Energy infrastructures are complex systems with physical, geographical, and digital interdependencies with other critical infrastructures, such as transport, telecommunications, water, agriculture, finance, and information networks. These in turn support local and national government authorities and emergency services. A disruption to the normal operation of critical energy infrastructure therefore also degrades the infrastructures that depend on it.

The energy sector is undergoing digital transformation. Delivering energy is an essential service whose availability has to be ensured at all times.

As energy providers strive to maintain this availability, security practices are often sacrificed in the name of speed and efficiency. At the same time, the sector is being digitized and equipped with the latest technologies, which opens new attack surfaces for cybercriminals to exploit.

Digitization has created new cybersecurity challenges for the energy sector. Because plant operations depend on automated controls, pressure and temperature sensors, IoT devices, and similar networked equipment, cyber risk can reach almost every operation of a power plant.

Potential threat actors associated with the energy sector

Advanced Persistent Threat (APT) groups are the threat actors most likely to target the energy sector with modern, sophisticated attacks. APT groups attempt to steal sensitive information that can support nation-state operations and espionage.

APT groups have compromised the following subsectors of the energy sector:

  • Nuclear Energy Development
  • Coal mining
  • Oil and gas exploration and production
  • Oil and gas field services
  • Petroleum sector

Besides APT groups, hacktivists and nation-state operators have also had a significant impact on this sector, causing disruptive events with devastating outcomes.

What makes the energy sector vulnerable to cybersecurity threats

Three general characteristics make the energy sector vulnerable to cybersecurity threats:

  1. The frequency of attacks and the number of threat actors have increased dramatically, and those actors are now more inclined towards targeted attacks.
  2. The energy sector is adopting advanced technology as the industry grows. This expands the attack surface and draws the attention of threat actors; the sector is an attractive target for nation-state hackers and cyber espionage.
  3. Attacks have become more sophisticated and keep evolving. They may come from organized crime groups, hacktivists, nation-state hackers, cyber terrorists, and various APT groups, who exploit complex vulnerabilities and cause financial and reputational damage to the target.

Source: Powermag

Notable cybersecurity attacks on the energy sector

Below are some of the most notable cybersecurity attacks on the energy sector, each of which has had a lasting impact on the industry.


CrashOverride

CrashOverride is malware that was used against a single transmission-level substation in Ukraine's power grid on December 17, 2016. The attack cut power to part of the capital, Kyiv; the outage lasted about an hour.

According to security researchers, the malware was purpose-built to interact with Industrial Control Systems (ICS): it speaks grid protocols such as IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA directly, rather than merely running on the Windows hosts it infects.

Diving into CrashOverride malware capabilities, we find a modular framework that consists of the following components:

  • An Initial Backdoor
  • A loader Module
  • Different supporting modules
  • Several Payload Modules

The backdoor provides initial access to the system and persistence; the loader module executes the payload modules that produce the effect on the grid; and the supporting modules (for example a data wiper and a port scanner) assist the other components.

Source: Dragos


GreyEnergy

GreyEnergy is an Advanced Persistent Threat (APT) toolkit and group that has targeted energy companies in Ukraine and other Eastern European countries. Security researchers have linked GreyEnergy to BlackEnergy, the APT behind the December 2015 attack on Ukraine's grid that left about 230,000 people without electricity.

The main targets of this group were energy companies in Ukraine and Poland whose industrial control systems run on SCADA software, with a particular interest in workstations that host SCADA applications.

GreyEnergy uses two initial access vectors: spear-phishing emails that trick users into enabling malicious macros, and the compromise of public-facing web servers. The attackers use the compromised servers as a foothold in the internal network and then pivot across the network, escalating privileges as they go.

Once inside, they rely on publicly available tools such as PsExec, WinExe, and Mimikatz to move laterally and harvest credentials across the network.

Source: welivesecurity

Havex Malware

Havex is malware that has been used against the energy sector since 2012. It was distributed via spear-phishing emails, spam, and trojanized software installers. The identified victims were mainly in the US and Europe.

Havex is a remote access trojan (RAT). One of its distribution methods was to compromise the websites of SCADA and ICS software suppliers and replace legitimate installers with trojanized versions, so that installing the vendor's software also installed Havex.

Once running, the malware collects information and sends it to its command-and-control servers. The data collected includes the victim's OS and version, computer name, and lists of files and directories.

According to research, the malware can also download and execute additional component files; one such component enumerates the network resources reachable from the infected host, including OPC servers, which reveals the ICS equipment behind it.

The primary purpose of this malware was to act as an intelligence-gathering tool for espionage purposes.

Source: Trendmicro

Operation Sharpshooter

Operation Sharpshooter was an espionage campaign disclosed in December 2018. It targeted nuclear, defense, and energy companies, among them organizations based in Germany, Turkey, the US, and the UK; 87 organizations were identified as affected.

According to a report by McAfee, the campaign used an in-memory implant that, once installed, retrieved a second-stage implant known as "Rising Sun," which carried out the further exploitation. The operation distributed malicious Word documents hosted on Dropbox. Each document contained a macro that injected the Sharpshooter downloader into the memory of the Microsoft Word process; once the macro ran, the downloader fetched Rising Sun.

Source: McAfee


TRITON/TRISIS

TRITON/TRISIS is a dangerous malware family initially discovered in mid-November 2017 after it hit a petrochemical plant in Saudi Arabia. The malware targeted Safety Instrumented Systems (SIS), specifically Schneider Electric's Triconex Emergency Shut Down (ESD) controllers.

In June 2017, the attackers' tampering with the plant's safety controllers caused them to enter a failed-safe state and trip the plant, an unplanned shutdown that was only later recognized as the result of an intrusion. SIS controllers and their associated software are the last line of defense against life-threatening incidents, which is why malware that can reprogram them is so dangerous.

Triton targeted the Triconex safety controller, which is used in more than 18,000 plants, including nuclear facilities, oil and gas refineries, and chemical plants. The attackers gained initial access through spear phishing, pivoted from the corporate IT network into the OT network, and finally reached the engineering workstation from which they targeted the SIS controllers.

The attackers behind TRITON/TRISIS used custom-built tools as well as open-source tools, including Mimikatz and SecHack, to steal credentials.

Source: McAfee
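Both the GreyEnergy and the TRITON/TRISIS intrusions described above leaned on publicly available tools (PsExec, WinExe, Mimikatz) for lateral movement and credential theft, which makes process-creation telemetry a practical place to catch them. The following Python script is an added example written for this article; it is not code from the original page, from ESET, or from FireEye. The Sysmon-style key="value" export format, the host names, and every log line in it are constructed for illustration.

```python
"""Flag PsExec, WinExe and Mimikatz activity in process-creation telemetry.

Added example for this article; not code from the original page or from
the vendors cited. The event format (Sysmon Event ID 1 fields exported as
key="value" pairs) and all sample lines are CONSTRUCTED assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


# Each rule: (name, image basenames that are suspicious on their own,
# optional regex applied to the lowercased command line).
RULES = [
    # PsExec copies PSEXESVC.exe to the target's ADMIN$ share and runs it as a service.
    ("psexec_service", {"psexesvc.exe"}, None),
    ("psexec_client", {"psexec.exe", "psexec64.exe"}, None),
    # WinExe (the Samba-based PsExec equivalent) installs winexesvc.exe the same way.
    ("winexe_service", {"winexesvc.exe"}, None),
    # Mimikatz is often renamed, so also match its module::command syntax.
    ("mimikatz", {"mimikatz.exe"}, re.compile(r"\b(sekurlsa|lsadump|kerberos|privilege)::")),
]

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Turn one key="value" log line into a dict (assumed export format)."""
    return dict(_KV.findall(line))


def image_basename(path: str) -> str:
    """Lowercased file name without the directory, tolerant of both slash styles."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect(lines):
    """Return one Finding per process-creation event that matches a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":      # only process-creation events
            continue
        base = image_basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "").lower()
        for name, names, rx in RULES:
            if base in names or (rx is not None and rx.search(cmd)):
                findings.append(Finding(ev.get("Host", "?"), name, ev.get("CommandLine", "")))
                break                     # first matching rule wins
    return findings


# Constructed sample telemetry; none of these hosts, users or paths is real.
SAMPLE_EVENTS = [
    r'EventID="1" Host="hmi-02" Image="C:\Program Files\Vendor\HMI.exe" CommandLine="HMI.exe /project plant.prj" User="PLANT\operator"',
    r'EventID="1" Host="eng-ws-01" Image="C:\Windows\PSEXESVC.exe" CommandLine="C:\Windows\PSEXESVC.exe" User="NT AUTHORITY\SYSTEM"',
    r'EventID="3" Host="eng-ws-01" Image="C:\Windows\PSEXESVC.exe" DestinationIp="10.10.5.7" DestinationPort="445"',
    r'EventID="1" Host="eng-ws-01" Image="C:\Users\operator\AppData\Local\Temp\m.exe" CommandLine="m.exe privilege::debug sekurlsa::logonpasswords exit" User="PLANT\operator"',
    r'EventID="1" Host="scada-srv-01" Image="C:\Windows\winexesvc.exe" CommandLine="winexesvc.exe" User="NT AUTHORITY\SYSTEM"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}  <- {f.evidence}")
```

Running the script flags the PSEXESVC service binary and the renamed Mimikatz on the engineering workstation and the WinExe service on the SCADA server, while ignoring the vendor HMI process and the network-connection event. Two caveats for real deployments: PsExec's -r option lets an attacker rename the service binary, so the file-name rules should be paired with service-installation events (System log Event ID 7045) and with alerts on any new service whose binary lives in ADMIN$; and the Mimikatz regex only catches command-line use, not in-memory loaders, which need LSASS-access telemetry (Sysmon Event ID 10) instead.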

How to protect against cybersecurity threats associated with the Energy Industry

The cybersecurity risks and threats facing the energy sector can be substantially reduced if organizations take proactive steps to secure their infrastructure from every angle.

Strategic Alignment of Threat Intelligence 

Based on the threats and risks that organizations in the energy sector face, they must develop a proactive approach: build or hire analytical teams that monitor and analyze threats across the industry and across regions, including intelligence on relevant vulnerabilities, while keeping legal, political, and economic factors in mind.

Strategic intelligence provides awareness, supports strategic action and response plans, and allows organizations to rethink their technology, processes, operating models, and policies.

An organization should have a well-tested incident response plan capable of dealing with and minimizing the impacts of large-scale and disruptive cybersecurity threats and attacks.

Organizations that plan to adopt a strategic threat intelligence program should do the following:

  • Identify gaps in their defenses and potential indicators of compromise based on current threat intelligence.
  • Use that intelligence to raise awareness among staff, employees, third-party vendors, and anyone else directly or indirectly associated with the organization.
  • Make the program robust and effective, covering identification of threats as well as strategic, operational, and tactical intelligence procedures.
  • Define incident response plans clearly and align them with the organization's goals and objectives so that they can deal with sophisticated and complex threats.

Organizations should also train their critical stakeholders on secure product development and on information-sharing best practices.

Closing Remarks

Staying aware of the threats and attacks aimed at the energy sector, and dealing with them proactively, can spare an organization many destructive events. Energy companies of all sizes must align their business needs and cybersecurity measures carefully to minimize the impact of threats that cause prolonged disruptions.

If you are in the energy sector and worry about your cybersecurity posture, we suggest you opt for VAPT (Vulnerability Assessment and Penetration Testing) services. VAPT is a strenuous task that requires a lot of critical thinking and resources. It may seem like overkill, but you'll thank us! If you have questions about hiring an ethical hacker or would like to move forward with a vulnerability assessment and/or penetration test, Cybersecurity Crusaders can take care of your organization's security posture, ensuring that your business remains protected against evolving and advanced security threats. Avoid becoming the next target of cybercriminals.
