If you were to Google “cyber attacks on critical infrastructure,” you would get over 27 million results in less than one minute. From examples to stats to proposed solutions, the bottom line is that critical infrastructure, and energy companies specifically, is under fire.
Hackers and state-sponsored cybercriminals are unleashing a new form of warfare against critical infrastructure, and activity has surged since the start of the Ukraine war. These attacks pose a potentially deadly threat to societies worldwide as hackers target critical systems like power grids and water supplies.
A June 2022 Trend Micro report found that 89% of companies across the electricity, manufacturing, and oil and gas industries suffered cyberattacks that affected their production and supply in the previous 12 months.
Meanwhile, a 2022 Energy Security Sentinel report found that of the 45 cybersecurity incidents targeting energy and commodities infrastructure since 2017, 13 had occurred in the previous 12 months.
A significant threat facing the energy industry is third-party risks, whereby attackers target an organization's vendor ecosystem. Utilities are rightly focused on first-party threats, which directly target their employees, OT, and IT systems. But don’t overlook third-party risks or fail to implement the appropriate controls to protect against threats from your partners and vendors. As strong as your internal security practices are, your third-party supply chain is only as strong as your weakest link.
5 Energy Data Breach Examples
Carl Sagan once said, “You have to know the past to understand the present,” words of wisdom that apply equally to risk management. To understand the risk energy companies face and how they are susceptible, it is important to assess how recent and noteworthy attacks occurred. As such, here are five of the most notable cyberattacks against the energy industry.
SolarWinds
From 2019 to 2020, a cyberattack targeted the software supply chain of SolarWinds, an IT infrastructure management company, through its Orion platform. The incident, linked to Russian nation-state hackers, began with the attackers compromising the company's own software supply chain, which enabled them to install malware on SolarWinds customers' networks.
The hackers modified a plugin on the Orion platform so that it contained a backdoor, which allowed them to take control of third-party servers, steal data, and deploy malicious code. The compromised software reached over 18,000 customers, among them several US federal government agencies, including the Departments of Justice, Homeland Security, and Treasury. Quick hotfixes and global Microsoft security patches eventually remedied the attacks.
3CX
In March 2023, hackers attacked the supply chain of software company 3CX, which has around 600,000 global customers and 12 million active daily users. The 3CX compromise was itself enabled by an earlier compromise of trading software that an employee had downloaded, and the attack went on to compromise two energy firms and two financial trading firms.
The malware deployed a multi-stage backdoor that executed shellcode, injected a communication module across Chrome, Edge, and Firefox browsers, and then terminated. The backdoor enabled attackers to steal corporate login credentials from the employee's device and then move laterally through 3CX's network to breach their Mac and Windows build environments. The malware also loaded automatically upon device startup, which gave attackers remote access to all compromised connected devices.
Colonial Pipeline
In May 2021, a ransomware attack targeted the Georgia-based Colonial Pipeline, the largest fuel pipeline in the US, delivering nearly half of the transport fuel to the East Coast. The hacking group DarkSide gained access to and encrypted corporate data, then threatened to leak it online unless Colonial agreed to their ransom demand.
The pipeline and its IT and OT systems were pre-emptively shut down for several days, which threatened to trigger an international supply crisis. A $5 million payment was eventually made to restore the data, ending the most significant attack against critical infrastructure to date.
Copel and Eletrobras
In February 2021, state-owned Brazilian utility companies Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel) became the victims of ransomware attacks from DarkSide, the same group behind the Colonial Pipeline attack.
The attack on Copel forced some operations and services offline, and 1,000 GB of sensitive data was stolen and leaked online. The Eletrobras attack affected its subsidiary, Eletronuclear, which runs two nuclear power plants. The company had to suspend some operations to protect its data, but its OT systems, which run the nuclear power plants, were isolated and unaffected.
Triton
In 2017, malware known as Triton was first discovered targeting a petrochemical plant in Saudi Arabia. Triton gives attackers remote control over a plant's safety systems, the controllers that detect dangerous conditions and shut affected equipment down. Had the attackers been able to disable or tamper with those systems, the result could have been catastrophic. However, a flaw in the code caused a plant shutdown that exposed the intrusion before the attackers could cause any harm. The group behind the code is now using it to target companies in North America and worldwide.
The attackers are believed to have been inside the Saudi Arabian petrochemical company's IT network since 2014. They entered the network through a spear phishing attack that gave them access to a poorly configured firewall and an engineering workstation.
How Data Breaches Occur in the Energy Industry
Hackers are deploying sophisticated methods to target organizations in the energy industry, their users, and their high-value data. Cybercriminals are increasingly using third-party attacks to infiltrate their intended targets. CRA Business Intelligence research in January 2023 found that 57% of companies had suffered a cyberattack or data breach related to a third-party partner in the previous two years.
In third-party attacks, hackers target external partners, providers, and vendors that have access to the company's data and systems. This type of attack, exemplified by the SolarWinds incident discussed above, carries greater risk as more enterprises rely on outside providers and new, more sophisticated attack vectors emerge.
Cybercriminals also still use recurring methods to successfully discover and expose vulnerabilities and compromise devices, networks, and systems. These include:
- Phishing: Phishing remains one of the most successful attack methods hackers use to target energy companies and their employees. Despite repeated warnings, users still fall for hackers masquerading as reputable or known contacts by email, instant message, or text message.
- Ransomware: IBM research finds that ransomware attacks increased by 41% in 2022, while identification and remediation took 49 days longer than average breaches.
- Insider Attacks: Insider threats have risen 44% over the past two years, according to Ponemon research. The research also shows that companies still struggle to close down these threats quickly enough, with incidents taking 85 days to discover. Energy organizations face a dual problem with insider threats. Users with network access can exfiltrate sensitive information, while data loss could affect critical operations.
- Zero-Day Exploits: Zero-day vulnerabilities are a significant threat to energy companies. Hackers are constantly devising new methods to discover and exploit vulnerabilities and deploy malware before companies even realize the issue exists, let alone create a patch to fix it.
How Energy Companies Can Limit Their Cyber Risk
Service without disruption and protection of customer data are the ultimate goals. Threats against critical infrastructure have financial and customer-trust implications and put public safety and lives at risk. Energy companies can address these risks with a cybersecurity strategy that combines enhanced access control, deeper third-party insight, and improved security hygiene.
Preventing third-party breaches also relies on a risk management team’s ability to evaluate and quantify their third-party risks quickly. However, CyberGRX research finds that around half of companies believe their vendor due diligence is ineffective. Additionally, 20% of vendors are high-risk, yet identifying which poses the most significant threats can be challenging. Businesses need a better approach to assessing and managing their vendor ecosystems.
How CyberGRX Helps
As cyberattacks increase in sophistication and volume, companies across the energy industry need to strengthen their defenses to reduce the impact of potential incidents. And this is where CyberGRX can help.
To help organizations improve the visibility of third-party risks, Portfolio Risk Findings provides a portfolio-wide view against your preferred framework, showing which third parties have unmet controls and which vendors are the riskiest. To drill into a specific third party, Framework Mapper gives you a more granular view, using either assessment or predictive data. Additionally, Threat Profiles let you view the unmet controls most commonly exploited in cyberattacks so you can proactively mitigate your risks.
Better managing your risks starts with visibility into your third-party network. Want to see what dangers are lurking in your vendor ecosystem? Schedule time with our team now.