Threat Intelligence Blog

Posted July 18, 2019

In the first installment of this series, we will explore the different threat actor groups that target the energy sector.

Every day, we rely on energy to drive to work, heat and cool our offices, conduct our business, and power the internet. Without it, we would be powerless to continue our livelihoods. Composed of power supply, oil and gas exploration, renewable energy research and delivery, nuclear energy, and more, the energy sector in the United States is critical to the industrial success of the nation. In 2018, the industry generated $238 billion in revenues, up $25 billion from 2017. The lucrative nature of the industry, along with its financial ties to the legislative world—lobbyists have spent $85.3 million so far in 2019—makes it highly controversial and bipartisan, as well as a prime target for terrorists and criminals alike.

With heavily automated and loosely protected processes, networks, and organizations, the energy sector is easily vulnerable to attack. Various types of threat actors deploy targeted attacks against the energy sector, each with their own ulterior motives. Coupled with low investment in digital risk management, this leaves one of the US's 16 critical infrastructure sectors at huge risk.

Types of Threat Actors Targeting Energy Companies

Advanced Persistent Threat (APT) Actors

A nation-state successfully compromising the energy sector opens the door to espionage, political leverage, power grid control, and theft—in many nation-state cases, theft of intellectual property.

In 2017, the Russian APT group Dragonfly 2.0 compromised US and European energy companies, giving the threat actors enough control of power grids that blackouts could have been induced. In more than 20 cases, Dragonfly 2.0 gained access to the interfaces through which energy engineers issue commands to equipment directly supplying energy to homes and businesses. Though APT attacks on Ukrainian power grids in 2015 and 2016 had caused blackouts, a breach so close to home had not yet been discovered.

In typical APT fashion, Dragonfly had remained undiscovered on company networks since December 2015. The group gained initial access through a phishing attack, then harvested credentials from compromised computers, which gave them remote access to critical machines. This breach allowed the APT group to collect screenshots of power grid control panels—positioning them to sabotage critical infrastructure. Though the group never acted on this capability, researchers believe they were holding it in reserve for political reasons: as a deterrent against the US using its own powerful cyberwarfare capabilities against Russia in the event of armed conflict or political strife.

Cyber Criminals

Cyber criminals are in it for the money, and the large revenues and investments flowing into energy and power organizations make targeting them a no-brainer—whether through ransomware or Distributed Denial of Service (DDoS) attacks, actors can tap the large coffers of the energy industry. Unfortunately, cyber criminals also capitalize on the energy sector in times of crisis.

In October 2018, North Carolina utility provider ONWASA was compromised by the Emotet malware strain in the midst of Hurricane Florence recovery. After bringing in security consultants to remove the malware quickly, ONWASA was hit again, this time with the Ryuk ransomware strain, just a week and a half later. Though the IT department saw the infection unfolding, it could do little to contain it; the ransomware spread throughout the network quickly. The utility provider refused to pay the ransom, working instead with the FBI and DHS to determine a course of action. Thankfully, the organization's utility service was not interrupted by the attack.

Had ONWASA suffered a water or power outage for an extended period of time, the effect would have been exponential. One small outage at a water pump causes a cascade of events:

  1. Loss of access to safe drinking water
  2. Lack of water for sanitation and hygiene
  3. Halt of wastewater treatment
  4. Lack of preparatory measures to react to the outage

Translating these consequences to a more densely populated area means loss of viable drinking water for millions. An attack following a natural disaster is very concerning for the utility provider and its customers; the timing of the cyber attack is surely not a coincidence. ONWASA is still recovering from the attack two years later, proving that preparing for inevitable cyber attacks should be at the forefront of the energy industry's mind.

Hacktivists
With motivations similar to those of APT groups, hacktivists typically target organizations whose ideological beliefs differ from their own or whose business practices they consider unjust. Given the highly politicized and bipartisan nature of natural resource extraction and energy production, the energy sector is a likely target for environmental and natural resource hacking groups.

Though we haven't seen a large-scale attack by activists in the energy space, it is likely that one will happen in the future, especially given the polarization of the US political climate. If a hacktivist attack does occur, it is most likely to take the form of a DDoS attack, as we have explored in the financial services space.

Whether after political vengeance or monetary gain, cyber threat actors will continue to penetrate critical infrastructure in the US. The energy industry's low investment in cybersecurity technology could be devastating not only for enterprises, but for consumers in their everyday lives. By simply upgrading and updating operating systems, organizations can avoid being implicated in breaches and outages. In Part Two of Afraid of the Dark, we will explore the attack vectors used by threat actors in the energy industry.
