Full Report
ELECQ, maker of smart electric vehicle (EV) chargers, is warning customers that their personal details may have been stolen in a ransomware attack that encrypted and copied user data from its cloud systems. In a notice sent to customers on Monday and seen by The Register, the EV charging outfit said that it detected "unusual activity" on its AWS cloud platform on March 7 and quickly discovered that attackers had launched a ransomware attack against parts of its infrastructure.
Analysis Summary
# Incident Report: Ransomware Attack and Data Exfiltration at ELECQ
## Executive Summary
ELECQ, a manufacturer of smart electric vehicle (EV) chargers, suffered a ransomware attack targeting its AWS cloud infrastructure. The attackers successfully encrypted parts of the infrastructure and exfiltrated databases containing customer contact information, including names and home addresses. While device operations were unaffected, the company is now managing a significant data breach affecting its international customer base.
## Incident Details
- **Discovery Date:** March 7, 2026
- **Incident Date:** Circa March 7, 2026
- **Affected Organization:** ELECQ
- **Sector:** Electric Vehicle Infrastructure / Manufacturing
- **Geography:** Headquarters in China; impacted customers in the UK, Germany, and potentially other European markets.
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Prior to March 7, 2026)
- **Vector:** Likely exploitation of remote access services.
- **Details:** The post-incident decision to disable SSH/Telnet suggests a weakness in the remote management protocols (SSH/Telnet) exposed by the affected systems.
### Lateral Movement
- **Details:** Attackers moved within the AWS cloud platform to reach core databases.
### Data Exfiltration/Impact
- **Details:** Attackers copied databases containing customer names, email addresses, phone numbers, and home addresses before deploying ransomware to encrypt the cloud servers.
### Detection & Response
- **March 7, 2026:** ELECQ detected "unusual activity" on its AWS platform.
- **Response Actions:** Affected servers were taken offline, and the incident response process was initiated.
- **March 9, 2026:** Public disclosure and notification sent to customers and regulators.
## Attack Methodology
- **Initial Access:** High probability of compromised remote access services (SSH/Telnet).
- **Persistence:** Undisclosed.
- **Privilege Escalation:** Undisclosed.
- **Defense Evasion:** Use of encryption (ransomware) to mask final actions.
- **Credential Access:** Undisclosed.
- **Discovery:** Reconnaissance of cloud databases on AWS.
- **Lateral Movement:** Undisclosed.
- **Collection:** Gathering of customer account information from databases.
- **Exfiltration:** Data "copied" to attacker-controlled infrastructure.
- **Impact:** Encryption of cloud-based infrastructure (Ransomware).
## Impact Assessment
- **Financial:** Costs associated with third-party forensic specialists and potential regulatory fines.
- **Data Breach:** Compromise of Personally Identifiable Information (PII): Names, emails, phone numbers, and home addresses. No financial data involved.
- **Operational:** Disruption to cloud-based management systems; however, physical EV chargers remained operational.
- **Reputational:** Public notice via *The Register*; potential loss of customer trust regarding home address privacy.
## Indicators of Compromise
- **Network indicators:** Activity involving unauthorized SSH/Telnet connections.
- **File indicators:** Encrypted database files; presence of ransomware notes (details not provided).
- **Behavioral indicators:** Unusual account activity on AWS cloud platform; large-scale data egress.
## Response Actions
- **Containment:** Affected servers were taken offline immediately upon discovery. Remote access services (SSH/Telnet) were disabled globally.
- **Eradication:** Third-party forensic specialists engaged to identify and remove vulnerabilities.
- **Recovery:** Restoration of systems from backups; strengthening of network-wide encryption.
## Lessons Learned
- **Key Takeaways:** Legacy or insecure remote access protocols (Telnet/SSH) in cloud environments present a significant risk.
- **What could have been done better:** Implementation of Multi-Factor Authentication (MFA) and more stringent Network Access Control Lists (NACLs) might have prevented access to the AWS resources.
## Recommendations
- **Access Management:** Ensure all remote access is conducted via secure VPNs or Identity-Aware Proxies rather than open SSH/Telnet.
- **Data Protection:** Implement at-rest encryption for all customer databases to mitigate the impact of data exfiltration.
- **Monitoring:** Deploy enhanced cloud logging and alerting for "unusual activity" to reduce Mean Time to Detect (MTTD).
- **Phishing Awareness:** Provide customers with clear guidance on how to identify social engineering attempts leveraging their stolen contact data.
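The Access Management and Lessons Learned items above both turn on one concrete control: no SSH or Telnet ingress from the open internet to cloud resources. The following script is an added example (not ELECQ's code and not from The Register article) that audits security-group style ingress rules for world-reachable SSH/Telnet. The rule structure mirrors the `IpPermissions` shape returned by AWS `describe-security-groups` (`IpProtocol`, `FromPort`, `ToPort`, `IpRanges`/`Ipv6Ranges`), but the groups below are constructed sample data, and the group IDs are placeholders. It goes slightly beyond the single-port case by handling port ranges and the all-protocol rule (`IpProtocol` of `-1`), which also admit these ports.

```python
"""Audit ingress rules for world-reachable SSH/Telnet (added example, constructed data).

The dict layout mirrors the IpPermissions structure from AWS
describe-security-groups; the SAMPLE_GROUPS below are constructed, not real.
"""
from __future__ import annotations

# Remote administration services flagged in the incident report.
REMOTE_ADMIN_PORTS = {22: "SSH", 23: "Telnet"}
# Source ranges that mean "anyone on the internet".
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _rule_covers_port(rule: dict, port: int) -> bool:
    """True if an ingress rule admits TCP traffic to the given port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def _world_sources(rule: dict) -> list[str]:
    """Return the IPv4/IPv6 source ranges in a rule that are world-open."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def find_open_remote_admin(groups: list[dict]) -> list[dict]:
    """Return one finding per (group, service) where SSH/Telnet is open to the world."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            sources = _world_sources(rule)
            if not sources:
                continue  # restricted to private ranges: not a finding
            for port, name in REMOTE_ADMIN_PORTS.items():
                if _rule_covers_port(rule, port):
                    findings.append({
                        "group": sg["GroupId"],
                        "service": name,
                        "port": port,
                        "sources": sources,
                    })
    return findings


# Constructed sample groups (placeholder IDs), covering the cases that matter:
#   1. SSH open to the world, database port restricted to a private range
#   2. all-protocol rule open to the IPv6 world (admits both SSH and Telnet)
#   3. a TCP port range 20-25 open to the world, which silently covers 22 and 23
SAMPLE_GROUPS = [
    {"GroupId": "sg-constructed-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-constructed-2", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-constructed-3", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]


if __name__ == "__main__":
    for f in find_open_remote_admin(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['service']} (tcp/{f['port']}) open from {', '.join(f['sources'])}")
```

Run against real data, the input would be the `SecurityGroups` list from `describe-security-groups`; any finding is a rule that should be replaced by VPN- or identity-aware-proxy-only access, as the Access Management recommendation states. The range and all-protocol cases are the ones a port-equality check misses.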