
U.S. energy‑sector forensic teams have begun disassembling Chinese‑manufactured solar inverters and grid‑scale batteries after discovering undocumented 4G/LTE modules and other wireless communication transceivers buried on the circuit boards, according to two people involved in the tear‑downs. The covert hardware, absent from published schematics, creates an out‑of‑band path that can tunnel straight through utility firewalls, potentially granting offshore operators the ability to reconfigure or even turn off power‑conversion equipment at will.
“There is clearly strategic value in seeding core infrastructure with components that can be flipped off like a light switch,” former National Security Agency director Mike Rogers tells Reuters.
What investigators found
- Over the past nine months, forensic security teams have logged multiple brands of Chinese solar inverters containing hidden wireless communication equipment.
- Investigators have also discovered hidden cellular radios in grid‑attached lithium‑ion battery cabinets from several vendors.
- According to three people briefed on the incident, in November 2024, China remotely shut down commercial‑scale inverters in the U.S. and other countries.
While the Department of Energy (DOE) has not publicly commented on the November outage, officials confirmed they are “continually reassessing the risk of undocumented functionality” and are pressing suppliers for a complete Software Bill of Materials.
Why power utilities are worried
Modern distribution grids lean heavily on inverters to translate DC from solar, storage, heat‑pump drives, and EV chargers into AC usable by the network. Because inverters operate in millisecond feedback loops with grid‑control systems, mass manipulation of their set‑points can destabilise frequency and voltage in seconds, far faster than conventional protective relays can respond. “That effectively means there is a built-in way to physically destroy the grid,” one source familiar with the discoveries told Reuters.
A March 2025 report by Forescout researchers documented critical vulnerabilities in products from several manufacturers of solar inverter wireless communication dongles. The researchers demonstrated how malicious actors could remotely access these 4G/Wi-Fi/GPRS-enabled devices via the cloud and then send signals to destabilize nearby or connected solar infrastructure. Additionally, compromised dongles could allow attackers to move laterally into other sensitive equipment on protected networks, echoing warnings given by NIST in December of last year.
Forescout also reported three additional cybersecurity incidents involving solar power monitoring devices in 2024:
- Chinese threat actor Flax Typhoon used botnets to exploit solar devices to pivot their attacks into secure targeted networks abroad.
- Attackers hijacked 800 Contec SolarView Compact devices in Japan.
- The Just Evil hacktivist group accessed the power monitoring dashboard of 22 clients of Lithuania’s Ignitis Group, including two hospitals, by obtaining valid credentials through a Trojan on customer devices.
A widening policy response
Congress is already weighing proposed bans on federal purchases of Chinese batteries beginning in 2027, and utilities from Florida to the Pacific Northwest are racing to qualify “trusted” inverter lines amid warnings from NATO and the Baltic states that energy blackmail via remote disconnection is now a realistic scenario.
An April 2025 risk assessment from SolarPower Europe and DNV warns that seven inverter makers control more than 10 GW of connected capacity each across the continent. “A compromise of just one of these players could destabilise the European electricity grid,” the report states, adding that sensitive operational data remains exposed when vendors host management servers outside the EU.
However, visibility, not sourcing, remains the immediate pain point. As critical US and EU industries continue to modernize their infrastructure, energy, and manufacturing, they are introducing more and more “smart” equipment into their previously isolated facilities. Wireless chips, which are increasingly small and hard to spot, can be overlooked, or deliberately hidden, in any new component, not just inverters.
Bastille: Seeing the Wireless Attack Surface Others Miss
Bastille Networks provides a Wireless Airspace Defense platform to detect these rogue wireless radios. Bastille’s passive sensor arrays detect cellular, Wi‑Fi, Bluetooth, Zigbee, Z‑Wave, and other protocols across 25 MHz–7.125 GHz, locate each transmitter to within one to three meters, and stream AI‑driven intelligent event reporting and risk analytics into existing XDR and SIEM workflows.
Unlike network‑centric tools that watch only IP traffic, Bastille surveils the physical‑layer wireless emissions of every component, whether documented or not, continuously comparing behaviour against baseline models for OT environments.
- Pinpoint hidden modems, fallback radios, and wireless debug interfaces the moment they power on.
- Alert to anomalous live wireless connections between rogue wireless transmitters and critical assets.
- Issue real‑time, high‑fidelity alerts that empower SOC and grid‑control teams to isolate, remediate, and forensically prove tampering before kilowatts become blackouts.
Before a contract dispute or nation‑state play turns distributed energy resources into a remote kill‑switch, make sure Bastille is by the breaker panel.