Resecurity warns of rising ransomware threats in energy sector, particularly targeting nuclear, oil and gas industries

New data from Resecurity has revealed a concerning increase in ransomware attacks on the energy sector, specifically targeting nuclear facilities and associated research organizations. Over the past year, these attacks have been observed in North America, Asia, and the European Union. Handelsblatt reported that in the E.U. alone, ransomware attacks on the energy sector more than doubled in 2022 compared to the previous year, with a total of 21 attacks recorded through October.

Describing the recent trend as one that ‘cannot be ignored,’ Resecurity said in a recent company blog post that, with at least a dozen sophisticated groups such as BlackCat/ALPHV, Medusa, and LockBit 3.0, among others, intensifying their focus on these high-stakes targets, the threat landscape is becoming increasingly dangerous. “These threat actors are not acting in isolation; they are supported by a flourishing ecosystem of access brokers and tool developers who provide the necessary leverage to infiltrate and exploit these essential systems.”

The Los Angeles-based cybersecurity company said that the collaboration between these groups and individual actors is a clear indicator of the strategic importance placed on the energy sector, which is perceived as a goldmine for high-value data and maximum ransom payouts exceeding $5,000,000 in some cases.

“In the context of the Ukraine war, the most geopolitically noteworthy attacks include the steady stream of intrusions by actors like BlackCat/ALPHV, Qilin, and Black Basta targeting energy installations and refining hubs in the Low Countries, Switzerland, Italy, and Germany,” Resecurity disclosed. “Germany, once the engine of the European economy, has been particularly hard hit by the transition away from Russian natural gas imports that has resulted from war-related sanctions.”

As such, “Germany’s energy infrastructure has been especially vulnerable. In this regard, ALPHV’s coordinated attacks on Oiltanking in Germany, Invest-SEA in Belgium, Evos in the Netherlands, and the Amsterdam-Rotterdam-Antwerp oil terminals all in February 2022 are particularly noteworthy. These attacks all immediately coincided with the Russian invasion of Ukraine,” it added.

Looking ahead to 2024, Resecurity said that it envisioned “significant growth in cyber threats, particularly with ransomware groups increasingly prioritizing high-value targets within the energy sector. This includes a specific focus on the nuclear energy sector, as well as oil and gas providers, both in their downstream and upstream operations.” 

The data identified that as digitalization in these areas continues to advance, the attack surface for malicious actors expands, offering more opportunities for exploitation. “The sector’s growing reliance on interconnected technologies, while beneficial for operational efficiency, also presents lucrative opportunities for cybercriminals. The potential for substantial ransom payments, driven by the critical nature of these energy services, further heightens the appeal for these bad actors.”

It is therefore imperative for organizations within these specific areas of the energy sector to ‘significantly’ bolster their cyber defenses and prepare for the sophisticated and potentially devastating cyber campaigns that are likely to emerge in the coming year, Resecurity added.

In the wake of the MOVEit Transfer supply-chain extortion campaign, which has claimed over 2,180 victims so far, 2023 may go down in history as the most profitable year ever for ransomware actors, Resecurity detailed. The broader trend driving the ransomware industry’s increasing ROI is the return of ‘big game hunting,’ or the targeting of large organizations, according to the DHS report. Emerging tactics being deployed by ransomware actors in their big-game, extortion ‘safaris’ include intermittent encryption, the use of more modern specialized programming languages, and dual ransomware attacks that involve more than one variant.

These dual-variant campaigns typically sequence their attacks over 48 hours, according to the FBI. As Cl0p demonstrated in their MOVEit campaign, there is also rising concern that attackers may be eschewing the in-house development of encryption lockers altogether, in favor of more efficient data theft schemes. By seizing and exfiltrating data, ransomware hackers can pivot into the extortion phase of the attack cycle more immediately. Regarding the first two emerging ransomware tactics cited, intermittent encryption enables threat actors to “encrypt systems faster and reduce the chances of being detected,” according to the DHS report.
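As an added illustration, not drawn from the Resecurity or DHS material quoted above, the following Python snippet shows why intermittent encryption "reduces the chances of being detected" and how a defender can restore the signal: a whole-file entropy heuristic misses a file in which only every fourth block has been replaced by ciphertext-like data, while a per-chunk scan classifies the same file as partially encrypted. The sample files, the 4 KiB chunk size, the 7.0 bits/byte threshold and the 1-in-4 pattern are all constructed for this example.

```python
"""Chunk-level entropy scan to spot intermittent (partial) encryption.

Illustrative example, not code from the Resecurity or DHS reports.
Whole-file entropy is a common ransomware heuristic; a locker that
encrypts only every Nth block keeps the file's average entropy under
the alarm line. Scanning fixed-size chunks restores the signal.
All sample data below are constructed.
"""
import math
import random
from collections import Counter

CHUNK_SIZE = 4096      # assumed scan granularity
HIGH_ENTROPY = 7.0     # bits/byte; ciphertext and random data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size chunk; the last chunk may be shorter."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def whole_file_verdict(data: bytes, threshold: float = HIGH_ENTROPY) -> bool:
    """Naive detector: a single entropy figure for the whole file."""
    return shannon_entropy(data) >= threshold


def chunked_verdict(data: bytes, chunk_size: int = CHUNK_SIZE,
                    threshold: float = HIGH_ENTROPY) -> str:
    """Return 'clean', 'full' or 'intermittent' from the per-chunk pattern."""
    flags = [e >= threshold for e in chunk_entropies(data, chunk_size)]
    if not flags or not any(flags):
        return "clean"
    if all(flags):
        return "full"
    return "intermittent"


# --- constructed sample data (not real victim files) ---
_LOG_LINE = (b"2023-11-01T04:12:07Z pump_station_07 "
             b"pressure_psi=42.1 valve=OPEN status=OK\n")


def plaintext_chunk(size: int = CHUNK_SIZE) -> bytes:
    """A chunk of repetitive, low-entropy operational log text."""
    return (_LOG_LINE * (size // len(_LOG_LINE) + 1))[:size]


def random_chunk(size: int = CHUNK_SIZE, seed: int = 0) -> bytes:
    """Stands in for a ciphertext block; seeded so the demo is repeatable."""
    return random.Random(seed).randbytes(size)


def build_sample(n_chunks: int = 16, encrypt_every=None) -> bytes:
    """Plaintext file of n_chunks chunks. If encrypt_every is k, every k-th
    chunk is replaced by a ciphertext-like block (intermittent encryption);
    encrypt_every=1 replaces every chunk (full encryption)."""
    out = []
    for i in range(n_chunks):
        if encrypt_every and i % encrypt_every == 0:
            out.append(random_chunk(seed=i))
        else:
            out.append(plaintext_chunk())
    return b"".join(out)


if __name__ == "__main__":
    for label, k in (("clean", None), ("fully encrypted", 1),
                     ("1-in-4 intermittent", 4)):
        sample = build_sample(encrypt_every=k)
        print(f"{label:20s} whole-file entropy={shannon_entropy(sample):.2f} "
              f"whole-file flagged={whole_file_verdict(sample)} "
              f"chunked verdict={chunked_verdict(sample)}")
```

The chunked classifier looks only at the pattern of high-entropy blocks. In practice it would be paired with file-type awareness (compressed or already-encrypted formats are high entropy by design) and with the write-burst and rename telemetry that endpoint products use, since entropy alone generates false positives on legitimate data.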

The enhanced efficiency and evasiveness offered by the above technique are selling points that can help cyber-extortion gangs “entice affiliates to join their Ransomware‑as‑a‑Service operations,” noted the DHS report. The report also said that next-generation programming languages like Rust and Golang, for example, can enhance threat actors’ abilities to “adapt and individualize their attacks.”

Overall, the energy sector was the fourth-most-targeted sector last year, accounting for 10.7% of all cyberattacks. The DHS report warned that “state and non-state cyber actors continue to seek opportunistic access to critical infrastructure sector targets for disruptive and destructive attacks.” Additionally, “malicious cyber activity targeting the United States has increased since the beginning of the Russia‑Ukraine conflict,” noted the DHS report.

With no clear end to the Israeli-Hamas and Russo-Ukrainian conflicts in sight, ransomware attacks targeting energy firms are becoming increasingly prevalent in the U.S. and globally. The following white paper will provide a timeline of all significant, energy-sector ransomware attacks over the last year, present HUNTER (HUMINT) research on Dark Web solicitations for energy sector access, and detail findings from our undercover ransom negotiations with threat actor group Black Basta.

Resecurity data identified several Initial Access Brokers (IABs) operating on the Dark Web who are actively seeking out credentials and other unauthorized intrusion methods for the energy sector. Some of these IABs are even promoting unauthorized access to nuclear energy firms. Furthermore, Resecurity has identified numerous posts on major cybercriminal forums, including RAMP (the Russian Anonymous Market Place), where threat actors have profited and continue to profit from illegal network access.

According to Resecurity investigations, ransomware attacks on the energy sector have significantly increased. Malicious campaigns have been observed in North America, Asia, and the European Union (EU). Cybercriminals target this sector, operating on the assumption that they can command more lucrative ransom payments due to the higher-value data assets involved. These attacks prove that critical infrastructure (CI) data assets are more valuable to ransomware groups than those stored by other economic sectors.

Resecurity anticipates that criminal entities operating on the Dark Web and professional ransomware gangs will intensify their targeting of the energy industry. These attackers will co-opt independent actors and IABs to help them profit from illicit network intrusions. Ransomware operators targeting energy firms will continue to increase their extortion demands beyond $7 million, weaponizing their essentiality to CI operations. One aggravating factor that can justify payouts of this size to victim organizations is the potential for the devastating disruption of industrial processes within their surrounding environment.

Nuclear energy organizations are high-priority targets for ransomware operators and advanced threat groups seeking to participate in cyber espionage. Leaked data from these entities may serve as a smokescreen for more intricate attacks, planned before any public announcement of these incidents. This tradecraft can make it more challenging for breach investigators to determine the true motives behind a cyberattack.

Additionally, governments and private-sector stakeholders are increasingly concerned about the rise in ransomware attacks targeting the energy sector. This disturbing trend has destabilizing implications for geopolitical relations, capital markets, public safety, and national security.

Backdropped by the Russo-Ukrainian conflict, hacker interest in nuclear energy firms and related entities has been on the rise. In this threat environment, Resecurity has noticed growing interest from threat actors soliciting access to nuclear-sector entities. 

“As far as publicly accessible nuclear access listings, Breach Forums proved to be the most fertile hub for open-source intelligence in this regard,” Resecurity detailed. “The images below depict examples of Initial Access Brokers (IABs) offering access to nuclear energy-sector corporate networks. This first screencap is from the RAMP forum.”

Last week, industrial cybersecurity firm Dragos assessed with high confidence that in the fourth quarter of this year ransomware will continue to opportunistically attack industrial organizations, causing varying degrees of operational disruption. Direct impacts to OT networks and processes, however, will largely depend on the victim organization’s architecture: whether its OT systems are properly segmented, or whether the network is flat and can be easily enumerated and traversed.
