Cyber threats and the energy sector: an overview

The major cyber threats facing the energy sector include ransomware, phishing, malware, vulnerability exploitation, supply chain issues, and DDoS attacks. These attacks may be carried out by state-sponsored threat actors, highly-organised criminal gangs, hacktivist collectives or even individuals acting alone. The energy sector is a prime target for cyber criminals for a variety of reasons: state-sponsored groups will be particularly interested in the damage they can inflict on the infrastructure of a rival state. The war currently taking place between Russia and Ukraine offers a prime example of this.

However, the ransomware group acting for financial motives is also drawn to the sector because the provision and maintenance of energy supplies are the fundamental core components of the infrastructure of any developed society: successfully causing a blackout in London, for example, would have a huge impact on the entire nation and cost billions of pounds in lost revenue in a short space of time. The ransomware threat actor will, therefore, correctly assume that the infiltration of a major energy supplier is likely to result in a very handsome payday.

Access to an organisation’s networks may be achieved using a variety of methods. Examples include phishing attacks, where an individual is duped into clicking on a malicious link in an email or on a website; the use of stolen Remote Desktop Protocol (RDP) credentials; or the exploitation of software vulnerabilities.

Ransomware-as-a-Service sales have been increasing, allowing less experienced criminals to purchase malware which they can then deploy themselves. However, the help given to threat actors lower down the chain does not stop there. Assistance may also be provided with the negotiation of ransom payments and the return of stolen data.

Malware-as-a-Service (MaaS) and Phishing-as-a-Service (PhaaS) are other methods offered. Here, even the least knowledgeable would-be cybercriminal can run their own operations without having to concern themselves with developing spoofed webpages, distributing malicious emails or hosting their own websites.

Other techniques for infiltrating networks may involve the exploitation of software vulnerabilities. High-profile examples include the Kaseya MSP supply-chain attack and incidents related to Microsoft Exchange Server. The heavily exploited Log4j vulnerability was identified more recently.

An important example of a supply chain attack was seen in the SolarWinds breach of December 2020, when attackers compromised the company’s network, and infected its software with malware designed to target organisations worldwide, particularly in the financial sector.

DDoS attacks pose another threat to businesses. These can take a company offline, interrupting operations and possibly leading to serious financial losses. Ransomware groups have also been seen to threaten DDoS attacks against victims who have failed to pay their demands.

Turning now to the tangible threat of state-sponsored attacks, a great deal of attention has understandably focused recently on the attacks launched by Russia on energy facilities in Ukraine as part of Putin’s attempt to reinvent his vision of the Soviet Union. What is interesting to note here, however, is that the cyber-attacks have been largely unsuccessful, at least as far as inflicting sustained damage is concerned. Certainly, vital services may have been taken offline for a period of time; but the reports which we are now seeing of Ukrainian citizens freezing in the dark during the coldest months of the year are the result of traditional, physical attacks on the energy facilities – warfare involving munitions, military organisation, great expense and tactical decisions.

And yet Russia has spent quite some time and resources “practising” its cyber warfare capabilities with attacks on critical infrastructure in Ukraine. Back in December 2015, attacks involving the use of BlackEnergy malware were widely attributed to the Russian state-sponsored group Sandworm, which compromised systems in various energy distribution companies in the country. The BlackEnergy Trojan had previously been tied to Russian attackers, and in this instance was used to install the wiper malware called KillDisk.

It is arguable that this practice attack was not particularly successful. Ukraine was at that time wholly reliant on infrastructure built during the Soviet period, meaning the networks were familiar to Russian operatives and highly vulnerable for that reason. While the BlackEnergy attack may have left nearly a quarter of a million people without electricity for up to six hours, systems were rapidly restored.

In 2016 the Ukrainian capital, Kiev, was hit by a blackout caused by the Industroyer malware in an attack again attributed to Sandworm. However, despite the malware being described as being far more dangerous than BlackEnergy, systems were back up within an hour.

This is not, of course, to suggest that energy organisations in Ukraine are not at great risk from cyber-attacks. In May 2022 CERT-UA confirmed that one such incident targeted the country’s electrical substations and controllers with the Industroyer2 malware, which was deployed with a variety of wipers such as CaddyWiper, SoloShred and AwfulShred to cause the maximum amount of damage possible.

Nevertheless, the relatively disappointing results of the BlackEnergy and Industroyer attacks (from the Kremlin’s point of view) are clearly evident in that the attacks on Ukraine’s energy infrastructure over the winter of 2022 and into 2023 have been carried out using traditional warfare techniques. To deprive the Ukrainian population of warmth, light and heat and hopefully force the country into submission, Russia’s military forces have used numerous missiles and drones to destroy energy facilities, indiscriminately killing and injuring many civilians in the process. Ukrainian government officials have estimated that Russia carried out 92 physical attacks on Ukraine’s energy infrastructure in October and November 2022 alone. This surely points to the failure of those carefully designed cyber-attacks, both in terms of the financial resources invested and the damage caused. Despite the practice runs prior to the Russian invasion in February 2022, the country’s hacker groups appear to lack the capability to inflict sufficiently lasting impact on infrastructure. The technological support which western cyber experts have given to Ukraine since those early attacks is another factor which has contributed to this overall poor performance.

Ukraine is not the only country at risk from Russian state-sponsored threat actors. Nations that have been supporting Ukraine in the war have also been targeted. For example, the Polish government recently stated that cyber-attacks against organisations in the country have increased, with energy providers among those sectors at high risk.

Recently, it was also reported that the Russian group ColdRiver targeted three nuclear research facilities in the United States last summer: the Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore National Laboratories (LLNL).

Along with Russia, China, North Korea and Iran also have highly organised and effective hacker groups working for the ruling regimes.

In August 2022 China’s state-sponsored group Leviathan was blamed for attacking energy companies operating in the South China Sea as part of its operations relating to Beijing’s geopolitical manoeuvres. A phishing campaign was seen targeting the Kasawari gas field in Malaysian waters, and a wind farm in the Taiwan Strait. Leviathan is a cyber-espionage threat group that has been active since 2014. It uses spear-phishing attacks containing malicious Microsoft Word and Excel files, as well as URLs deploying fraudulent domains with stolen branding.

It is worth noting here that China has been heavily involved in Britain’s new nuclear industry since 2015, when China General Nuclear (CGN) signed a Strategic Investment Agreement to participate in three nuclear projects in the UK: Hinkley Point C, Sizewell C and Bradwell B. CGN has funded 33% of the Hinkley facility so far, with France’s EDF holding a 67% stake. Construction is continuing. However, in 2022 the UK government was reportedly aiming to remove CGN from involvement in Sizewell and Bradwell B. In recent years a great deal of attention has focused on the activities of Chinese state-controlled telecoms companies, such as Huawei, which have been found compromising the components that much of our technologies rely upon. These organisations have now been banned from operating in many western countries. Similar concerns will certainly be behind any firm decision made by the UK government to revoke CGN’s participation in the new nuclear projects. Such a move may not go down well with Beijing: given China’s economic and political ambitions, there is a possibility that state-sponsored groups may well focus on the industry before being forced out.

North Korea’s Lazarus group, which has been active since at least 2009, has been held responsible for hundreds of attacks using various types of custom malware. The group continually develops and updates its tools, malware and exploits, which have included DDoS botnets, wipers, and malware that targets specific systems. It has recently been using the BlindingCan Remote Access Trojan (RAT) in a cyber-espionage campaign designed to gather intelligence on key military and energy technologies. It is also possible that the group has started to deploy ransomware in its attacks.

Another North Korean group, Kimsuky, has a history of high-profile attacks against South Korea; most famously, it allegedly breached the network of South Korea’s state-run Korea Atomic Energy Research Institute in 2014.

The main aim of all the North Korean groups is to steal information and money for the development and funding of the country’s nuclear programme.

Iranian state-sponsored groups are also particularly active. Most recently, Lyceum has been seen launching cyber-espionage campaigns targeting the oil, gas, aviation and telecommunications sectors across Africa and the Middle East. Kuwait has been repeatedly hit. This threat actor is known to deploy custom malware via the use of malicious documents attached to spear-phishing emails. The group relies on supply-chain attacks to facilitate access into the networks of energy companies.

The energy sector is also an extremely attractive target for cybercriminals: ransomware groups have managed to launch highly damaging attacks on various organisations around the world.

The incidence of ransomware attacks has been increasing sharply over the last few years. This is now a huge, extremely lucrative criminal activity for a wide variety of threat actors engaged in various aspects of such an enterprise.

The ultimate aim of a ransomware attack is to infect a target network with data encryption malware: once achieved, the cybercriminal will demand a payment to restore and return the data. Some organisations will quickly make the decision to cut their losses and pay the ransom, often deducing that a downtime in operations will prove more costly than paying off the threat actors. However, making that payment does not guarantee a return of the data: the cybercriminal may well have made a copy of the files and will attempt further extortion even after money has changed hands.

The widespread damage that can be caused by such an operation was amply illustrated during the well-publicised ransomware attack in May 2021 on Colonial Pipeline in the US: this resulted in services being taken offline for several days, and President Biden declaring a state of emergency. In this case, the Darkside ransomware operators infiltrated the network via an exposed password for a VPN account, managing to steal 100 gigabytes of data before infecting the systems with ransomware. Colonial Pipeline paid the Darkside operators’ ransom demand to acquire a decryption key and regain control of its systems: this was presumably deemed the most cost-effective response, given that the attack impacted a wide range of industries in the US which rely on oil being transported in the pipeline from refineries.

The Darkside group was also responsible for other relatively recent attacks on the energy sector, including one that took place earlier in 2021 on the Companhia Paranaense de Energia (Copel), a Brazilian electric utility company: here, the ransomware operators stated that they had infiltrated the organisation’s CyberArk storage and stolen cleartext passwords. Further, the group was suspected of carrying out an attack on Centrais Eletricas Brasileiras (Eletrobras), the largest power utility company in South America and owner of Eletronuclear, a subsidiary operating in the nuclear power sector. Both ransomware attacks disrupted operations and forced the companies to suspend some of their systems.

The DarkSide ransomware group shut down its operations following the attack on Colonial Pipeline, which had resulted in a great deal of international and US law enforcement attention, with authorities seizing the group’s servers and recovering $2.3 million from the ransom paid by the company.

However, in February 2022 the Alphv ransomware group, also known as BlackCat, confirmed that it was made up of former members of the Darkside and BlackMatter operations. At around the same time, Alphv was implicated in attacks against two German oil suppliers, Oiltanking and Mabanaft, subsidiaries of the Marquard & Bahls group. As with the Colonial Pipeline incident, significant supply shortages ensued.

The Alphv group is currently one of the most active in the ransomware sphere; it would seem, therefore, that the highly successful Darkside members are still operating. Most recently, in December 2022, Colombian utilities supplier EPM was targeted by the group, resulting in the company’s IT infrastructure shutting down and corporate data being stolen.

The examples cited above offer a brief illustration of the risks faced by the energy sector.

Organisations can never be certain that they will not be hit by a cyber-attack, but they can take steps to lessen the chances by implementing appropriate and stringent cyber-security policies and practices. Data must be backed up and preferably stored separately. Systems must be updated and software patches applied as quickly as possible. And finally, all staff – from boardroom level downwards – must be given regular training in cyber-security practices to defend against the disaster a cyber-attack is likely to bring, whether in financial or reputational terms.