Full Report
The electricity grid – the buzzing, crackling marvel that supplies the lifeblood of modernity – is by far the largest structure humanity ever built. It’s so big, in fact, that few people even notice it, like a fish can’t see the ocean. Until the grid goes down, that is. Then, like the fish dangling from the angler’s hook, we see our vulnerability. Modernity dissolves into a sudden silence, followed by the repeated flick of a light switch, and a howl of panic at the prospect of missed appointmen
Analysis Summary
# Main Topic
Critical vulnerabilities discovered in the PV (photovoltaic) plant management platforms of Solarman and Deye, which coordinate operations for approximately 20% of the world's solar power output (195 GW). If exploited, these weaknesses could allow attackers to manipulate inverter settings, potentially causing blackouts and disrupting critical energy infrastructure.
## Key Points
- Bitdefender researchers found a series of vulnerabilities in the management platforms of Solarman and Deye.
- The affected platform is responsible for coordinating production operations for millions of solar installations globally, representing 195 GW of solar power capacity.
- Exploitation could enable an attacker to control inverter settings, intentionally causing parts of the electrical grid to go down.
- The vulnerabilities have been reported to the vendors and subsequently fixed, adhering to coordinated vulnerability disclosure protocols.
- Solar inverters are critical components that convert DC power from panels to AC power for the grid and are essential for managing voltage variability.
## Threat Actors
- **Attribution:** No specific threat actor group was named, and no active attack was reported; the coverage focuses on the researchers' discovery and the subsequent patching.
- **Motivation (Inferred):** Cyber-enabled sabotage or disruption of critical energy infrastructure (power grid).
## TTPs
- **Targeted Component:** PV plant management platforms (Solarman and Deye).
- **Attack Vector (Inferred):** Exploitation of specific weaknesses in the inverter/controller management system.
- **Impact Tactic:** Manipulation of inverter settings to cause operational inconsistencies (e.g., generation/demand imbalance leading to disconnections or voltage anomalies).
## Affected Systems
- PV plant management platforms operated by **Solarman** and **Deye**.
- Associated inverter controllers that manage solar power production feeding into the larger electricity grid.
- Partner companies utilizing these platforms, including (but not limited to): Afore, Canadian Solar, Sofar, Intelbras, Havells, Anfuote, Beyondsun, Fxpower, Itramas, Yienergy, Malina, and Trannergy.
## Curation of IoCs
*Note: The source text primarily details vulnerabilities and vendor information rather than active Indicators of Compromise (IoCs) like malicious IPs or file hashes. The following are defanged URLs related to the affected entities:*
- Vendor Login URL: hxxps://monitoring[.]csisolar[.]com/platformSelect
- Deye Website: hxxps://www[.]deyeinverter[.]com/
- Canadian Solar Website: hxxps://www[.]canadiansolar[.]com/
## Mitigations
- Vendors acknowledged the report and deployed security patches to fix the identified vulnerabilities.
- Most affected vendors have scheduled maintenance windows set aside to implement these security mitigations.
- The broader mitigation strategy depends on building robust cybersecurity into IoT deployments and energy management systems.
## Conclusion
The discovery highlights a significant, systemic risk where vulnerabilities in decentralized solar energy components (managed via Solarman/Deye platforms) could be weaponized to attack the stability of the broader electrical grid. Since patches were reportedly issued, asset owners within the energy sector should verify that all installed Solarman, Deye, and associated partner management systems have successfully applied the necessary security updates to neutralize these control manipulation risks. Vigilance in securing renewable energy infrastructure is paramount.