Ddos 
As geopolitical tensions escalate worldwide, the energy sector has become a primary battlefield in cyberspace. A new report by Resecurity’s HUNTER threat intelligence unit reveals an alarming surge in cyberattacks targeting energy operators across nuclear, renewable, and traditional fossil fuel domains. The attacks span ransomware, nation-state espionage, hacktivism, and access broker activity—amplifying the risk to both IT and increasingly exposed OT (Operational Technology) environments.
“Military hostility is projected into cyberspace… and ancillary cybercriminal ecosystems support the malicious targeting of energy firms,” the report warns.
Ransomware continues to dominate the threat landscape. According to TrustWave, ransomware attacks against energy and utilities surged by 80% in 2024, with adversaries exploiting IT environments as launching pads for potential OT disruptions.
- Halliburton, one of the world’s largest oilfield service providers, lost $35 million due to a RansomHub breach in August 2024.
- Ikav Energy, a renewable energy investment firm, was breached by DragonForce, with 177 GB of sensitive data exposed.
- NUCLEP, a Brazilian state-owned nuclear company, was targeted by a Babuk ransomware spin-off demanding $1.5 million in exchange for exclusive data access.
“Cybercriminals aim to profit from sensitive R&D; that’s why they set an extremely high price amplified by speculative narratives,” Resecurity noted.
Nation-state actors are turning their focus toward strategic energy infrastructure:
- Lazarus Group (North Korea) infected employees at a nuclear organization using “Operation DreamJob,” leveraging malware disguised as skill assessment tests.
- CyberAv3ngers (Iran) targeted Israeli-made programmable logic controllers (PLCs) across global energy and water networks.
- Midnight Blizzard (Russia) conducted OAuth-based intrusions via Microsoft 365 to gain covert access to sensitive communications in the energy industry.
“All critical digital assets manufactured by Israel have been deemed legitimate military targets,” stated Resecurity, emphasizing how geopolitical motives shape cyber targeting.
Groups like S16, Z-Pentest, and Noname057(16) have escalated their hacktivist activity, claiming unverified disruptions to oil pumps, SCADA systems, and cooling systems at nuclear and hydroelectric plants in Texas, France, Germany, and Belgium.
In one claim, S16 stated: “The system was hacked and completely broken, oil production was stopped, the system was completely destroyed.”
While many of these assertions remain unconfirmed, the frequency and scale of claims are unsettling. Analysts caution that hacktivism, even if overhyped, signals increasing interest in cyber-physical disruption.
The HellCat ransomware group gained access to Schneider Electric’s internal Jira systems by infecting an employee with the Lumma infostealer. The breach compromised over 400,000 rows of sensitive data, demonstrating how credential theft through infostealers can become the foothold for ransomware attacks on industrial giants.
“Defenders should be especially aware of HellCat’s reliance on infostealer attack chains, with an emphasis on Lumma malware,” the report advises.
Resecurity’s findings reinforce that supply chain compromise is the energy sector’s most pressing vulnerability:
- The MOVEit breach by Cl0P impacted downstream partners like CLEAResult and dozens of utility companies including Entergy, Nevada Energy, and Appalachian Power.
- According to SecurityScorecard and KPMG, 45% of breaches in the energy sector originate from third-party software and IT vendors, with 90% of multi-breach victims hit via the same route.
“This highlights the magnitude of cyber supply-chain risk that energy operators must manage today,” Resecurity emphasized.
Despite strict isolation protocols, nuclear infrastructure remains under intense cyber scrutiny:
- Data leaks and access listings for EPRI, ENEC, GE, and the Malaysian Nuclear Agency were discovered on underground forums.
- Framatome, Doel, and Tihange nuclear facilities were allegedly DDoSed by Noname057(16), though Resecurity confirmed no operational disruptions due to their air-gapped networks.
“The specific attack vector that nuclear energy operators must be on high alert for is malicious portable media introduced into the plant environment by a rogue employee or contractor,” said Mark Rorabaugh, President of InfraShield.
As Resecurity warns, “the potential for a catastrophic cyber-physical attack that causes environmental or human harm is rapidly increasing.” Energy-sector defenders must treat this surge in cyber activity as not only a technical risk, but a geopolitical one—requiring vigilance, cooperation, and fortified security architecture from the ground up.
Related Posts:
- Resecurity: Nuclear energy, oil and gas are top targets for ransomware groups in 2024
- Kaspersky Report: Energy Industry becomes the largest area affected by vulnerabilities in industrial automation systems
- Russian nuclear weapons scientists arrested for using supercomputer to mine Bitcoins
- Misinformation Campaigns Surge in the Philippines Amidst Geopolitical Tensions
- ServiceNow Exploits Used in Global Reconnaissance Campaign
About The Author
