Two electric cooperatives in Texas have reportedly been targeted in a ransomware campaign, with cybercriminal group Qilin claiming responsibility. The group, known for its attacks on critical services globally, has listed San Bernard Electric Cooperative and Karnes Electric Cooperative as victims on its dark web leak site.
If confirmed, the breach could have serious implications. Both cooperatives are part of the U.S. power distribution network, and any disruption or data exposure in this sector amounts to a disruption of national infrastructure.
San Bernard Electric Cooperative operates around 3,900 miles of electrical distribution lines, serving approximately 28,000 homes across eight counties. Karnes Electric Cooperative manages nearly 5,000 miles of lines and provides electricity to 23,000 households in 12 counties.
According to a report by Cybernews, data samples shared by the attackers appear to include a wide range of internal documents. Files allegedly tied to San Bernard contain incident reports with personal contact details, budget and insurance documents, rate-case expenses, and right-of-way contracts. Documents linked to Karnes reportedly include board members’ personal information, detailed financial records, and internal operational data.
While the authenticity of the files has not yet been verified, Cybernews researchers warn that if the data is legitimate, the exposure could lead to significant consequences. The release of financial and operational information could affect the cooperatives’ business competitiveness, while leaked personal information, especially of board members, raises the risk of identity theft and targeted phishing campaigns.
Qilin is one of the most active ransomware groups currently operating, with ties to previous attacks on major global organizations across healthcare, telecommunications, and manufacturing sectors. Since early 2025, the Russia-affiliated group has been linked to over 500 ransomware incidents. The group typically uses its leak site to pressure victims into paying ransoms, often posting data samples to verify claims.
The incident underscores the ongoing vulnerability of essential service providers to sophisticated cyber threats. As ransomware groups continue to evolve and form alliances, the energy sector remains a prime target. This latest case serves as a reminder that strengthening cybersecurity across all layers of critical infrastructure is a strategic necessity.

























