Everchanging cyberthreats in the energy sector

Faced with an increasing need for flexibility and efficiency, the energy sector is growing more digital by the day. This digital evolution “disrupts production, processing, storage, transportation and energy consumption methods. Information and communication technologies have made it possible to optimize the supply chain as a whole,” explain Wavestone consultants.

This digital transformation is becoming a reality in the field, through the widespread use of Linky-type smart meters, remote monitoring of wind turbines and solar panel farms, the growing role of AI in smart grid electricity flow management, the use of connected objects (IoT) both by individuals (connected thermostats, etc.) and professionals (sensors placed within buildings or energy infrastructure).

Yet the onward march of digitalization exposes the energy sector as a whole to heightened cyber risks. According to IBM’s X-Force Threat Intelligence Index 2022 report, the energy sector ranks fourth among sectors most affected by cybercrime in 2021, with 8.2% of all cyberattacks, behind manufacturing, finance and professional services.

APTs: highly sophisticated and exceedingly targeted cyberattacks

The threat comes first and foremost from APTs (Advanced Persistent Threats), organizations that are directly or indirectly linked to State actors. Their highly sophisticated cyberattacks are exceedingly targeted. They unfold over the long term and require substantial resources and comprehensive skills. Their aim is to collect highly sensitive data (intellectual property, trade secrets, strategic presence…) for the purposes of espionage, sabotage, even geopolitical disruption.

In 2015, over the Christmas holidays, part of the Ukrainian power network suffered a very sophisticated cyberattack, triggering the first blackout ever due to malicious code. According to the Eset software company, thanks to an extensive phishing campaign, cybercriminals used the modified version of an opensource backdoor, capable of downloading files, as well as runnable shell commands, and therefore sabotaging industrial systems. Ukrainian authorities laid the blame on hackers sponsored by Russia, a longtime geopolitical adversary.

In 2022, software publisher Proofpoint, in partnership with PwC, brought to light a widespread cyberespionage campaign led by the TA423 cybercriminal group (aka APT40 / Leviathan), believed to be very close to the Chinese government. The targets of the phishing campaign led in April and June 2022 were businesses involved in certain strategic energy projects located in the South China Sea, including the Kasawari gas field, exploited by Malaysia, and an offshore wind farm in the Taiwan Strait.

Hacktivists at work

However, energy infrastructure can also be the target of hacktivist organizations. Generally speaking, their actions are less sophisticated than those of APTs, but they can wreak long-lasting havoc on sector players. Most often, hacktivists will target high-profile companies to convey their messages and demands, in particular using DDoS attacks.

Yet, in some cases, hacktivists can roll out cutting-edge resources to recover sensitive data. Since the start of the conflict in Ukraine, Russia has thus been the target of attacks carried out by such organizations, whose objective is to steal strategic information on the activities of some of its companies and administration. This data, once stolen, is then published on the Distributed Denial of Secrets (DDoSecrets) platform.

According to the Watson.ch website, in March of 2022, DDoSecrets thus published “79 GB of emails from Omega, the research department of Transneft, the world’s largest oil pipeline company, controlled by the Russian State. They also released 110 GB (140,000 emails) belonging to MashOil, a Russian company that develops equipment for the drilling, mining and fracking industry, as well as 15 GB of documents and photos from Rosatom, the state nuclear energy company.”

Conventional cybercriminal organizations are also well-represented

Energy sector players are also the target of cybercriminal organizations that could be described as conventional, i.e. whose goal is to maximize profits. In May, 2021, one of the largest US gas pipeline operators, Colonial Pipeline, suffered a ransomware attack that forced it to suspend all operations for almost a week. This triggered a price hike and a number of fuel shortages on the Eastern Seaboard.

The ransom demanded by the DarkSide group hackers, who were behind the attack, was paid in cryptocurrency (75 bitcoins, or 4.4 million dollars), but US authorities announced a few weeks later they had recovered a large portion of the sum (2.3 million dollars), thanks to the FBI.

The Colonial Pipeline attack was not a one-off. Many other energy companies have also been the target of cyberattacks throughout the world. In February, 2022, the oil terminals of several ports in Germany, Belgium and the Netherlands, were hacked. The Italian electric utility Enel was robbed of nearly 5 TB of data by Netwalker ransomware. Brazilian companies COPEL and Electrobras were hit in early 2021 by ransomware similar to the one used against Colonial Pipeline. The DarkSide group extracted 1 TB from COPEL’s systems, while ransomware struck Electrobras. The two energy providers had to disconnect from the national network.

Against the digital transformation backdrop, energy companies and their infrastructure are subject to multiple threats, regardless of the country and source of energy. From APTs’ highly sophisticated attacks to sensitive data theft by hacktivists, to the use of ransomware by cybercriminal groups, cyberthreats are everywhere. Industry professionals have to take into account the full scope of the challenges they face.