2023 saw an explosion of ransomware attacks targeting the energy sector and critical infrastructure. More than a dozen well-known ransomware groups, including Blackcat ALPHV, Medusa, and Lockbit 3.0, have stepped up their attacks on the most valuable targets in the energy industry, and the threat situation facing the energy industry has deteriorated rapidly.
The major ransomware data breaches in the energy industry in 2023 are as follows:
In November 2023, the ransomware group Blackcat ALPHV added Taiwan's Sinopec to the list of victims on its leak site, with a leaked data size of 419GB.
In November 2023, the Idaho National Laboratory (INL) in the United States was attacked by the hacker group SiegedSec. The servers running the Oracle HCM system were compromised, and hundreds of thousands of personal data records, including those of staff, were leaked. INL is a nuclear research center operated by the U.S. Department of Energy with 50 experimental nuclear reactors.
On September 7, 2023, the pro-Russian "Stormous" ransomware gang announced the leak of 300GB of data from JSC (PVC-MS), a member of Vietnam Petroleum Construction Joint Stock Company (PVC), a subsidiary of Vietnam's National Petroleum Corporation (PVN). The latter was founded in 1983 and is mainly engaged in the construction, manufacturing and installation of platforms, tanks and pipelines in the oil and gas sector.
In August 2023, the database of Israel's Neve Ne'eman nuclear reactor was listed on dark web forums for $900 ***. Hackers claim that the database contains all the information about ** and the full name of the professor and his residential address; 10GB of confidential files, including components and materials used in the experiment; the size, level and location of the reactor; and the email, IP, and password used to log in (SSH SMTP server).
In May 2023, hackers leaked more than 100,000 emails stolen from the Iranian Nuclear Power Production and Development Company (AEOI) on dark web forums.
In March 2023, hackers leaked 1.4GB of data stolen from Indonesia's National Nuclear Energy Agency (Batan) on a dark web forum.
In February 2023, the ransomware group Medusa claimed to have attacked PetroChina (an Indonesian company) and demanded a ransom of $400,000.
In February 2023, Taiwanese battery manufacturer Phihong was hit by a Lockbit 3.0 attack, with data leakage and extortion.
In February 2023, Acea, an Italian company that provides electricity and water services to the city of Rome, was attacked by the Black Basta ransomware group, which paralyzed the ** service.
Six trends in ransomware attacks in the energy industry in 2023
According to Resecurity's latest 2022-2023 Energy Industry Ransomware Attack Report, ransomware attacks in the energy industry in 2023 showed the following six trends:
There has been a significant increase in ransomware attacks targeting the energy industry. Malicious activity targeting the energy industry has been detected in North America, Asia, and the European Union (EU). Cybercriminals target this sector because the data assets involved are of higher value and support larger ransom demands. These attacks also show that the data assets of critical infrastructure are more valuable to ransomware organizations than data assets in other sectors of the economy.
Attackers are adopting new tactics to increase encryption speed and evade detection. New attack tactics deployed by ransomware attackers in the "big hunt" against energy businesses and institutions include intermittent encryption, the use of more modern, specialized programming languages, and double ransomware attacks involving multiple variants. According to the U.S. Department of Homeland Security, these emerging tactics allow attackers to "encrypt systems faster and reduce the chance of detection."
Ecosystem collaboration behind ransomware attacks in the energy industry. Ransomware attacks in the energy industry are not the work of a single isolated organization; they are supported by a thriving attack ecosystem that includes initial access brokers (IABs) and tool developers. The horizontal collaboration among these cybercriminal groups shows that attackers see the energy industry as a gold mine of valuable data.
Initial access brokers actively seek out credentials and identity data for the energy industry. Resecurity has identified several initial access brokers (IABs) operating on the dark web that are actively looking for credentials and other unauthorized methods of intrusion in the energy industry. Some of these IABs even peddle unauthorized access to nuclear energy companies. In addition, Resecurity found a large number of posts on major cybercrime forums, including RAMP (Anonymous Russian Marketplace), where attackers have profited and continue to profit from the purchase of illegal network access to the energy industry.
Ransom amounts are skyrocketing. The ransom amount for ransomware attacks targeting energy companies continues to grow, reaching as high as $7 million. Another key factor behind the huge ransoms that ransomware groups demand from victim organizations is the potential for devastating damage to industrial processes in the victim's environment.
Nuclear energy facilities and institutions are popular targets. Nuclear organizations are high-priority targets for ransomware groups and APT groups engaged in cyber espionage, because a ransomware attack on a nuclear facility can have a significant impact on geopolitical relations, capital markets, public safety, and the world.
Outlook for 2024
In 2024, an increasing number of ransomware organizations are expected to prioritize the energy industry's top value targets, especially the nuclear energy industry and the downstream and upstream businesses of oil and gas companies. As the digitalization of the energy industry continues and the convergence of IT and OT accelerates, the attack surface keeps expanding and assets and data diversify, giving attackers more opportunities to exploit.
In addition, since energy is a critical infrastructure industry, the high likelihood of paying a hefty ransom further increases its appeal to ransomware groups. As a result, 2024 will be a year in which the energy industry is tested by ransomware attacks, and energy companies must strengthen their cyber defenses to prepare for the most devastating and sophisticated attacks that are coming.