An attack on the company’s AWS platform may have exposed customers' names and home addresses. Exclusive: ELECQ, maker of smart electric vehicle (EV) chargers, is warning customers that their personal details may have been stolen in a ransomware attack that encrypted and copied user data from its cloud systems.…
# Incident Report: Ransomware Attack and Data Exfiltration at ELECQ
## Executive Summary
ELECQ, a manufacturer of smart electric vehicle (EV) chargers, suffered a ransomware attack targeting its AWS cloud platform. The attackers successfully encrypted and exfiltrated a database containing customer names, email addresses, phone numbers, and physical home addresses. While charging operations remained functional, the company has taken affected servers offline and is currently undergoing forensic recovery and regulatory reporting.
## Incident Details
- **Discovery Date:** March 7, 2026
- **Incident Date:** March 7, 2026 (Detection of unusual activity)
- **Affected Organization:** ELECQ
- **Sector:** Electric Vehicle Infrastructure / IoT
- **Geography:** Global (Headquartered in China; impacts noted in UK and Germany)
## Timeline of Events
### Initial Access
- **Date/Time:** On or before March 7, 2026
- **Vector:** Probable exploitation of remote access services (SSH/Telnet).
- **Details:** While not explicitly confirmed, the company’s immediate response of shutting down SSH/Telnet services suggests these were the likely entry points or points of vulnerability.
### Lateral Movement
- **Details:** Attackers moved from the initial entry point to the AWS cloud databases where customer data was warehoused.
### Data Exfiltration/Impact
- **Details:** Attackers utilized "double extortion" tactics, copying user databases (exfiltration) before deploying ransomware to encrypt the original files on the AWS platform.
### Detection & Response
- **How it was discovered:** Automated or manual monitoring of "unusual activity" on the AWS platform.
- **Response actions taken:** Affected servers were taken offline; incident response protocols were triggered; third-party forensic specialists were engaged.
## Attack Methodology
- **Initial Access:** Likely through insecure remote access protocols (SSH/Telnet).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Scanning for AWS-hosted databases.
- **Lateral Movement:** Movement across the AWS infrastructure to reach data storage.
- **Collection:** Gathering customer account details (PII).
- **Exfiltration:** Copying data to an external location prior to encryption.
- **Impact:** Data encryption (Ransomware) and potential public leak of PII.
## Impact Assessment
- **Financial:** Costs associated with third-party forensic firms and potential regulatory fines. No financial/payment data was stolen.
- **Data Breach:** Exposure of names, email addresses, phone numbers, and home addresses for an undisclosed number of customers.
- **Operational:** Temporary shutdown of cloud-based servers; restoration from backups required. EV charging devices remained operational.
- **Reputational:** High; customers’ home addresses are sensitive, and their exposure increases the risk of targeted physical or digital social engineering.
## Indicators of Compromise
- **Network indicators:** Unusual outbound traffic from AWS instances (Data exfiltration); activity on SSH port 22 or Telnet port 23.
- **File indicators:** Encrypted files with likely ransomware-specific extensions (specific strain TBD).
- **Behavioral indicators:** Creation of unauthorized administrative accounts or sudden high-volume data transfers.
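The network and behavioral indicators above can be checked mechanically against VPC Flow Logs. The following script is an added example, not part of the original report or of ELECQ's tooling: it parses constructed flow-log records in the default field order, flags accepted inbound SSH/Telnet connections arriving from outside the VPC, and sums bytes sent from the VPC to each external destination to surface an egress spike. The VPC range (10.0.0.0/16), the 500 MB threshold and every address and interface id are assumptions.

```python
"""Check VPC Flow Logs for the indicators listed in the ELECQ report (added example)."""
import ipaddress
from collections import defaultdict

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC address range
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet"}
EGRESS_SPIKE_BYTES = 500_000_000                  # assumed threshold: 500 MB to one external host
# Constructed sample records in the default flow-log (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.45 10.0.1.12 51422 22 6 40 6000 1772841600 1772841660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 44110 23 6 12 900 1772841600 1772841660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.12 198.51.100.7 52000 443 6 900000 1300000000 1772842200 1772842800 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.12 10.0.2.30 53311 5432 6 800 120000 1772842200 1772842800 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.200 10.0.1.12 60000 22 6 3 180 1772841600 1772841660 REJECT OK
"""

def parse_record(line):
    f = line.split()
    return {"eni": f[2], "src": f[3], "dst": f[4], "dport": int(f[6]),
            "bytes": int(f[9]), "action": f[12]}

def is_internal(addr):
    """Internal means inside the VPC range; everything else is treated as the internet."""
    return ipaddress.ip_address(addr) in VPC_CIDR

def analyze(text, spike_bytes=EGRESS_SPIKE_BYTES):
    findings = []
    egress = defaultdict(int)            # (interface, external destination) -> bytes sent
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_record(line)
        if r["action"] != "ACCEPT":
            continue                     # rejected flows carried no data
        # Indicator 1: an accepted inbound SSH or Telnet connection from outside the VPC
        if r["dport"] in REMOTE_ACCESS_PORTS and not is_internal(r["src"]) and is_internal(r["dst"]):
            findings.append(("remote-access", r["eni"], r["src"], REMOTE_ACCESS_PORTS[r["dport"]]))
        # Indicator 2: bytes leaving the VPC, accumulated per interface and destination
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            egress[(r["eni"], r["dst"])] += r["bytes"]
    for (eni, dst), total in egress.items():
        if total >= spike_bytes:
            findings.append(("egress-spike", eni, dst, total))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```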
## Response Actions
- **Containment measures:** Isolation of affected AWS servers; immediate decommissioning of remote access services (SSH/Telnet).
- **Eradication steps:** Engaging third-party forensic specialists to identify and remove malware/backdoors.
- **Recovery actions:** Restoration of systems from backups; implementation of strengthened network encryption.
## Lessons Learned
- **Key takeaways:** Use of legacy or unhardened remote access protocols (Telnet/SSH) on cloud-facing infrastructure presents an extreme risk.
- **What could have been done better:** Implementation of Multi-Factor Authentication (MFA) and the use of VPNs or AWS Systems Manager (SSM) instead of direct SSH/Telnet access could have prevented the initial intrusion.
## Recommendations
- **Access Control:** Enforce a strict "No Telnet" policy and restrict SSH access to known IP addresses via a VPN.
- **Encryption:** Ensure all data at rest and in transit within the cloud environment is encrypted (as the company is now doing).
- **Monitoring:** Implement real-time alerting for data egress spikes to catch exfiltration in progress.
- **Customer Safety:** Advise customers to adopt a "zero trust" approach to incoming communications, as their leaked home addresses will be used to personalize phishing attempts.
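The Access Control recommendation and the Lessons Learned point about unhardened SSH/Telnet can be enforced as a recurring audit of security-group ingress rules. This script is an added example, not ELECQ's configuration or AWS's own code: it walks a constructed document shaped like the output of `aws ec2 describe-security-groups`, reports every rule that admits Telnet from any source, and every rule that admits SSH from a CIDR outside an assumed VPN allow-list (198.51.100.0/28 and the group ids are placeholders).

```python
"""Audit security-group ingress: no Telnet, SSH only from known CIDRs (added example)."""
import ipaddress

SSH, TELNET = 22, 23
# Assumed allow-list: the VPN egress range administrators connect from (placeholder)
TRUSTED_SSH_CIDRS = [ipaddress.ip_network("198.51.100.0/28")]
# Constructed sample shaped like the output of `aws ec2 describe-security-groups`
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "legacy-mgmt", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [{"CidrIp": "198.51.100.0/28"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/28"}], "Ipv6Ranges": []}]},
]}

def rule_covers(perm, port):
    """True if the permission admits TCP traffic to `port`; protocol -1 means all traffic."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def source_cidrs(perm):
    v4 = [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
    v6 = [ipaddress.ip_network(r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6

def is_trusted(net, trusted):
    # A source range is trusted only if it lies entirely inside an allow-listed range
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)

def audit(groups, trusted=TRUSTED_SSH_CIDRS):
    findings = []                         # (group id, finding, source CIDR)
    for sg in groups["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            for net in source_cidrs(perm):
                if rule_covers(perm, TELNET):            # "No Telnet" applies to every source
                    findings.append((sg["GroupId"], "telnet-exposed", str(net)))
                if rule_covers(perm, SSH) and not is_trusted(net, trusted):
                    findings.append((sg["GroupId"], "ssh-from-untrusted", str(net)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(finding)
```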