Hi, it’s Jordan. We have a rare chance to hear first-hand from an executive whose company was hacked.

It’s rare to see a company speak openly about being hacked. When executives do provide details, it’s usually via the disembodied jargon of a press release or in carefully lawyered remarks to Congress. That’s what made it surprising — and refreshing — when I sat in on a presentation at a cybersecurity conference in Copenhagen where both the CEO and the head of IT security for Jysk Energi, a 101-year-old electric utility in western Denmark, candidly discussed a December 2023 hack that the company addressed by pausing crucial IT systems.

At the conference, I talked with Jysk’s head of IT security, Mikael Tomra Romanius, about the incident and why the company decided to speak about it publicly. It’s part of a recurring series of conversations for Cyber Bulletin with executives from hacked companies on what they’ve learned from their experiences.

The first signs of an intrusion appeared around 3:15 p.m. on Saturday, Dec. 9, when Romanius said he received an alert about a potential issue with his administrative account. He thought it was a false positive and ignored it. About two hours later, a second alert showed that someone was using the account to log into a sensitive server on Jysk’s network — a clear sign of a breach.

Photo caption: Mikael Tomra Romanius, head of IT security for Jysk Energi A/S, a 101-year-old privately owned electricity utility in western Denmark whose network went offline for nearly a week in December after a hacking attack. Source: Photographer Anders Trærup

Under Danish law, utilities are required to have a cyber incident response firm on retainer, which in Jysk’s case was Danish firm CSIS Security Group A/S, Romanius said. By around 5:15 p.m., they had launched a breach investigation, and by 7 p.m. Romanius had decided to sever all of the company’s internet connections to get the hack under control.
The company disclosed the breach, and its IT systems stayed offline until the following Saturday. No data were stolen or locked with a code to demand a ransom. However, CSIS believed the attackers belonged to the Akira ransomware group and that the hackers were trying to deploy malware in the network.

The intruders broke in via a server that Jysk hadn’t considered to be particularly sensitive and only held publicly available data about the location of the utility’s buried cables, Romanius said. The device came to Jysk as part of its acquisition of a company called Fiber Backbone A/S a few years earlier. The server was identified as a potential risk — albeit a low one — and placed on a list of IT systems to eventually join Jysk’s secure network. But the hackers got there first, leveraging administrator credentials stored on the server to elevate their privileges and move across Jysk’s network, Romanius said.

The attack was spotted before it could cause serious damage, but the week-long IT outage seriously disrupted business, and Jysk learned several hard lessons. One was that Jysk’s administrative accounts had too much access across the network, an error for which Romanius takes responsibility. He said the utility has since tightened controls around what types of data each account can access. Another was that Jysk mishandled the migration of Fiber Backbone’s IT systems onto Jysk’s corporate network, he said. Jysk failed to involve its IT and the IT security departments in the acquisition discussions and planning for the merger, which slowed down the systems migration and allowed the vulnerabilities to linger, Romanius said.

“At no point was IT involved - the focus was just to keep the business running,” he said.
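Two of the lessons in the story translate directly into detection logic a defender can write: the first "potential issue" alert on an admin account was dismissed as a false positive until the same account showed up on a sensitive server two hours later, and admin accounts that could reach every host let credentials found on a low-value inherited server become a path to the sensitive ones. The correlator below is an added example written for this newsletter; it is not Jysk Energi's, CSIS's or any product's code. It assumes a simple pipe-separated log of alerts and logons, a constructed asset inventory that assigns each host and privileged account to a trust tier (a tier-0 account is only expected on tier-0 hosts), and constructed host and account names. Rule 1 escalates an earlier admin-account alert when that account then logs on to a sensitive host within a window; rule 2 flags a privileged account used from or on a host of a lower tier, including hosts missing from the inventory altogether.

```python
"""Privileged-account alert correlator (added example; hosts, accounts, tiers and
log lines are all constructed for illustration)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory: lower tier number = more trusted / more sensitive.
HOST_TIER: Dict[str, int] = {
    "dc01": 0,           # constructed: domain controller, most sensitive
    "scada-hist": 0,     # constructed: sensitive operational server
    "admin-ws": 1,       # constructed: IT administration workstation
    "cable-map-web": 2,  # constructed: stand-in for a low-value server holding public data
}
UNKNOWN_TIER = 99                # a host absent from inventory is treated as least trusted
ACCOUNT_TIER = {"it-admin": 0}   # constructed privileged account and its tier
ESCALATION_WINDOW = timedelta(hours=4)


@dataclass
class Event:
    ts: datetime
    kind: str            # "alert" (a detection that may be a false positive) or "logon"
    account: str
    src: str             # host the activity originated from
    dst: Optional[str]   # host logged on to; None for an alert


def parse_line(line: str) -> Event:
    """Parse a constructed 'ts|kind|account|src|dst' log line ('-' means no dst)."""
    ts, kind, account, src, dst = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), kind, account, src, None if dst == "-" else dst)


def host_tier(host: str) -> int:
    return HOST_TIER.get(host, UNKNOWN_TIER)


def correlate(lines) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for privileged accounts, in time order."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    pending: Dict[str, datetime] = {}   # account -> time of latest unresolved alert
    findings: List[Tuple[str, str]] = []
    for ev in events:
        acct_tier = ACCOUNT_TIER.get(ev.account)
        if acct_tier is None:
            continue  # only privileged accounts are tracked in this example
        stamp = ev.ts.strftime("%H:%M")
        if ev.kind == "alert":
            # Record the alert instead of judging it in isolation.
            pending[ev.account] = ev.ts
            findings.append(("low", f"{stamp} alert on admin account {ev.account} from {ev.src}"))
            continue
        if ev.kind != "logon" or ev.dst is None:
            continue
        # Rule 2: a tier-N account touching a less-trusted (higher-numbered) host.
        for host in (ev.src, ev.dst):
            if host_tier(host) > acct_tier:
                findings.append(("high", f"{stamp} tier-{acct_tier} account {ev.account} "
                                         f"used on tier-{host_tier(host)} host {host}"))
        # Rule 1: the earlier alert plus a logon to a sensitive host within the window.
        first = pending.get(ev.account)
        if first is not None and host_tier(ev.dst) == 0 and ev.ts - first <= ESCALATION_WINDOW:
            findings.append(("critical", f"{stamp} {ev.account} logged on to sensitive host {ev.dst} "
                                         f"{ev.ts - first} after the earlier alert; treat that alert "
                                         f"as confirmed, not a false positive"))
            del pending[ev.account]
    return findings


# Constructed log modelled loosely on the timeline in the story.
SAMPLE_LOG = [
    "2023-12-09T15:15:00|alert|it-admin|cable-map-web|-",
    "2023-12-09T15:20:00|logon|svc-backup|admin-ws|dc01",
    "2023-12-09T17:10:00|logon|it-admin|cable-map-web|dc01",
]

if __name__ == "__main__":
    for severity, message in correlate(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

On the sample log the first alert is recorded at low severity, the later logon is flagged twice: once because a tier-0 account is being used from a tier-2 host, and once as critical because it reaches a sensitive server within the window of the earlier alert. The same logon to a sensitive host more than four hours later, or from a tier-0 host, would not escalate the alert, which is the kind of tuning a team would do against its own inventory.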