Lights can go out: Espionage & disruption in the energy sector (1/5)

The energy industry has been the target of an escalating number of state-sponsored cyberattacks. Hunt & Hackett has closely watched this trend and those behind these critical infrastructure attacks: Advanced Persistent Threat groups (APTs). To cope with this increasing threat, it is vital to understand who your adversary is, where its motivation lies and what is in its arsenal. This series of blogs sets out to provide those answers: it investigates the motives behind the attacks and identifies the most active attacking nations. In this first blog, the energy sector and its challenges are analyzed to answer the question: why is this sector such a prime target?

In 2019, the energy industry ranked as the number one target for cyberattacks (and has continued to be an increasingly heavily targeted sector), with around 16% of all attacks occurring in this sector, as figure 1 shows [1]. To understand this threat, it is crucial to know both the hunter and the prey. Examining both makes clear how valuable the industry is to adversaries. The reasons for adversaries to target the energy industry are broader-ranging and more complex than for, say, the agriculture or maritime industries. What sets the energy sector apart is that it is interconnected with almost all other industries and with society as a whole: it literally fuels all industrial, IT and administrative processes. As a result, it plays a key role in many current geopolitical, economic and environmental issues, as well as in military conflicts. For an adversary, gaining access to a country's energy grid or supply is like hitting the jackpot, because cutting it off cripples the ability to wage war or even to run society at all. It is no surprise, then, that the energy sector is considered critical infrastructure.



Figure 1 – Most cyber-targeted industries in 2019 as identified by Hornet Security.


So, what does the preyed-upon sector look like? Overall, the energy industry encompasses three categories: (1) the exploration, production and refining of energy, (2) the marketing, storage, distribution and transportation of energy and (3) the delivery of energy equipment and services [2]. Two forms of energy flow through these categories: non-renewable and renewable energy. Together they fuel the world as we know it: trains, airplanes, cars, schools, hospitals, factories, offices, homes, etc. As such, the energy industry is part of any nation's critical infrastructure. As stated before, this is what sets this industry apart and why its threat landscape differs as well. The cyberattacks that occur in the energy industry can generally be divided into three categories: (1) espionage and information theft, (2) disruption as a result of a financially motivated attack and (3) disruption as a (geopolitical or military) weapon, as outlined in table 1 below.


Different types of motivations for cyber-attacks

Espionage and information theft

Espionage and information theft are the motivations of actors who seek to enhance their present level of knowledge and acquire new technologies, trade secrets or other relevant business information for their sponsors. Governments influence or direct their APTs to infiltrate the IT networks of their adversaries to extract business-sensitive information or to learn about the developments the target is making. In doing so, the instructing party can avoid lengthy R&D processes and/or gain an edge over its competition, while facing a low risk of getting caught, due to the difficulty of attribution and the remote nature of cyber-attacks. APTs often use the latest tools and tactics for these types of attacks, which are therefore often quite sophisticated.

Example: Compromised Norwegians

Disruption as a result of a financially motivated attack

Disruption in cyber-security generally has one of two purposes. The most common is financially motivated disruption: attackers infiltrate an organization's computer systems and encrypt the data on them. The attacker blocks access to the systems necessary to run the business and, increasingly, also threatens to publish stolen sensitive information unless a ransom is paid. These are the so-called ransomware attacks.

The sophistication level of disruptive attacks such as ransomware varies from generic and opportunistic to (advanced) targeted attacks. Recovery from such attacks is often complicated and time-consuming: the encryption applied by the attackers is generally not feasible to circumvent, leaving organizations to rely on their backups, which attackers frequently seek out and encrypt or delete as well, so that only backups kept offline or otherwise out of the attacker's reach can be counted on. In an upcoming blog, Hunt & Hackett will dive deeper into the world of disruption.

Example: The Colonial Pipeline hack

Disruption as a weapon

The second purpose of disruption is (temporary) disablement, malfunction and destruction to seize a tactical advantage. Through the deployment of malicious software, computer systems are (temporarily) kept from functioning fully or are destroyed entirely; information is manipulated, destroyed or made inaccessible. For nation-states, this can be a very powerful weapon to divert attention from or support (military) operations. In cases of political tension or all-out war, entire countries can be put on the back foot or taken out through the disablement of their critical infrastructure: the power grid, dams, transport systems, whole countries can be (temporarily) 'switched off'. Various APTs are believed to play the long game by gaining access to and establishing lasting persistence in critical infrastructure organizations of targeted nations, to act as an insurance policy that allows the offensive nation to put pressure on the targeted nation(s) when needed.

Example: Ukraine power grid hack

Table 1 - The different types of motivations for cyber-attacks.

But what makes the energy industry a prime target for threat actors? Why do we see so many cyber-attacks with the motives featured in table 1? To fully understand the threat, it is of the utmost importance to know your adversary and yourself. As the legendary general Sun Tzu famously stated: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." This is why Hunt & Hackett does not just examine the threats to the energy industry, but also draws up a profile of the ongoing trends in the sector. By spotting the trends, one can determine what the strategic focus of adversarial APTs looks like. The three most important trends Hunt & Hackett has spotted in the energy industry are as follows:

  1. The ongoing energy transition;
  2. Digitalization of the industry;
  3. Decentralization of energy supply.


Energy transition

Today, the energy industry is responsible for around 60% of global greenhouse gas emissions. To cut down this enormous contribution to global warming, the industry needs to undergo a drastic transformation. This ongoing metamorphosis means transitioning away from fossil-based energy production, fueled by oil, natural gas and coal, towards renewable energy sources. These include wind, solar and hydropower, but hydrogen and nuclear energy cannot be left out of the equation. The latter two will be covered later in this blog (nuclear) and later in this series (hydrogen).

The transition in progress requires the optimization of existing techniques, but even more the invention of new technologies. Some methods, such as solar and wind power, are easily scalable. The problem, however, is that there is not yet a viable way to store energy generated at peak moments for use at off-peak moments. This holds particularly for seasonal changes: solar power peaks in summer, but it is not (yet) possible to store that energy all the way through winter, when it is needed most. Only through lengthy research and development (R&D) projects can companies try to create new ways to produce and store renewable energy across the seasons. On top of that, these R&D projects require unprecedented levels of investment. Market incumbents are not eager to invest in long-term projects to develop technologies whose outcome is uncertain, which is often the situation. Such research requires world-class (technical) universities and research centers, while the application, innovation and commercialization of the resulting knowledge, intellectual property (IP) and technologies requires well-established start-up and scale-up innovation and funding ecosystems that few countries have.

Governments recognize these problems and are looking for ways to effectively solve or bypass them. The renewable energy sector is being developed as a new frontier by universities, researchers, visionaries, innovators and (venture capital) investors that operate in parallel to the traditional (non-renewable) energy market. As innovation thrives and the renewable energy market matures, governments are starting to see the benefits, as well as the effect on the economic and geopolitical landscape. Other governments do not have the patience, capital, infrastructure or will to invest heavily in renewable energy R&D projects, and prefer a quicker and cheaper route: obtaining the results directly from other nations.

In many countries, the mandate of intelligence agencies reaches beyond politics or national security. Most agencies are tasked with safeguarding and enhancing the economic well-being of the state, which means they actively hunt for trade secrets and intellectual property (IP) created by others in order to complement and enhance the existing knowledge and capabilities of their nation. The most efficient way to get this done is by deploying cyber-force, or Advanced Persistent Threat groups (APTs). APTs have great advantages: they operate safely from a distance, the risk of proper attribution is low, the consequences of being caught are usually mild, and they are very cost-effective. The cost efficiency lies in the fact that cyber-capabilities, once built, can be deployed across a wide variety of operations, whereas the alternatives typically require heavy investment in each single operation. This makes offensive cyber-operations highly scalable, and explains why nations build them for economic gain. Hunt & Hackett has observed a sharp increase in the deployment of APTs in the energy industry over the last few years.


Nuclear Energy

There is no current discussion on the energy transition without mentioning the nuclear option. Many oppose nuclear energy for the danger it poses to the environment and to the people living in the vicinity of a plant. Disastrous events such as the meltdowns in Fukushima and Chernobyl have gravely fueled opponents' distrust. Then there is the 'waste problem': the radiation of nuclear waste remains dangerous to life for thousands of years, and storing this waste is often regarded as saddling future generations with today's problems. Scientists are looking for ways to store nuclear waste efficiently and safely, or perhaps even to find a purpose for it. Another argument against nuclear energy is the tremendous cost of building power plants. Proponents of nuclear energy, however, argue that nuclear power is the only way to save the world from the devastating effects of fossil fuels before it is too late. Another major argument in favor of nuclear power over renewable sources is that its output does not depend on seasonal circumstances, as solar power does. This removes the problem of having plenty of energy at peak moments but needing the power off-peak.

The US, France, China, Russia and South Korea are the biggest generators of nuclear power and have the most (innovation) knowledge and experience in this field. China nearly doubled its generation capacity between 2016 and 2020 and plans to build another 150 nuclear reactors [4]. The UK is betting on a bright future for nuclear energy as well: the British government recently announced a large investment in Small Modular Reactors (SMRs), smaller and cheaper nuclear plants. Other, less advanced countries such as Iran and North Korea are emerging nuclear powers seeking to upgrade their nuclear power capabilities. That these countries are not patiently awaiting legitimate R&D processes but rather take the illicit route can be derived from the fact that Tehran- or Pyongyang-sponsored APT groups are often observed trying to infiltrate organizations that concern themselves with nuclear technology and knowledge. The latest example is the hack of a high-profile South Korean nuclear think tank, attributed to Kimsuky, an APT that is likely an extension of the North Korean regime [5].

Table 2 - The nuclear energy landscape



Digitalization

Another challenge the energy industry currently faces is digitalization, part of Industry 4.0 (see figure 2). Increased use of the Internet of Things (IoT) offers new options for producing and managing available resources. At the same time, governments and regulatory institutions are pushing for more accurate measuring systems and more efficient ways of generating and consuming energy, raising the pressure on companies. In doing so, governments hope to get a grip on the heavily polluting energy industries and to develop optimized policies based on measured output, which promises to benefit the whole economy. However, as an unintended consequence, the increased digitalization of the industry has given adversaries a much broader attack surface, as well as network paths to the operational technology (OT) that directly controls the industrial side of the business, systems that were historically kept separate from office IT. In a way this is 'pure gold' for APTs on disruption and sabotage missions. Hacker groups are always looking for ways in, and digitalization gives them more doors to knock on. This means potential trouble for critical infrastructure, because it makes it much easier for attackers to establish an initial foothold in the computer systems of targeted organizations. On top of that, the impact of a potential breach grows as well: when systems are interconnected, attackers have a much broader range of targets and can take control of large parts of a company, from production facilities to administrative and management departments. This is especially alarming for organizations active in the energy and related industries, because their critical value to society makes them a target for APTs seeking disruptive leverage.



Figure 2 – Industry 4.0 in the energy industry.



Decentralization of energy supply

Traditionally, energy was distributed to consumers from large central power stations. Nowadays, this process is significantly more decentralized, with more producers in the field and consumers also becoming producers (so-called prosumers). Energy flows both ways, as figure 3 shows, for example via batteries, solar panels and small wind turbines. On the one hand, decentralization can contribute to a more sustainable energy economy because of the use of renewable energy sources and because generating power close to where it is consumed reduces the losses that occur in centralized transmission and distribution [6]. On the other hand, such a decentralized grid makes the system significantly more complex and unpredictable, presenting a big challenge for countries that are trying to get a grip on their energy infrastructure. Decentralized grids are not (yet) capable of providing sufficient energy throughout the year, due to the lack of storage for the surplus generated at peak moments (summer), so a centralized grid remains necessary too, which complicates the energy system even further. To make things worse, just as with digitalization, decentralization offers adversaries a much broader attack surface, increasing the chance that they will find weak spots to exploit: every network-connected inverter, battery controller and smart meter is another device that must be patched and monitored, often by parties with far less security maturity than a grid operator. At the same time, a decentralized grid combined with (local) renewable energy sources has the future potential to make countries less dependent on foreign energy sources, giving them a stronger geopolitical position. Today, however, that future is still distant.



Figure 3 – An overview of today’s and tomorrow’s power market.


In conclusion

For the energy sector, all types of motivations for cyber-attacks mentioned above are relevant. Companies invest heavily in finding solutions for the challenges explained earlier. The R&D projects meant to lead the way are prey to APTs on the hunt for innovation, (trade) knowledge and (political) leverage. And when a country has the power to disrupt another country's energy infrastructure, the outcome of a hypothetical war is not hard to imagine.

When protecting the energy industry, the focus should be broader than this industry alone. Connected industries, such as the technology and critical infrastructure industries, overlap heavily with companies active in the energy sector, and the threat actors active in those industries are a risk to energy as well. Especially in the long term, APTs active in adjacent industries can easily hop over to energy.

Hunt & Hackett is aware of 255 APTs (of the ~430 APTs known to Hunt & Hackett in total) that have, now or in the past, successfully attacked the energy sector and related industries. Trying to find their way in, these APTs have deployed 2,087 Tactics, Techniques and Procedures (TTPs). This considerable number of APTs and attack methods shows that nations are highly interested in attacking the energy sector. Hunt & Hackett applies an adversary-centric approach to defend its clients from cyberattacks, because only when you know both yourself and your adversary will you be victorious.


  Industry scope                                              APTs   TTPs   Tools
  Energy, Critical Infrastructure, Research and Technology     255  2,087   1,980
  Energy and Critical Infrastructure                           122  1,476   1,451
  Energy                                                       118  1,419   1,406

Table 3 - The number of APTs, and the TTPs and Tools they used in energy and related industries as observed by Hunt & Hackett.

In the next blog on the energy sector, the countries that are the most active in the deployment of APTs are examined and it is explained why these countries resort to cyber-attacks in the energy industry so eagerly.




