Threat intel report: energy infrastructure on the front line

  • Energy infrastructure in Ukraine finds itself on the front line in its war with Russia as nation state cyber threat actors target critical control systems.
  • Reports of compromised components from Chinese hardware manufacturers point to a growing, and far harder to remediate, threat to global energy infrastructure.

In December 2015, some twenty months after Russia illegally annexed the Crimean Peninsula in March 2014, attackers used the BlackEnergy malware to gain a foothold in three Ukrainian regional electricity distribution companies. From there they reached the operators' SCADA environments over remote access and opened breakers by hand, cutting power to around 230,000 customers for up to six hours. A wiper utility known as KillDisk was then used to destroy data on workstations and servers, not to cause the outage itself but to hinder recovery and hide the attackers' tracks. The attack was widely attributed to the Russian group known as Sandworm, which was later definitively identified as a unit of the GRU, Russia's military intelligence service (the US Department of Justice indicted six of its officers in 2020). While the public impact was limited to several hours without power in some regions, the damage behind the scenes was immense and the clean-up expensive. The message to the Ukrainian government was also clear: "You are vulnerable."

This incident kicked off an inevitable arms race in cyberspace between Russia and Ukraine, with numerous further attacks launched against energy companies and their suppliers; a year later, in December 2016, the Industroyer (CrashOverride) malware caused a further outage by speaking industrial control protocols directly to a Kyiv transmission substation. As the conflict became very public, so did the support for and against from both sides, resulting in a series of targeted attacks against both Russian and Ukrainian critical energy infrastructure, conducted largely by nationalist groups with links to, and resources borrowed from, the vast cybercriminal underworld in this region of the world. If this was supposed to be a test run of Russian cyber warfare capabilities, it was successful from a technical perspective; that said, it also in many ways showed their hand.

Fast-forward to February 2022 and the Russian invasion of Ukraine, and a similar pattern of behaviour emerged, with two key differences: 1) Ukraine had cyber-armed and was expecting a cyber onslaught ahead of any conventional attack, and so it proved. 2) Many nationalist and ideological groups around the world have been shoring up the Ukrainian cyber ranks. The visible impact on power infrastructure has been smaller this time, but disruption has still been caused and attempted: in April 2022, for example, CERT-UA and ESET reported an Industroyer2 attack against a Ukrainian high-voltage substation that was caught before it could cut power. Alongside the country's telecom infrastructure, energy is the cyber front line of this war.

Russia and Ukraine are not the only examples of how state-sponsored cyber activities can lead to widespread disruption of public utilities and critical infrastructure. A more recent and perhaps more pressing nation-state threat for western and eastern countries alike stems from public reporting that Chinese hardware manufacturers such as Huawei, among many others in which the state holds ownership stakes or exercises significant influence, have shipped compromised components in products that much of our technology relies upon. Make no mistake, this is every bit as dangerous as a software vulnerability; consider it the hardware answer to malware. A malicious component or firmware sits below the operating system, so it survives reinstalls and cannot be patched or deleted in the way a software implant can. With China's Belt and Road Initiative funding and building infrastructure from these components across Asia, Africa, South America and parts of Europe, the outlook is bleak for everyone involved except China. Excluding Chinese technology and research from global markets is equally difficult; we simply do not yet have the knowledge and resources to move forward without them. Governments change, and their priorities with them, but it is unlikely that we will see de-escalation or a shift in priorities from China in the next decade, which puts much of our existing and planned infrastructure at greater risk than ever before.

Additional insight and intelligence on attacks against energy infrastructure and global supply-chains can be found at
