Cyber Risk in the Energy Sector
Understand more about cyber risk in this sector.
Threat Reports
Publicly available threat reporting on cyber attacks against Energy.
Cloaked and Covert: Uncovering UNC3886 Espionage Operations
This article by researchers from Google's Mandiant outlines intrusion activity by UNC3886, a suspected China-nexus cyber espionage group. The ...
APT45: North Korea’s Digital Military Machine
This report from threat intelligence analysts at Google's Mandiant marks the graduation of this cyber actor to a fully designated APT - APT45. The ...
Onyx Sleet uses array of malware to gather intelligence for North Korea
Following an indictment by the US Department of Justice linked to the intrusion set Microsoft tracks as Onyx Sleet, this report includes details of ...
UAC-0133 (Sandworm) plans for cyber sabotage at almost 20 critical infrastructure facilities in Ukraine
This Medium post translates a UA-CERT alert and adds additional technical analysis of the QUEUESEED/KAPEKA backdoor, which has been used against ...
APT44: Unearthing Sandworm
This report from researchers at Mandiant marks the graduation of the Sandworm intrusion set to the Mandiant APT label: APT44. It provides a ...
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
This report by Symantec details activities of the cyberespionage group known as Dragonfly. The reporting covers a campaign which initially focused ...
Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide
This presentation from TeamT5 describes the intrusion set they refer to as TeleBoyi and was presented at JPCERT's JSAC2024 conference on January ...
Threat Assessment: EKANS Ransomware
This threat assessment from researchers at Palo Alto's Unit 42 covers the EKANS ransomware. According to the report, EKANS was first observed in ...
EKANS Ransomware and ICS Operations
This blog post by researchers at Dragos talks about the EKANS ransomware variant. EKANS targets industrial control system (ICS) operations, and ...
GhostSec’s joint ransomware operation and evolution of their arsenal
This Threat Spotlight from Cisco Talos describes the evolution of GhostSec's ransomware operations including their work with the Stormous ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
SVR cyber actors adapt tactics for initial cloud access
This advisory from the UK's National Cyber Security Centre (NCSC) outlines tactics, techniques and procedures (TTPs) used by the cyber actors ...
TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
This blog post by FireEye intelligence outlines how they attributed TEMP.Veles to a Russian government sponsored research institute - CNIIHM. ...
VOLTZITE Espionage Operations Targeting U.S. Critical Systems
This report details activity related to the VOLTZITE intrusion set as observed by Dragos. The report identifies sectors and geographies targeted ...
Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets
This report from Microsoft Threat Intelligence describes a subset of activity related to the Mint Sandstorm actor. The campaign includes the theft ...
Project CAMERASHY
This report by ThreatConnect and Defense Group Inc outlines activities by the Naikon APT (advanced persistent threat) group and attributes them to ...
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
APT1: Exposing One of China's Cyber Espionage Units
The APT1 report represents years of work by Mandiant, who analysed data across hundreds of breaches globally. The report identifies APT1 as a ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use against Energy.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1014 | Rootkit | Defense Evasion |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1003 | OS Credential Dumping | Credential Access |
T1071 | Application Layer Protocol | Command and Control |
T1080 | Taint Shared Content | Lateral Movement |
T1119 | Automated Collection | Collection |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1204 | User Execution | Execution |
T1486 | Data Encrypted for Impact | Impact |
T1057 | Process Discovery | Discovery |
T1083 | File and Directory Discovery | Discovery |
T1005 | Data from Local System | Collection |
T1036 | Masquerading | Defense Evasion |
T1569.002 | Service Execution | Execution |
T1560 | Archive Collected Data | Collection |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1010 | Application Window Discovery | Discovery |
T1059 | Command and Scripting Interpreter | Execution |
T1090.001 | Internal Proxy | Command and Control |
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1106 | Native API | Execution |
T1202 | Indirect Command Execution | Defense Evasion |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1021 | Remote Services | Lateral Movement |
T1074 | Data Staged | Collection |
T1561 | Disk Wipe | Impact |
T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
T1129 | Shared Modules | Execution |
T1485 | Data Destruction | Impact |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1095 | Non-Application Layer Protocol | Command and Control |
T1489 | Service Stop | Impact |
T1082 | System Information Discovery | Discovery |
T1112 | Modify Registry | Defense Evasion |
T1218.010 | Regsvr32 | Defense Evasion |
T1573 | Encrypted Channel | Command and Control |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1136 | Create Account | Persistence |
T1566.001 | Spearphishing Attachment | Initial Access |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1047 | Windows Management Instrumentation | Execution |
T1219 | Remote Access Software | Command and Control |
T1622 | Debugger Evasion | Defense Evasion, Discovery |
T1555 | Credentials from Password Stores | Credential Access |
T1560.001 | Archive via Utility | Collection |
T1562.009 | Safe Mode Boot | Defense Evasion |
T1484.001 | Group Policy Modification | Defense Evasion, Privilege Escalation |
T1059.001 | PowerShell | Execution |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1567 | Exfiltration Over Web Service | Exfiltration |
T1490 | Inhibit System Recovery | Impact |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1016 | System Network Configuration Discovery | Discovery |
T1087.002 | Domain Account | Discovery |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1070.004 | File Deletion | Defense Evasion |
T1090.002 | External Proxy | Command and Control |
T1098.005 | Device Registration | Persistence, Privilege Escalation |
T1110 | Brute Force | Credential Access |
T1621 | Multi-Factor Authentication Request Generation | Credential Access |
T1528 | Steal Application Access Token | Credential Access |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1592 | Gather Victim Host Information | Reconnaissance |
T1090.003 | Multi-hop Proxy | Command and Control |
T1090 | Proxy | Command and Control |
T1105 | Ingress Tool Transfer | Command and Control |
T1113 | Screen Capture | Collection |
T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
T1021.007 | Cloud Services | Lateral Movement |
T1563 | Remote Service Session Hijacking | Lateral Movement |
T1124 | System Time Discovery | Discovery |
T1007 | System Service Discovery | Discovery |
T1033 | System Owner/User Discovery | Discovery |
T1016.001 | Internet Connection Discovery | Discovery |
T1614 | System Location Discovery | Discovery |
T1518 | Software Discovery | Discovery |
T1012 | Query Registry | Discovery |
T1069 | Permission Groups Discovery | Discovery |
T1120 | Peripheral Device Discovery | Discovery |
T1046 | Network Service Discovery | Discovery |
T1654 | Log Enumeration | Discovery |
T1217 | Browser Information Discovery | Discovery |
T1087.001 | Local Account | Discovery |
T1552.004 | Private Keys | Credential Access |
T1552 | Unsecured Credentials | Credential Access |
T1003.003 | NTDS | Credential Access |
T1003.001 | LSASS Memory | Credential Access |
T1555.003 | Credentials from Web Browsers | Credential Access |
T1110.002 | Password Cracking | Credential Access |
T1218 | System Binary Proxy Execution | Defense Evasion |
T1027.002 | Software Packing | Defense Evasion |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1070.009 | Clear Persistence | Defense Evasion |
T1006 | Direct Volume Access | Defense Evasion |
T1059.004 | Unix Shell | Execution |
T1133 | External Remote Services | Initial Access, Persistence |
T1190 | Exploit Public-Facing Application | Initial Access |
T1588.005 | Exploits | Resource Development |
T1587.004 | Exploits | Resource Development |
T1584.004 | Server | Resource Development |
T1584.005 | Botnet | Resource Development |
T1583.003 | Virtual Private Server | Resource Development |
T1594 | Search Victim-Owned Websites | Reconnaissance |
T1593 | Search Open Websites/Domains | Reconnaissance |
T1591 | Gather Victim Org Information | Reconnaissance |
T1590 | Gather Victim Network Information | Reconnaissance |
T1589.002 | Email Addresses | Reconnaissance |
T1589 | Gather Victim Identity Information | Reconnaissance |