Sekoia expects hackers to continue targeting energy sector through ransomware, hack-and-leak attacks

Data released by Sekoia disclosed that the energy sector was at the center of concern in Europe in 2022, particularly in light of the Russo-Ukrainian conflict. The sector was targeted by various offensive cyber-enabled operations, including espionage, disruption, sabotage, and information operations. Additionally, the European energy sector also faced financially motivated malicious cyber campaigns, mostly double extortion attacks operated by Ransomware-as-a-Service (RaaS) groups, and hack-and-leak operations.

The energy sector remains particularly vulnerable to cyber threats, notably due to two identified structural risks. The first is the complexity of the information systems implemented in this sector, including IT and OT (operational technology) networks and solutions, in a context of digitization of activities and IT/OT convergence. The second is third-party risk. Both increase exposure to threats, with possible effects on the physical layer.

Sekoia identified in its Wednesday blog that energy is a subject matter and vertical of interest for cyberespionage activities, notably pertaining to strategic data collection and industrial espionage. The researchers also expect the ongoing Russo-Ukrainian conflict will almost certainly continue to be a strong driver for offensive cyber activities in the short term, notably for state-nexus and hacktivist intrusion sets.

“Between December 2021 and March 2022, Dragonfly (aka BROMINE), a Russia-nexus intrusion set, was observed exfiltrating data from a nuclear safety organisation,” according to the Sekoia post. “Interest in nuclear energy-related entities was also demonstrated on the physical layer, as Russian troops seized the decommissioned Chernobyl nuclear power plant and the Zaporizhzhia Nuclear Power plant. It continued through the conflict, as Calisto notably targeted three nuclear research laboratories in the U.S. in a credential-stealing campaign in August and September 2022.”

Google TAG researchers link this activity to the visit of United Nations inspectors to Ukraine’s Zaporizhzhia nuclear power plant in Russian-controlled territory. Additional Russia-nexus cyberespionage activities include EMBER BEAR (aka SAINT BEAR) targeting personnel involved in Ukrainian energy, Sandworm targeting an energy provider in Ukraine in March 2022, and Gamaredon being observed unsuccessfully targeting a NATO refining company later this year.

“Aligned with Russian activities, the Belarus-nexus intrusion set UNC1151 targeted multiple Ukrainian government websites including those of energy ministries,” Sekoia said. “In parallel, Ukraine-nexus intrusion set Cloud Atlas was reported targeting the Russian energy sector since at least December 2021. Since June 2022, multiple persistent campaigns focused on the energy sector in Belarus and in Russia were observed.”

Throughout 2022, China-nexus intrusion sets continued targeting the energy vertical globally. Between November 2021 and April 2022, APT31 was observed targeting the Russian energy sector, the post revealed. “This activity is congruent within the timeframe of ongoing negotiations between Russia and China to increase their energy alliance, notably through a new gas pipeline, as well as China’s considerations to increase their investment in Russian energy companies to secure Beijing’s energy supply, and allow Russia to mitigate the impact from lower energy sales to Europe.”

The Sekoia post added that China-nexus intrusion sets also targeted European companies involved in South China Sea region energy projects. This included APT40’s targeting of the German company Skyborn Renewables GmbH during the ScanBox campaign carried out between April 2022 and June 2022, and Mustang Panda’s targeting of a Swiss organization in the energy and engineering sector in September 2022.

In 2022, Iran-nexus intrusion sets, including Lyceum, UNC3890, and MuddyWater, were observed continuing to target the energy sector, notably in Italy and Russia, Sekoia identified. “We assess that the Russo-Ukrainian conflict was another driver for Teheran’s targeting of the energy vertical in 2022, notably to keep pace with the shift the conflict represented for the global energy market. Of note, in October 2022, Russia and Iran signed a memorandum of understanding for energy cooperation, specifically an oil-gas swap. However, energy-related entities based in Israel and Saudi Arabia consistently remain primary targets of Iranian cyberespionage activities.”

The post also assesses that the maritime dispute between Israel and Lebanon, notably pertaining to the Karish gas field, as well as gas pipeline discussions between Israel and Turkey are likely to be drivers for continuous Iran-nexus regional cyberespionage activities targeting energy-related organizations and individuals, possibly including involved European stakeholders.

Additional state-nexus cyberespionage campaigns targeting the energy vertical include the North Korea-nexus Kimsuky, Lazarus, and Andariel intrusion sets. The latter was reported to have targeted an unidentified engineering firm involved in the energy and military sectors, as well as energy providers in Canada, Japan, and the U.S. between February and July 2022.

Sekoia assesses that energy being a possible leverage in the Euro-Russian relationship was plausibly part of Russia-nexus intrusion sets’ remits. “In April 2022, ESET reported on a malicious cyber campaign by Sandworm targeting an unnamed Ukrainian energy provider’s electrical substation, with the malware Industroyer2, a variant of the Industroyer malware used against Ukraine by the same intrusion set in 2017. In addition to Industroyer2, this intrusion set leveraged destructive malware families. Based on CERT-UA information, the attack was thwarted,” the post added.

The energy industry faced a significant increase in operations conducted by self-proclaimed hacktivist groups, the post identified. This activity is deeply circumstantial and mainly fueled by the outbreak of the Russia-Ukraine conflict. For the most part, these hacktivist campaigns consisted of DDoS (distributed denial of service) attacks, data disclosure operations, and defacements.

Over the past year, Sekoia identified 34 instances of ransomware groups engaging in malicious campaigns in the energy sector in Europe, compared to 30 known attacks in 2021. “This includes data collected from dark web ransomware extortion sites and open source data. The observed incidents notably involved activities pertaining to the electricity supply and distribution, electricity generation and distribution, professional services specialised in the energy sector, storage and transport of energy products, oil and gas services, logistics services to the oil industry, and renewable energy solutions,” they added.

“The energy sector is exposed to the increasing trend of multiple extortion ransomware attacks,” Sekoia said. “Impacts on these environments, such as encryption, can affect the continuity of critical operations on a national level and have widespread consequences on large communities. Also, data exfiltration can lead to the collection, selling, and exploitation of sensitive data such as intellectual property. We add to that financial and reputational damage.”

Almost all the observed cases involved data exfiltration and double extortion techniques, resulting in follow-up campaigns and contributing to hindering monitoring efforts by the cybersecurity community, the researchers added.

“Based on our observations, groups including LockBit, BlackCat, RagnarLocker, Cuba, and Hive were the most active collectives carrying out ransomware campaigns impacting the energy sector,” Sekoia revealed. “Most of these groups operate under the Ransomware-as-a-Service (RaaS) model in lucrative campaigns. We observed the BlackCat ransomware group, composed of Russian-speaking affiliates, claiming an increasing number of ransomware attacks targeting critical energy infrastructures in Western Europe in 2022.”

The Sekoia researchers assessed that ransomware activities affecting the energy sector are still opportunistic by nature. “Of note, it is highly likely ransomware threat actors rely on the criticality of energy-related activities to ensure their ransom demands are met and even request a higher ransom. We assess the energy sector will remain a prime target for highly organised cybercrime actors including ransomware groups,” they added.

Sekoia added that hacktivists are likely to continue their ongoing structuring. “Support garnered by these intrusion sets by civil society and possibly State-related entities, as well as the increasing level of advancement of their capabilities will possibly durably impact the cyber threat landscape in the short term.”

“We also expect to continue observing cyber activities targeting the energy sector originating from China-nexus intrusion sets, notably for industrial espionage and intellectual property theft, highly likely targeting European entities involved,” the researchers said.

Last month, the U.S. Senate Committee on Energy and Natural Resources held a full committee hearing to examine cybersecurity vulnerabilities to the nation’s energy infrastructure. The committee also looked into the fact that energy resources are being used as a geopolitical weapon against the nation’s friends and allies, while its adversaries have increasingly begun using cyberattacks to infiltrate American infrastructure to disrupt energy security and the economy.
