The many aspects of the cyber threat to the energy sector


Threat Discovery is an editorial space of Telsy and TS-WAY dedicated to in-depth analysis in cyber threat intelligence at the global level.

The information reported is the outcome of the collection and analysis work carried out by TS-WAY specialists for the TS-Intelligence platform.

 

State-sponsored campaigns

Littleton Electric Light and Water Departments (LELWD), a small public utility in Massachusetts, was compromised by the Chinese APT Volt Typhoon. The intrusion, which began in February 2023 and lasted nearly a year, was aimed at gathering information on the power and water provider’s OT (Operational Technology) division, with the alleged goal of destructive action in the event of conflict.

The activity would be part of a broader strategy Beijing planned to position itself within the critical infrastructure of the United States and gain strategic and operational advantages in the event of future crises. The operation the APT itself conducted against strategic infrastructure on the island of Guam in Micronesia, which hosts U.S. air and naval bases, was also read in this light.

Federal authorities in Belgium have launched an investigation into an alleged Chinese espionage operation, dating back to 2021-2023, that reportedly affected the systems of the Belgian Pipeline Organization, a military body that oversees North Sea oil pipelines, and the Intelligence and Security Agency VSSE. The breach would be traceable to the campaign that exploited the 0-day CVE-2023-2868 in Barracuda’s Email Security Gateway appliance, discovered in 2023 and associated with the Chinese adversary UNC4841.

The Double-Tap campaign, associated with Russian APT Sofacy, first tracked in July 2024 by Ukrainian CERT and still active in November, aimed to gather information on Kazakhstan’s international relations. As a vector, the cyberattack exploited spear phishing emails containing legitimate Office documents, allegedly from the Ministry of Foreign Affairs of the Republic of Kazakhstan.

Russia’s interest in preserving its influence over this region is spurred by Astana’s attempts to carve out a role for itself in Central Asia and in relations with Europe and the U.S., on at least two main fronts. On the one hand, the country is well positioned on the Trans-Caspian International Transport Route (TITR), also known as the “Middle Corridor,” a network of roads, railways, sea and river routes connecting China with mainland and Mediterranean Europe, bypassing Ukraine.

On the other hand, Kazakhstan, which is one of the world’s largest producers of uranium, is emerging as a major player in the energy sector, with plans for a civilian nuclear power plant to be built near Ulken, in the Almaty region, on the western shore of Lake Balkhash. The construction of the plant, approved last Oct. 6 by a referendum, has been awarded to the companies China National Nuclear Corporation (CNNC), Korea Hydro & Nuclear Power (KHNP), Rosatom (Russia) and Électricité de France (EDF).

 

Hacktivist operations

Lab Dookhtegan, a hacktivist group of internal opposition to the Tehran government, claimed an attack against the National Iranian Tanker Company and Islamic Republic of Iran Shipping Lines. The group, which has been active for six years and is responsible for hack-and-leak campaigns against Iranian intelligence and its APTs, intended to protest alleged violations of sanctions on oil trade. According to the hacktivists, the two companies allegedly facilitated the sale of Iranian crude oil to China.

The attack, which took place in conjunction with the U.S.-led kinetic operations in the Red Sea against the Yemeni Houthis, allegedly disrupted the communications of 116 ships belonging to the two companies and would constitute one of the largest offensive operations ever carried out against Iran’s maritime sector.

 

Ransomware attacks

Lynx Team claimed the compromise of Electrica Group – Societatea Energetica Electrica S.A., one of Romania’s largest energy suppliers. The attack took place in November 2024 and, according to information provided by the energy minister, Sebastian Burduja, would have had no impact on the SCADA (Supervisory Control and Data Acquisition) systems of the OT division. Attribution was made almost immediately by the Romanian National Directorate for Cyber Security (DNSC), but the claim did not appear on the adversary’s leak site until February 2025. This year, Lynx Team has claimed breaches against other entities in this sector, such as Lexington Electric (US) and Palomino Petroleum (US).

Overall, reports of ransomware attacks against energy and Oil&Gas targets published by adversaries between 2022 and 2024 exceed 260.

LockBit Team accounted for nearly 60 of these, against entities such as Petrotec Qatar and the German federally owned Deutsche Energie-Agentur GmbH. The latter, compromised by the Russian ransomware group in late 2023, also appeared in the same days among the victims of ALPHV Team, which reported about 30 in total, including Canadian Trans-Northern Pipelines.

 

Attacks

A modified version of AsyncRAT was distributed by an adversary of alleged Libyan origin against about 900 targets located in Egypt, Libya, the United Arab Emirates, Saudi Arabia, and Turkey. The attacker exploited social platforms such as Facebook to spread fake ads containing a malicious link. Among the infected machines were reportedly those of some employees of oil companies.

A MintsLoader-based malware campaign distributed the StealC infostealer and the client of the BOINC open-source network computing platform. StealC is a Malware-as-a-Service – marketed since at least 2023 in underground Russian-speaking forums – that targets sensitive data stored by web browsers, extensions, applications, cryptocurrency wallets and email clients, including financial information, passwords and tokens. BOINC is legitimate software developed at the University of California, Berkeley. Victims include organizations from the electric power, Oil&Gas, law firms and legal services sectors in Europe and the US.

 

Telsy and TS-WAY

TS-WAY is a company that develops technologies and services for medium and large-sized organizations, with expertise in cyber threat intelligence that is unique in Italy. Founded in 2010, TS-WAY has been part of Telsy since 2023.

It operates as an extension of the client organization, supporting the in-house team in intelligence and investigation activities, cyber incident response, and systems security verification.

TS-WAY’s experience is internationally recognized and is corroborated by large private organizations in finance, insurance, defense, energy, telecommunications, transportation, and technology, and by government and military organizations that have used the services of this Italian company over time.

 

TS-WAY’s Services and Solutions

With several vertical teams of security analysts and researchers with technical and investigative expertise and internationally recognized experience, TS-WAY provides all the assistance needed to align an organization’s security program with its risk management objectives.

Its services offer a preventive and comprehensive approach to security to protect clients’ assets and business continuity.

Its technology solutions transform global threat data into strategic, tactical, operational, and technical intelligence.

 

TS-Intelligence

TS-Intelligence is a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.

It is presented as a Web-usable, full-API platform that can be operated within an organization’s defensive systems and infrastructure, to strengthen protection against complex cyber threats.

Constant research and analysis on threat actors and emerging networked threats, in both the APT and cybercrime spheres, produces a continuous flow of exclusive information that is made available to organizations in real time and processed into technical, strategic, and executive reports.

 

Learn more about TS-WAY’s services.