017, he investigated the effect of the sudden failure of large amounts of solar energy on the European grid. What did he find? If 3 to 5 GW of power fails, a serious calamity occurs, such as a – local – blackout. To illustrate: 3 to 5 GW is equivalent to 3 to 5 large power plants supplying approximately 3 to 5 million households with electricity.
Public transport came to a standstill, planes remained grounded, and emergency services experienced communication problems
Three ‘ordinary’ incidents support Westerhof’s findings. The first occurred in the winter of 2021, when the European electricity grid nearly crashed. A difference in supply and demand of 5.8 GW forced the European grid operator ENTSO-E to take emergency measures. During Christmas, the warm weather in the Balkans caused a lower than usual demand for electricity, while a colder period in northwestern and central Europe caused demand for electricity to increase. This difference in supply and demand led to an imbalance in the European grid. The reserve capacity of the electricity grid was insufficient, and eventually the northern and southern parts were split. An unusual measure, but this way ENTSO-E prevented power outages throughout Europe.
Then last summer. A power loss of 2.2 GW on the South-East grid led to a (partial) blackout in Albania, Bosnia-Herzegovina, Montenegro and Croatia. Although no domino effects within Europe took place, air conditioning failed en masse in the middle of a heat wave of 40 degrees plus in the Balkans. Traffic lights stopped working, resulting in traffic chaos. Restaurants, bars and supermarkets closed their doors. Pumps could no longer draw water. The city of Sarajevo, among others, was completely without power for hours. The consequences of the large-scale power failure on the Iberian Peninsula last April are similar. Public transport came to a standstill. Airplanes were grounded. Emergency services experienced communication problems. The chaos seemed to be caused by a power loss of 2.2 GW, possibly involving solar panels. The investigation into this incident is still ongoing.
At the end of 2021, Nordex owns around 17 GW of onshore wind power in Europe, equivalent to 17 large power plants capable of supplying 17 million households with electricity. Given the examples above, enough assets to cause serious problems if they suddenly stop producing energy.

Passwords lying around
Westerhof wouldn't bet his life on the fact that hackers can't do any harm via office automation: "You could find information about the control of industrial installations. For example, there's a list of passwords lying around somewhere, or you could come across information about employees allowing you to send targeted phishing emails to later penetrate the company's operational technology."
Stolen data is considered a data leak. If personal data such as passwords or employee information is stolen, companies must report this to responsible privacy authorities. The report filed by Nordex at the privacy watchdog of the German state of Mecklenburg-Vorpommern shows Conti stole personal data from Nordex employees from various countries, including copies of identity cards. It remains unclear what other privacy-sensitive data is involved; much information has been blacked out.
In the years following the hack, Nordex takes additional cybersecurity measures. It isolates the access to their wind farms from the backbone network through a series of mechanisms and redundant firewall solutions. The spokesperson states that during the ransomware attack, “there was no risk to the operational systems at any time.” According to him, the computer networks monitoring and managing wind turbines are divided into parts and are isolated from each other. Think of fire doors, which prevent the ‘fire’ from spreading to other parts of the network in the event of a cyberattack. According to the spokesperson, the existing cybersecurity certificate (ISO 27001) underlines the company’s cybersecurity.
“When I read the measures taken, I see they are implementing industry best practices [generally accepted adequate security standards, ed.]. This also means that, before that, they clearly did not have their affairs at the desirable level of maturity,” writes Roland van Rijswijk-Deij in response to the measures. The professor of Internet Security and scientific director of the Twente University Centre for Cybersecurity Research continues: “They had a big wake-up call.”
A jumble of supervision
The Netherlands has a jumble of organisations involved in cyber security. From the government, the NCTV coordinates the digital resilience of the Netherlands, in cooperation with the AIVD, the Dutch Military Intelligence and Security Service (MIVD) and the NCSC. The National Digital Infrastructure Service (RDI) is the national cybersecurity watchdog. It monitors cyber security at organisations.
After the hack, the NCSC spoke to various energy companies indirectly affected by the incident. Furthermore, there was contact with relevant national and international parties to be able to make threat assessments for the Netherlands. The spokesperson for the NCSC – also the spokesperson for the NCTV – points to the German authorities as the responsible authorities for investigating the ransomware attack. Apart from reading along during the answers to the parliamentary questions, the NCTV has no active role and also refers to our eastern neighbours.
The AIVD does not respond substantively to questions, since they are about the service's working methods, level of knowledge and partnerships with other services. What the spokesperson can say is the AIVD "investigates activities of state actors", such as Russia and China.
The RDI is responsible for monitoring critical processes within the energy sector. The service checks whether companies are properly securing their network and information systems under the motto: prevention is better than cure. The RDI also looks at risks of major social and economic damage, so-called systemic risks. According to the RDI, the Nordex incident can be classified as a potential systemic risk, because Nordex is one of the four major wind turbine suppliers in Europe. An incident there can have major effects elsewhere, for example a power failure possibly spreading to banks or payment systems.
The safety of Dutch wind farms depends on foreign supervision
But in the assessment of the Nordex hack, the disruption of power production is the decisive criterion. Existing wind farms continued to produce energy, so further Dutch investigation was deemed unnecessary. Because Nordex's headquarters are in Germany, the German cyber watchdog is responsible for enforcing European cyber legislation and the investigation. In other words, the BSI is responsible for supervising the cyber security of critical processes within the German energy sector. Even when these cross borders. This makes the security of Dutch wind farms dependent on foreign supervision.
The German cyber watchdog BSI does not automatically share the results. “National supervisors still rarely cooperate in the supervision of European companies operating across borders,” explains Jasper Nagtegaal, director of Digital Resilience at the RDI.
Inquiries with the German cyber watchdog lead to a surprise: “The BSI was not closely involved in the incident, which was reported voluntarily.” An incident only needs to be reported if it leads to, among other things, a certain number of hours of power outage affecting a certain number of households. Because the hack at Nordex did not meet this requirement, no one investigated it further. The RDI finds this problematic: many incidents are missed, meaning nothing is learned from them. This is the reason why the Dutch cybersecurity watchdog tries to persuade companies to also discuss minor incidents with them.

Furthermore, the BSI states: “The victim [Nordex, ed.] is not subject to regulations on critical infrastructure in Germany.” Put differently, despite the fact that Nordex has a connection to 70% of the operational wind turbines for maintenance, it is not supervised by the German cyber watchdog BSI, which refers to Nordex itself for explanation. This is striking. Even more striking, unlike Nordex, another German company which also maintains wind farms worldwide, Deutsche Windtechnik, appears to be classified as critical infrastructure. For security reasons, the BSI does not answer questions about which specific companies are vital infrastructure.
Ironically, Deutsche Windtechnik proudly announced on its website in June 2024 it had survived the first BSI inspection. However, on April 11, 2022 – less than two weeks after the attack on Nordex – a ransomware attack hit the maintenance company, preventing it from remotely reading information from over 2,000 turbines for two days. The culprit? Black Basta, a spin-off of Conti, which split into new hacker groups within the Wizard Spider network in the spring of 2022.
Dark marriage
A state actor would work in silence and not encrypt the network, says Tim Philip Schäfers, a German cybersecurity expert, about the Nordex hack. Nevertheless, he does not rule out interest in the stolen information from foreign intelligence services. This risk is the great unknown in the story.
As early as 2017, Alexander Klimburg, then program director at the Hague Center for Strategic Studies (HCSS), pointed out the relationship between the Russian Federal Security Service FSB and cybercriminals. According to Klimburg, the dark marriage has existed since 2007. It is a constant in Russia's offensive cyber program, he writes. The Estonian foreign intelligence service shares the same opinion in its 2018 annual report. Chat messages from hacker group Conti leaked via Twitter at the end of February 2022 also point to ties with the Kremlin. This information was known well before Jetten answered the parliamentary questions.
Europol placed the Nordex hackers on its most wanted list in May 2025
Wizard Spider's senior management has ties with the FSB, the former KGB. Wizard Spider members meet in FSB offices. The FBI, among others, is even more explicit in October 2024, stating that a certain Vitaly Kovalev has a relationship with Russian Intelligence Services and other notorious cybercriminals working for the Kremlin. Kovalev is involved in Trickbot and Conti, both part of the Wizard Spider ecosystem. This is a reason for Europol to put Kovalev on the international wanted list last May, together with other Russian hackers connected to Wizard Spider.
In exchange for protection, networks like Wizard Spider provide a talent pool for state operations, Stanford University research shows. Ransomware attacks are politically motivated. The researchers conclude: Russian groups like Conti increase the number of ransomware attacks ahead of elections in major democracies. The paralyzing effect on Western companies fits Russia’s geopolitical interests. Taken together, ransomware threatens the national security of Western countries, they write.
International law enforcement agencies have been joining forces for years to combat cybercrime. The High-Tech Crime Team of the Dutch police and the Public Prosecution Service in Rotterdam did not provide any clarity on whether the ransomware attack at Nordex is part of the investigation. But the police and the Public Prosecution Service in Hamburg do investigate the hack, they say. And the hunt for the Wizard Spider network? That is still ongoing. The cold east wind battering the sleek steel of windmills that contrast with the irregular shapes of ash trees and willows along the river Oude Maas, subduing its swirling water, does not only generate energy. Cyber risks also blow from this direction.
This article is a collaboration between Small Stream Media and Vers Beton and was made possible with the support of the Dutch Fund for Special Journalistic Projects and JournalismFund Europe.
About this research
In addition to the persons and institutions mentioned in the article, we asked questions to sixteen other sources. Due to the sensitivity of the information, many were unable or unwilling to answer or only in general terms. We also combed through piles of public documents such as annual reports, reports, press releases or the answers to parliamentary questions. In the Netherlands, we made three Freedom of Information requests that yielded little due to the security of organizations and systems.
The AIVD gave a general response to 19 specific questions. The service did not want to confirm or deny they looked into the incident with colleagues from the German security service. Questions about this were not answered. The same applies to the NCSC (26 questions) and the NCTV (25 questions). The High-Tech Crime Team of the police did not respond to our 14 questions. Eneco was asked 17 questions, after which a general response followed. All Dutch authorities point to Germany, because that is where the Nordex head office is located.
We initially asked the German cyber watchdog BSI 30 questions. None of them were answered, and follow-up questions were answered summarily. Nordex gave a general response to our 47 questions. They did not want to grant our request for an interview. The German Public Prosecutor's Office in Hamburg was also uncooperative. In Germany we made two Freedom of Information requests. One to the BSI, but this was rejected for security reasons.
The British National Crime Agency did not provide a substantive response. Nor did the British NCSC, the Foreign, Commonwealth & Development Office or the US Treasury, all involved in the US-British investigation into members of Wizard Spider. The researchers from Stanford University also did not want to provide a substantive response to our 16 questions about their investigation.