When the lights go out: increasing cyber-espionage and disruption in energy industries (part 3).

All over the world, energy industries are being targeted by (state-sponsored) hacker groups, or APTs. Hunt & Hackett dives into this trend in a series of blogs. This part of the series continues the previous part, in which the most active attacking nations, China and Russia, were examined. In this part, Iran and North Korea, the third and fourth most aggressive countries in the energy industry, are scrutinized to find out what motivates their hostile behavior.

Iran

The Islamic Republic of Iran can be considered an energy superpower. It has one of the biggest oil and gas reserves in the world. Within OPEC, it was the fifth-largest oil producer in 2020 and the third-largest gas producer in 2019. This enormous supply of resources could enable Iran to become a flourishing and wealthy country. However, there is a lot holding back the former regional hegemon. International sanctions, government mismanagement and corruption in the bureaucratic system are major issues that prevent the Iranians from reaching their full potential.

Despite the growing global demand, Iran’s oil production has been in decline since 2017 due to underinvestment and severe international sanctions. Weighing heavily on the Iranian economy are the sanctions imposed in response to Iran’s pursuit of its nuclear ambitions. The agreement reached in 2015, also known as the Nuclear Deal, between the five permanent members of the UNSC plus the EU put a halt to Iran’s efforts to obtain a nuclear arsenal. As a result, international sanctions were lifted, and Iran enjoyed relatively free trade again. However, in 2018, US President Trump withdrew from the agreement, and both the sanctions and the nuclear program resumed.

Figure 1 - Former President Hassan Rouhani and Ali Salehi, head of the Atomic Energy Organization of Iran, at the Iranian nuclear plant Bushehr.

Since then, Iran has experienced great difficulty in attracting foreign capital and technology. The country’s Sixth Five-Year Economic, Cultural and Social Development Plan states that Iran wants to increase the share of renewables and clean power plants to a minimum of 5% of its total capacity by the end of 2021. This indicates Iran’s willingness to move away from fossil fuels towards cleaner sources of energy. Its renewables industry is far from advanced, however: the share of clean energy in use was estimated at around 0.58% in 2018 [1]. It is therefore deemed unlikely that Iran has enough knowledge to make this transition on its own. More importantly, Iran lacks the financial capital required to make serious progress in the energy transition. Iran needs foreign technology, capital and skills to become less reliant on the fossil industries. If it cannot get its hands on what it needs through licit means, due to sanctions, it will seek alternatives. Iran has the option of deploying a large group of APTs with the skills to infiltrate computer systems and steal intellectual property and other secrets, and recent history shows it is not reluctant to do so.

The Iranian APTs are frequently used to obtain information about nuclear arms or nuclear energy. Tehran places a lot of value on its nuclear program, for both energy security and geopolitical power. Nuclear power forms the trump card of its position in international politics. With this in mind, it is no surprise that reports of cyberattacks attributed to Iranian APTs pop up regularly. There are examples of attacks on Swedish high-tech nuclear organizations [2] and British universities [3] that were aimed at the theft of intellectual property and other sensitive information dealing with nuclear technologies.

Besides stealing secrets, Iran has also shown interest in infiltrating the critical infrastructure of its enemies. In 2020, Iranian hackers attacked a water installation in Israel, seeking to disrupt their archenemy’s water supply. Israel claims that it detected and warded off the attack in time. This was the first publicly known attempt by Iran to disrupt critical infrastructure in the long-running Iran-Israel conflict [4]. Iran’s interest in disrupting critical infrastructure is not limited to the Middle East: in 2013, Iranian hackers successfully infiltrated a dam in New York, USA [5].

A total of 25 Iranian APT groups (current and past) that have been active in energy or related industries are known to Hunt & Hackett. To counter their cyberattacks and to be prepared for them in the future, Hunt & Hackett tracks the TTPs and tools they have employed in the past. At this moment, Hunt & Hackett has encountered 266 TTPs and 227 tools used by Iranian APTs in the relevant industries (see table 1).

THREAT RECORD SHEET - IRAN - ENERGY INDUSTRY

"The Middle Eastern Menace"

| Full Name | Islamic Republic of Iran |
|---|---|
| Known Aliases (total of 25) | APT 33; APT 35; Bahamut; BlackOasis; etc. |
| Known Tools Used | 266 |
| Known Methods Used | 227 |

EXCERPT OF PREVIOUS THREAT HISTORY

| Date of Crime | Description of Offence | Motivation |
|---|---|---|
| 2013 | A New York dam was hacked by an Iranian threat actor | Disruption |
| September 2018 | Iranian hackers stole research on nuclear power | Espionage; Information Theft |
| April 2020 | Iranian hackers tried to increase chlorine to dangerous levels in the Israeli water supply | Disruption |

Table 1 - Threat Record of Iran in the Global Energy and Related Industries.


North Korea

When the Soviet Union was dissolved in 1992, North Korea lost its most important trading partner, as well as its access to subsidized oil from the communist giant. Since then, North Korea has struggled to meet its energy demands and therefore suffers from chronic energy shortages. These shortages are primarily a result of the numerous sanctions that have been imposed on North Korea. The sanctions are the international response to North Korea’s prolific tests of nuclear weapons. Most of the international community is trying to contain North Korean nuclear power by imposing sanctions that severely limit its ability to conduct trade. These sanctions restrict North Korea’s access to many types of energy. Still, the energy industry is of significant importance to North Korea, as coal exports are one of the main drivers of its economy.

As North Korea’s regime is centered around self-reliance, it is looking for its own ways to generate energy. It smartly uses its rivers to generate hydroelectric energy, but significant changes in weather conditions have strongly decreased that energy output. The call for new ways of generating energy was emphasized in Kim Jong Un’s 2019 New Year’s address, in which he reportedly stated that he is looking for new ways to provide energy to his country, including tidal, wind and nuclear power. Although these are clean sources of energy, tackling global warming is not on the Supreme Leader’s agenda. He is more concerned with North Korean self-sufficiency and solving the damaging energy shortages. For North Korea, it is all about energy security, also because a lot of the energy it produces is absorbed by military activity. It is therefore not unlikely that Pyongyang is looking for ways to enhance its knowledge of renewables, even if that is not possible via the licit path…

Figure 2 - Satellite view of South and North Korea at night, illustrating the gap in development, infrastructure and the use of energy.

Well, the North Koreans must have nuclear energy, right? Despite North Korea having an estimated nuclear arsenal of 30 to 40 nukes, it does not use nuclear power for energy generation. It is no surprise that a country so eager to establish energy security is looking for ways to use its nuclear capabilities for the benefit of its power supply. It is plausible, however, that it has not reached the level of technology required to do so. Acquiring the needed skills and knowledge would be a game changer for the communist republic. As a result, there have been numerous reports of North Korean state-sponsored hackers targeting nuclear institutions for intelligence on nuclear technologies and other related IP.

There are reports that a North Korean hacker group, Lazarus, has hacked into nuclear and energy companies in several countries around the globe. Examples are Operation Sharpshooter and the attacks on an Indian nuclear power plant and the South Korean Atomic Energy Research Institute. Most of these attacks were intended to steal information on nuclear weapon technology; however, there are also reports of North Korean APTs targeting information that could benefit their nuclear energy industry. There have also been numerous accounts of North Korean hackers using ransomware, or simply stealing money from organizations all over the world, to scrape together cash for their government, which is always in need of it [6].

Hunt & Hackett recognizes the North Korean cyber-threat to organizations working in the energy and related industries. In order to outsmart these digital adversaries, it is key to understand how they operate. Hunt & Hackett tracks their preferred attack methods so you can build resilience against them. Hunt & Hackett has observed 7 APTs from North Korea targeting energy and related industries. In their efforts, 133 TTPs and 221 tools have been used, as shown in table 2.

THREAT RECORD SHEET - NORTH KOREA - ENERGY INDUSTRY

"The Advancingly Powerful Threat"

| Full Name | Democratic People's Republic of Korea |
|---|---|
| Known Aliases (total of 7) | Kimsuky; Wassonite; APT 37; APT 38 |
| Known Tools Used | 221 |
| Known Methods Used | 133 |

EXCERPT OF PREVIOUS THREAT HISTORY

| Date of Crime | Description of Offence | Motivation |
|---|---|---|
| 2019 | Indian nuclear power plant infiltrated by hackers from North Korea | Espionage; Information Theft |
| October 2018 | North Korean hackers target energy companies worldwide in Operation Sharpshooter | Espionage; Information Theft |
| 2021 | South Korean nuclear energy institute hacked by North Korean threat actor | Espionage; Information Theft |

Table 2 - Threat Record of North Korea in the Global Energy and Related Industries.

Below (table 3) you can find a recap of the four most aggressive nation-states in the energy industry. The comparison shows their key objectives, their motives and other statistics.

| | China | Russia | Iran | North Korea |
|---|---|---|---|---|
| Key strategic objectives | Energy Transition; Meeting the Energy Needs of a Global Superpower | Geopolitical Power over Adversaries; Modernization of Fossil Industry; Securing Income from Fossil Resources | Moving Away from Dependence on Fossil Resources; Development of Nuclear Program; Sabotaging Enemies | Energy Security; Development of Nuclear Program |
| Level of cyber capabilities | Medium/High | High | Medium | High |
| Known motives for cyber-deployment | Espionage; Information Theft | Espionage; Information Theft; Disruption; Financial | Espionage; Information Theft; Disruption | Espionage; Information Theft; Disruption; Financial |
| Nature of risk to foreign critical infrastructure | Mostly Espionage [7] | Disruption and Espionage [8] | Disruption and Espionage [9] | Disruption, Espionage and Financial [10] |
| # APT groups | 69 | 27 | 25 | 7 |
| # TTPs | 524 | 254 | 266 | 133 |
| # Tools | 732 | 1,086 | 227 | 221 |

Table 3 - A comparison of the key objectives and statistics of China, Russia, Iran and North Korea.

In this blog, Iran’s and North Korea’s interest in the energy industry was analyzed and linked to the threat they pose, as observed by Hunt & Hackett. The four most active countries were also compared, as shown in table 3. In the next blog, an overview is given of the energy industry in the Netherlands and how it is threatened.

Sources:

[1] https://www.mdpi.com/2071-1050/13/13/7328/pdf
[2] https://www.jpost.com/middle-east/iran-news/iran-seeks-tech-in-sweden-for-nuclear-weapons-swedish-intel-report-666792
[3] https://www.manageengine.com/log-management/phishing-attacks/iranian-hackers-attack-uk-universities-email-phishing.html
[4] https://www.timesofisrael.com/after-alleged-iranian-cyberattack-israels-water-authority-beefs-up-defenses/
[5] https://time.com/4270728/iran-cyber-attack-dam-fbi/
[6] https://www.bbc.com/news/stories-57520169
[7] https://us-cert.cisa.gov/china
[8] https://www.fpri.org/article/2021/07/understanding-russias-cyber-strategy/
[9] https://www.csis.org/programs/technology-policy-program/publicly-reported-iranian-cyber-actions-2019
[10] https://www.brookings.edu/blog/order-from-chaos/2020/12/23/building-resilience-to-the-north-korean-cyber-threat-experts-discuss/