Cyberattacks on the utilities sector

Utility providers (energy, gas, water, sewage and oil) are targets for both standalone threat actors and large or state-sponsored threat groups. If an Industrial Control System (ICS) or Critical National Infrastructure (CNI) network were to be compromised, threat actors could gain valuable information, disrupt services, and extort money from the providers. Also, customers are vulnerable to social engineering attacks by threat actors posing as the provider, which could result in fraud, data theft or further attacks. These attacks continue to impact globally, with multiple Advanced Persistent Threat (APT) groups and threat actors targeting CNI for cyberespionage, ransomware extortion and political disruption.

In one recent example, the Cl0p ransomware group successfully attacked a UK water supplier, resulting in the exfiltration of 5TB of data. However, the ransomware operators stated that the data was not ransomed as they do not attack critical infrastructure.

Researchers have observed an increase in the targeting of ICS since February 2022. The threats to CNI and ICS originate from both the ever-evolving underground cybercriminal groups, and the increasing geopolitical tensions resulting in state-sponsored group activity. Both public and private European industrial entities face a continued and growing threat from ransomware operators, with small and medium-sized manufacturing businesses in Italy, Germany, Austria and Switzerland believed to be at highest risk. The UK energy, oil and natural gas sectors face the threat of disruption caused by sophisticated threat actors.

There have been instances of malware strains and attacks dedicated to the targeting of ICS and Programmable Logic Controllers (PLCs). Evil PLC, a new attack technique, affects engineering workstation software products by creating a malfunction on internet-facing PLCs, prompting engineers to connect to the infiltrated PLC to troubleshoot the issue. This allows the threat actor to exploit further flaws to gain access to the industrial system. Similarly, a series of state-sponsored ICS-oriented attack tools known as INCONTROLLER was identified. The toolkit consists of three tools named TAGRUN, CODECALL, and OMSHELLE, each targeting a different area of ICS security. PLCs are extremely important for utility infrastructure and have a significant role in industrial devices that control a range of operations. In addition to facilitating automated tasks, they can also be configured to operate safety processes. Threat actors are known to target these devices as they can cause significant damage to them.

Earlier this year, researchers also identified a versatile malware toolkit named PipeDream, dedicated to the compromise of ICS devices. The malware could be deployed against a range of industrial environments, but its operators have focused on Schneider Electric and OMRON PLCs. PipeDream may have been designed to target power grid and oil refineries, in particular liquified natural gas (LNG) facilities. This malware has the potential of to cause real destruction – even life-threatening in some cases – as it can send commands to servo motors in petrochemical facilities via OMRON PLCs.

SCADA systems have been targeted by a range of threat actors in the past, using methods including brute-force attacks, exploiting unchanged factory default credentials, credential stuffing, SQL injection, DDoS (distributed denial of service) and more, and are likely considered a strategic target for adversaries in a war scenario or a terror attack. In May, researchers discovered that the SCADA systems of 308 water and wastewater treatment facilities were exposed over the internet, and could have been used to change chemical levels set by the plant, resulting in the distribution of unsuitable and possibly dangerous water.

There have been recent reports of smishing scams, using the ongoing UK cost of living crisis, as well as the energy bills support scheme as a lure. Threat actors masquerade as a legitimate service offering an application website for a discounted energy bill, linking to a fake phishing page. The gained credentials and personal information may be used in further attacks such as banking fraud.

Both arising and ongoing conflicts have led to an increase in attacks against CNI and utilities providers this year. These attacks tend to be part of larger campaigns spanning multiple sectors. Ransomware operators target multiple companies each day in opportunistic attacks and when successful, threat actors choose to ransom data and extort the victim, while others such as Cl0p have decided not to ransom data from CNI. Cyberespionage campaigns from state-sponsored groups are designed to gain as much valuable information as possible about critical infrastructure in the event of a conflict, so they can precisely target and damage vital components. Activity regarding cyberespionage has increased recently due to the ongoing war between Russia and Ukraine. Political agendas tend to result in the targeting of organisations in this sector, and hacktivists or state-sponsored groups have been observed attacking production facilities to disrupt their operations.

Due to the potential life-threatening damage an attack can cause, organisations in the utilities sector must prioritise digital security and minimise attack vectors. This includes ensuring all software is updated to the latest version, using published IOCs to protect against evolving threats, and deploying defence-in-depth to protect sensitive assets and control systems.

Scroll to Top