The intelligent building of Empresas Públicas de Medellín (EPM) has been practically empty since Monday night because a cyberattack took all the information from EPM’s computers. The almost 4,000 company workers who attend the main headquarters woke up on Tuesday to the news that they had to work from home, as in the most feared times of covid, because their servers had been taken over by a virus.
The virus is called ransomware. It infects equipment and systems to hijack their information and block or encrypt it. Like covid, ransomware is contagious: its chain of propagation begins with a patient zero. That is, it takes over one user’s information and then infects everyone who shares the same network.
The next step is to demand an extortion payment from the victim, almost always in cryptocurrencies, in exchange for the release of the systems or under the threat of leaking the data through the Deep Web or Dark Web, the dark and clandestine side of the Internet.
All this is what happened to EPM, which at dawn on Tuesday (a day before the first two Hidroituango turbines generated energy for the first time) no longer had a website, mobile application, payment gateway or intranet. In addition, many of the computers that were connected to the smart building network did not turn on or were blocked. In a brief statement of just two paragraphs, the company reported that morning that it had had a “cybersecurity incident”, which is why it had sent its employees home, and gave assurances that the situation had “no effect on the adequate provision of public services of energy, water and gas”.
However, everything seems to indicate that the consequences of the attack and the hijacking of information are on a large scale. After four days, most of the company’s technological services are still hijacked and the workers remain at home.
On Wednesday morning it was learned that the Prosecutor’s Office opened a preliminary investigation to find those responsible for the cyberattack. Francisco Barbosa’s Prosecutor’s Office was itself the victim of a very similar event in August of this year, when a group of hackers seized the emails of thousands of officials, in which there was sensitive information on operations and investigations of corruption, homicides and sexual abuse, which were made public last month. It is the largest hack that a state institution has suffered in Colombia: it is estimated that five terabytes of information were stolen. The Prosecutor’s Office told this newspaper that the size of the theft of information from EPM would be 15 terabytes, triple that.
Likewise, the investigative body acknowledged its concern regarding the increase in cyberattacks in the country. More than two weeks ago, EPS Sanitas, with almost five million affiliates in the country, suffered an attack against its technological infrastructure from which it has not recovered; most of its online services are still down. Apparently the hackers kept critical patient information such as medical records.
The Prosecutor’s Office also confirmed that the cybercriminals demanded a reward in exchange for the release of the seized and encrypted information. Edna Patricia Cabrera, in charge of the Specialized Directorate Against Computer Crime, told EL COLOMBIANO that, in the case of EPM, the seized information apparently does not contain customer data but rather concerns the operation and internal dynamics of the company. But the Mucho Hacker portal, specialized in this type of crime, published screenshots that would prove that there is private data on employees and financial information, for example data on payments, budgets, reports and bank documents.
The contingency plan
Apart from a couple of official statements and posts on its Twitter account with little or no information in this regard, EPM’s secrecy has been absolute. This newspaper tried several times to contact personnel from the company’s technology area but received no response. However, we note that the calm regarding the “incident” is only behind closed doors.
In a decree signed that same Tuesday, the general manager of EPM, Jorge Andrés Carrillo, after making a preliminary analysis of the effects of the ransomware and the impact it might have on the operation of the organization, escalated the situation to the company’s General Crisis Team and activated the Critical Events Attention Protocol (PADEC).
The document also makes $5,000 million available to Darío Amar Flórez, Executive Vice President of New Business, Innovation and Technology, so that he can enter into contracts and agreements that allow support and attention to the “cybersecurity incident”.
Sources linked to EPM revealed that within the company this official has been pointed to as one of those chiefly responsible for the “incident”, since his vice presidency is in charge of establishing a shield against cyberattacks. Amar, who has a close and influential relationship with Mayor Daniel Quintero, not only holds this high position at EPM, but is also a board member at its subsidiary on the Atlantic Coast (Afinia), at Empresas Varias and at Ruta N. In addition, his brother César represents Quintero on the board of the APP Agency, another entity related to the business conglomerate of the District.
Part of the criticism has to do with the relations of the two brothers, who are from Cartagena, with companies in the technology sector. Darío has been General Manager of Quipux S.A., the same company behind the scandalous contract for the photo fines in Medellín, criticized for the large profit margin that it apparently left him and its lack of effectiveness in improving road safety in the city. Quipux also held the contract for the Single Transit Registry (Runt), which likewise drew complaints regarding the considerable cut that should have gone to the State and that was transferred to private individuals. For his part, César Amar, according to his LinkedIn profile, is the legal representative of Selecta Consulting Group, to which his mother and stepfather would also have been linked. What is notable is that it is the same company that appeared in the media in 2020 because it allegedly profiled, for the Medellín mayor’s office, journalists and people who have questioned the current district administration.
Complaints reached the EPM Ethics Line at the end of 2020 that Darío Amar was incurring a conflict of interest and only later did he declare that conflict due to his proximity to Quipux and Selecta Consulting.
However, journalists from this newspaper found that this same firm signed several contracts in the last two years for more than $37 million with Empresa de Energía del Quindío (EDEQ), a subsidiary of EPM, precisely for the supply of software licenses, and in September of this year it was given another contract for $334 million through the Pascual Bravo University Institution to teach digital marketing courses. These two examples would support the suspicions that circulate in the EPM intelligent building and that now grow even stronger with the assignment of the $5,000 million to ward off the effects of the cyberattack.