A random malware strain targeted about 800 remote monitoring devices at ground-mounted PV plants in Japan in May, according to Japanese PV cybersecurity specialist Girasol Energy.
Although the incident did not cause any financial or technical damage to the solar facilities, the malware used the systems as a springboard for fraudulent actions.
“The random malware installed a backdoor and illegally used internet banking to steal money. Once a backdoor is installed, a hacker can easily gain unauthorized access repeatedly without going through the normal authentication process,” Girasol Energy CTO Hiroyuki Ikegami told pv magazine, noting that such incidents are more common than generally believed.
Ikegami explained that cybercriminals frequently make random or automated attempts online to turn vulnerable computers into members of botnets.
“Based on known vulnerabilities, attackers try to break into vulnerable computers and, if successful, install malware to create a backdoor on the computer,” he said. “Computers with backdoors are shared by attackers all over the world – this is a botnet.”
He explained that once computers are part of a botnet, they are at the disposal of attackers. They can use compromised devices for a range of malicious activities, such as sending fraudulent emails or overwhelming servers with traffic to disrupt services in distributed denial-of-service (DDoS) attacks.
Ikegami said the malware targeted SolarView Compact SV-CPT-MC310 remote monitoring devices, developed by Japan-based Contec. The company has since released an updated version of the product, which addresses all the vulnerabilities involved in the incident. It has also told users to update their software.
Contec said in a press release that it found 19 vulnerabilities in SolarView from 2021 to 2023 and has issued patches to address these issues since 2021. Japanese media outlets reported that the attackers used about 800 SolarView devices in the incident on May 1, 2024, to carry out a scam and steal money.
“This means that in about two to three years, 800 vulnerable SolarView will not be maintained from a cybersecurity perspective,” Ikegami said. “Users did not apply these patches to SolarView and continued to deploy vulnerable SolarView directly to the internet. This negligence led to the whole incident.”
Ikegami said the details of how the incident was discovered remain unclear. However, based on reports linking it to money transfer scams, he believes the incident likely surfaced during police investigations into the scam victims.
He warned that all remote monitoring devices connected to the internet are exposed to these risks if they are not properly protected by specialized cybersecurity companies.
“There is no certainty of protection if nobody is surveying the system and attacks like those we have seen in May may have legal consequences for the PV asset owners, although the performance of the plants is not affected,” said Ikegami.
No cases have been reported in Japan in which unwitting botnet participants have been sued for damages related to such issues.
“However, there is a risk, and it is important for businesses to respond appropriately and especially if the system should operate with cybersecurity,” Ikegami said, noting that in this case, it is more profitable for the attacker if the PV owner remains unaware. “It's like using an empty house for illegal activities.”
Ransomware also poses a significant threat to production facilities and IT systems. As PV systems become a more important power source, such attacks could become more common.
“The importance of PV systems will increase in the next few years, thus system integrators need to be particularly careful about ransomware and unknown future attacks,” said Ikegami.