Cyber criminals target the energy sector

By Caroline Bødkerholm, If

The energy sector is increasingly targeted by cyber criminals whose goal is to steal data or to disrupt or even shut down power production and distribution operations. Several factors increase the sector’s vulnerability and its attractiveness to cyber criminals.

One factor that affects the vulnerability of the energy sector is that all other industry sectors rely on the availability of energy. The stability of the energy sector is what keeps the wheels of the economy spinning, and this makes energy companies a vital supplier to businesses, communities and individuals. Because it supplies heat and electricity, the sector is targeted by criminals looking to cash in.

Mikko Peltonen, Head of Digital Risks & Cyber at If P&C, adds: “The energy sector is also part of the critical infrastructure that underpins national security. For that reason, cyber-attacks against the energy sector are often perceived as attacks on the country itself.”

The number of threats has increased

The number of threats from nation-state actors has increased immensely in recent years.

In fact, Microsoft highlights in its Digital Defense Report for 2020 that “nation-state actors are engaging in new reconnaissance techniques that increase their chances of compromising high-value targets, criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services.”

Although an exact figure for the increase in nation-state attacks is difficult to validate, it is clear that cybercrime has exploded during the COVID-19 pandemic. In the aforementioned report, Microsoft identified 16 different nation-states “targeting customers involved in the global COVID-19 response efforts or using the crisis in themed lures to expand their credential theft and malware delivery tactics.”

The energy sector is also targeted to obtain sensitive data on power grids and the locations of power stations, generators, substations and transformers for the purpose of espionage, sabotage and hybrid warfare. This kind of cybercrime is often rooted in political and economic motives.

A third factor that puts the sector in a vulnerable position is the many emerging innovative technical solutions that are being put into use every day. The industry is getting smarter, more digitalised and increasingly connected. At the same time, there is a rise in sophistication among cyber criminals, who are exploiting complex vulnerabilities in companies’ supply chains.

“I am sure that we will see many more of these contemporary supply chain cyber-attacks in the future.”

Mikko Peltonen, Head of Digital Risks & Cyber at If P&C

Supply chain attacks

In a supply chain attack, hackers identify a weak link, which can be an open-source tool, a supplier or even a service provider. This weak link becomes the hackers’ entry point into the company.

A known example of a supply chain attack is NotPetya in 2017, where Maersk Tankers suffered severe consequences and extremely costly downtime. The most recent example of such a contemporary supply chain cyber-attack is the SolarWinds attack, which was discovered in December 2020 by FireEye, one of the world's top cybersecurity firms. Despite its company name (solar wind meaning flares from the sun), SolarWinds has nothing to do with the energy sector. It provides a network monitoring system used by, among many others, large energy companies to monitor traffic and uptime.

The SolarWinds attack was complex and required substantial preparation from the cyber criminals. The infrastructure of SolarWinds was compromised and malware was inserted into a software update. So, when users of SolarWinds’ software solution Orion accepted the new update, they unknowingly updated their systems with the compromised software. The code created a backdoor into the users’ information technology systems, which was used to install even more malware to spy on companies and organisations.

The malicious update went undetected for months, and up to 18,000 of SolarWinds’ users installed updates that left them vulnerable to hackers (Business Insider, 2021).

The SolarWinds attack was not targeted against the energy sector. However, since many large energy companies use the SolarWinds network monitoring system, it is safe to say that their data has been at risk of espionage.

Spear-phishing attack

Another attack, where the energy sector was the ultimate target, was the phishing attack on the Ukrainian power grid.

The attack was a spear-phishing attack, in which hackers send emails to carefully selected employees in a company, and the emails look as if they come from a trusted sender. The purpose of such an attack is either to infect devices with malware or to force victims to hand over money or data.

Within the Ukrainian power grid, the campaign targeted employees working in IT and system administration. The spear-phishing campaign delivered a malicious email to these carefully selected employees, who, by clicking on the attachment, opened a backdoor for the hackers.

On December 23, 2015, one of the employees saw the cursor on his computer begin to move around the screen on its own. The employee could not take back control, as the attackers had already logged him out. The consequences were immense, as 230,000 customers lost power. (Ukrainian Power Grid Attack - Blog | GlobalSign)

Due diligence

“Cyber threats are here to stay, and there are multiple stakeholders that can be a part of the solution to this growing problem. To maintain the production and distribution of energy and power services to businesses and communities, we must remain diligent and continue to focus on cyber and IT security as a priority,” says Mikko Peltonen.

Article published in Risk Consulting 2/2021