As a continuation of its earlier research report, Resecurity released new threat intelligence research highlighting threat actors targeting energy installations in North America, Asia, and the European Union, including nuclear facilities and related research entities. Energy firms are facing escalating cyber threats from hacktivists, ransomware groups, and nation-state actors, particularly those linked to China, Iran, North Korea, and Russia. These attacks, often driven by geopolitical tensions and ideological motivations, have primarily focused on cyber-espionage rather than physical disruption.
However, increasing IT-OT convergence, cloud adoption, and the rise of IIoT have made operational networks more vulnerable. Ransomware actors now target OT (operational technology) systems to halt energy production and demand higher ransoms, while AI adoption in the sector introduces new security risks. Notably, the nuclear sector is at the center of this emerging threat landscape, with both energy firms and tech giants exploring AI-nuclear integrations. Meanwhile, U.S. power grids are becoming more susceptible, with attack surfaces expanding rapidly, according to NERC.
The Resecurity report documents the HUNTER unit’s latest findings of malicious activity targeting critical infrastructure organizations. The report highlights how these cyber threats continue to escalate, with energy firms remaining prime targets due to their strategic importance. Against a geopolitical backdrop fractured by ongoing conflicts in Ukraine and Gaza, HUNTER’s findings underscore how military hostility increasingly spills over into cyberspace. The report also explores how ancillary cybercriminal ecosystems play a role in supporting the malicious targeting of energy companies, amplifying the threat landscape.
The most prominent threat actors recently identified by HUNTER as actively targeting the energy sector include RansomHub/DragonForce (ransomware); HellCat (ransomware); Lazarus Group (nation-state); Cyb3rAv3ngers (nation-state); S16 (hacktivist); and Noname057(16) (hacktivist).
Based on this compilation of threat actors, Resecurity advises defenders to be aware of HellCat’s tactics, techniques, and procedures (TTPs), specifically its reliance on infostealer attack chains, with an emphasis on Lumma malware. Given this targeting activity, defenders should regularly conduct comprehensive dark web monitoring to audit their personnel’s and IT/software supply-chain partners’ exposure to credential compromise. The latter is particularly vital, as SecurityScorecard and KPMG research found that the IT and software supply chain is the energy sector’s weakest link.
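The audit described above, checking infostealer-log records against both the organization’s own domains and those of its IT/software supply-chain partners, can be reduced to a small triage script. The following is an added example written for this article, not code from Resecurity or the HUNTER unit; the leak records, domain names and stealer attributions are constructed and the domain lists are hypothetical. It matches on both the username’s mail domain and the login URL’s host, so a Lumma record for a corporate account used against a third-party SaaS portal is still caught.

```python
"""Triage constructed infostealer-log records for employee and partner credential exposure."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class LeakRecord:
    stealer: str     # malware family the record is attributed to (constructed)
    login_url: str   # URL the stolen credential was captured for
    username: str    # captured username, usually an e-mail address


# Constructed sample records modelled on infostealer log exports; not real data.
SAMPLE_RECORDS = [
    LeakRecord("Lumma", "https://vpn.example-energy.com/login", "j.doe@example-energy.com"),
    LeakRecord("Lumma", "https://portal.example-msp.net/", "ADMIN@Example-MSP.net"),
    LeakRecord("RedLine", "https://mail.example-energy.com/owa", " m.smith@example-energy.com "),
    LeakRecord("Raccoon", "https://shop.unrelated.example/", "someone@unrelated.example"),
    # Corporate account used on a third-party identity provider: only the username matches.
    LeakRecord("Lumma", "https://login.microsoftonline.com/", "r.lee@example-energy.com"),
]

# Hypothetical watch lists: the operator's own domains and its supply-chain partners.
ORG_DOMAINS = {"example-energy.com"}
PARTNER_DOMAINS = {"example-msp.net"}


def _domain_of(username: str) -> Optional[str]:
    """Mail domain of a username, normalised; None when it is not an e-mail address."""
    user = username.strip().lower()
    return user.rsplit("@", 1)[1] if "@" in user else None


def _host_of(url: str) -> Optional[str]:
    """Lower-cased host of the login URL (urlsplit already lower-cases hostname)."""
    return urlsplit(url).hostname


def _matches(domain: str, watch: set) -> bool:
    """True when domain equals, or is a subdomain of, any watched domain."""
    return any(domain == d or domain.endswith("." + d) for d in watch)


def classify(record: LeakRecord, org_domains: set, partner_domains: set) -> Optional[str]:
    """Return 'employee', 'partner' or None for one leak record."""
    candidates = [c for c in (_domain_of(record.username), _host_of(record.login_url)) if c]
    if any(_matches(c, org_domains) for c in candidates):
        return "employee"
    if any(_matches(c, partner_domains) for c in candidates):
        return "partner"
    return None


def audit_exposure(records, org_domains, partner_domains):
    """Group exposed records by category and count hits per stealer family."""
    hits = {"employee": [], "partner": []}
    by_stealer = Counter()
    for record in records:
        category = classify(record, org_domains, partner_domains)
        if category:
            hits[category].append(record)
            by_stealer[record.stealer] += 1
    return hits, by_stealer


if __name__ == "__main__":
    found, families = audit_exposure(SAMPLE_RECORDS, ORG_DOMAINS, PARTNER_DOMAINS)
    for category, items in found.items():
        print(f"{category}: {len(items)} exposed credential(s)")
        for item in items:
            print(f"  {item.stealer:8} {item.username.strip().lower():32} {item.login_url}")
    print("by stealer family:", dict(families))
```

Records that hit should feed a forced credential reset and a session revocation for the affected accounts; the per-family count is what tells you whether the exposure is dominated by one infostealer chain, as the report describes for Lumma.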
The report recognized that hacktivism is another prevailing threat targeting energy firms, with ideologically motivated adversaries linked to Russia and various Gaza-nexus adversary groups attempting to build credibility by publicizing alleged compromises of various victims’ OT networks. Most concerning, nation-state espionage actors linked to China, Iran, and North Korea have also increasingly been observed targeting the energy sector, including nuclear facility personnel.
These cyber-espionage campaigns are primarily driven by geopolitical considerations, as tensions shaped by the Russo-Ukrainian war, the Gaza conflict, and the ‘great power struggle’ between the U.S. and China are projected into cyberspace. With hostilities rising, potentially edging toward a third world war, rival nations are attempting to demonstrate their cyber-military capabilities by penetrating Western and Western-allied critical infrastructure networks. Fortunately, these nation-state campaigns have overwhelmingly been limited to espionage, as opposed to Stuxnet-style attacks intended to cause harm in the physical realm.
A secondary driver of increasing cyberattacks against energy targets is technological transformation, marked by cloud adoption, which has largely mediated the growing convergence of IT and OT networks. Moreover, OT-IT convergence across critical infrastructure sectors has made networked industrial Internet of Things (IIoT) appliances and systems more penetrable to threat actors. Specifically, researchers have observed that adversaries are using compromised IT environments as staging points to move laterally into OT networks.
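The staging pattern described above, an IT host being used as a pivot into OT, is visible at the segmentation boundary if flows across it are logged. Below is an added example, written for this article and not code from the report, that flags IT-to-OT crossings in constructed flow-log lines: any source outside the OT zone that is not an approved jump host, rated higher when the destination port belongs to an industrial protocol and lower when the firewall already blocked it. The subnets, the jump-host address and the log lines are hypothetical; the port-to-protocol mapping uses the standard registered ports for Modbus/TCP, S7comm, DNP3 and EtherNet/IP.

```python
"""Flag IT-to-OT boundary crossings in constructed flow-log lines."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Hypothetical network layout; not taken from the report.
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("10.50.0.0/16")
# Hosts permitted to cross the boundary, e.g. a hardened jump server in the IT/OT DMZ.
BOUNDARY_ALLOWLIST = {ipaddress.ip_address("10.10.5.10")}
# Standard industrial protocol ports; IT-sourced traffic to these is the strongest signal.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed flow records: timestamp,src,dst,dst_port,proto,action
SAMPLE_FLOWS = [
    "2025-03-01T10:00:01Z,10.10.5.10,10.50.1.20,502,tcp,ALLOW",    # jump host to PLC: expected
    "2025-03-01T10:00:07Z,10.10.22.41,10.50.1.20,502,tcp,ALLOW",   # workstation to PLC on Modbus
    "2025-03-01T10:00:09Z,10.10.22.41,10.50.1.5,3389,tcp,ALLOW",   # same workstation, RDP to HMI
    "2025-03-01T10:01:00Z,10.50.1.20,10.50.1.21,502,tcp,ALLOW",    # OT-internal: out of scope
    "2025-03-01T10:01:30Z,10.10.22.41,10.50.1.20,502,tcp,DENY",    # blocked attempt
    "# comment lines and malformed lines are skipped",
    "2025-03-01T10:02:00Z,203.0.113.9,10.50.1.20,502,tcp,ALLOW",   # source in neither zone
]


@dataclass
class Alert:
    timestamp: str
    src: str
    dst: str
    dst_port: int
    action: str
    severity: str
    ics_protocol: Optional[str]


def zone_of(ip) -> str:
    """Classify an address as 'ot', 'it' or 'other' (outside both zones)."""
    if ip in OT_ZONE:
        return "ot"
    if ip in IT_ZONE:
        return "it"
    return "other"


def parse_flow(line: str):
    """Parse one record; return None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 6:
        return None
    try:
        return (parts[0], ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                int(parts[3]), parts[4], parts[5].upper())
    except ValueError:
        return None


def detect_it_to_ot(lines):
    """Return an Alert for every non-allowlisted flow entering the OT zone from outside it."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, dport, _proto, action = flow
        if zone_of(dst) != "ot" or zone_of(src) == "ot":
            continue
        if src in BOUNDARY_ALLOWLIST:
            continue
        ics = ICS_PORTS.get(dport)
        if action != "ALLOW":
            severity = "low"        # blocked, but still evidence of probing from IT
        elif ics:
            severity = "high"       # direct industrial-protocol access from a non-OT host
        else:
            severity = "medium"     # management/remote-access traffic into OT
        alerts.append(Alert(ts, str(src), str(dst), dport, action, severity, ics))
    return alerts


def pivot_sources(alerts):
    """Distinct OT destinations per source, to surface hosts being used as a staging point."""
    targets = defaultdict(set)
    for alert in alerts:
        targets[alert.src].add(alert.dst)
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    found = detect_it_to_ot(SAMPLE_FLOWS)
    for a in found:
        print(f"{a.severity:6} {a.timestamp} {a.src} -> {a.dst}:{a.dst_port} "
              f"{a.action} {a.ics_protocol or ''}")
    print("OT targets per source:", pivot_sources(found))
```

The allowlist is what keeps the rule quiet in a well-segmented plant: if legitimate engineering access is all brokered through the jump host, every other crossing is worth a ticket, and a single IT source fanning out to several OT destinations is the lateral-movement shape the report describes.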
Compromising OT can be particularly lucrative for ransomware actors because this type of attack enables adversaries to physically paralyze energy production operations, empowering them with the leverage needed to command higher ransom sums. In cyber-military or cyber-terroristic scenarios, however, the sabotage of OT systems can be catastrophic for physical environments and human life.
Another technological trend that has transformed the threat environment for energy firms is rapidly advancing AI adoption. Not only has AI lowered the barriers to entry for certain types of attack campaigns, but the growing integration of AI with energy sector networks has introduced a maelstrom of new cyber-risk scenarios.
This trend has most notably impacted the nuclear sector, with Constellation Energy, the largest nuclear energy conglomerate in North America, announcing in 2022 that they were ‘looking at AI to decrease our customers’ energy costs and to optimize the many tasks they perform on a regular basis.’ At the same time, recent announcements from AI and cloud-focused Big Tech firms like Microsoft, Meta, and Google indicate that they have plans to tap nuclear energy to power their future data centers.
Beyond the emerging nuclear-AI nexus, the North American Electric Reliability Corporation (NERC), a non-profit international regulatory authority that enforces industry standards in the U.S. and Canada, warned last year that American power grids are becoming increasingly vulnerable to cyberattacks. According to NERC, the number of susceptible points in electrical networks is growing by about 60 per day.
The Resecurity report detailed that the compromise of utility companies, which are fourth-party victims of the primary MOVEit managed file transfer breach, highlights the magnitude of cyber supply-chain risk that energy operators must manage today. By breaching MOVEit, Cl0P was able to compromise not only the MFT platform’s customers but also third parties of those customers (fourth parties), exposing a downstream cascade of impacted vendors and clients.
Beyond Cl0P-nexus activity, threat actors connected to the HellCat ransomware group have also been prolific leakers of energy company data. Notably, HellCat claimed responsibility for the November 2024 ransomware attack against Schneider Electric, a French multinational energy management firm. That attack marked the third time Schneider Electric had been breached over the preceding 18 months.
The Federal Bureau of Investigation (FBI) issued a warning to private industry in July 2024, highlighting the growing cyber threat facing the U.S. renewable energy sector. According to the agency, threat actors are increasingly attempting to disrupt power generation, steal intellectual property, or hold critical operational data for ransom, motivated by geopolitical agendas or financial gain.
The FBI further emphasized that declining implementation costs and increased incentives for clean energy development have made renewable energy infrastructure an attractive and expanding target for cybercriminals and nation-state actors alike.
Other notable energy sector data leaks and access listings observed by Resecurity, which are at heightened risk of being weaponized by ransomware actors and other threat actors, include 30 GB of confidential data from Qatar Gas, ADNOC Offshore, and Bell Energy; Office 365 Exchange access for a U.S. energy firm that generates $6 billion in annual revenue; and network remote code execution access to ‘the largest energy company in North Africa.’
The report also highlighted, alarmingly, that hackers have escalated their targeting of the nuclear sector. These attacks have ranged from intricate job recruitment and phishing schemes targeting nuclear sector personnel to allegations of stolen data, access listings, and claims of successful DDoS attacks.
Over the last year, the most notorious adversary confirmed to have attacked nuclear sector targets is Lazarus Group, a North Korean state-backed advanced persistent threat (APT) group that has gained infamy for its high-ticket crypto hacks.
Last December, Kaspersky documented their findings from a Lazarus campaign they dubbed ‘Operation DreamJob.’ An investigation conducted by Kaspersky revealed that several employees from a nuclear-related organization were ‘infected via three compromised archive files appearing to be skill assessment tests for IT professionals.’ This ongoing campaign ‘leverages a range of advanced malware, including a newly discovered modular backdoor, CookiePlus, that was disguised as an open-source plugin,’ according to Kaspersky.
Combing the dark web, HUNTER analysts discovered a variety of alleged nuclear-related access listings, data leaks, and claims of successful DDoS attacks. HUNTER’s findings include a Malaysian Nuclear Agency database leak, an Emirates Nuclear Energy Corporation data leak, VPN access for a Greek nuclear energy company, an Electric Power Research Institute (EPRI) database, GE network logins including access to nuclear power plants, a DDoS attack on Framatome in France, and DDoS attacks on the Doel and Tihange nuclear plants in Belgium.
In response to these growing threats, the U.S. Department of Energy (DOE) issued new cybersecurity guidelines for electric distribution systems and distributed energy resources (DER) in 2024. These guidelines, developed in collaboration with the National Association of Regulatory Utility Commissioners (NARUC), aim to provide a common framework for reducing risk and improving the cyber resilience of critical infrastructure.
In conclusion, the Resecurity report warns about the increase in targeted cyberattacks against enterprises in the energy sector worldwide. Some of these attacks are part of much larger campaigns designed to target country-level infrastructure, acting as tools for geopolitical influence. Nation-state actors and foreign intelligence services are expected to leverage this approach as a new generation of warfare, in which cybercriminal actors may play a significant role by enabling further cyberattacks and providing the infrastructure and resources needed for offensive cyber operations.