The energy sector is the bedrock of modern life. This sprawling assortment of industries keeps the lights on in your home and gasoline in your car. It is so reliable that most of us spend very little mental energy thinking about it.
That said, the energy sector faces a broad array of threats and is particularly exposed to cyberattacks. Its attack surface is unusually large: many facilities spread over a wide geography, remotely operated systems, and third-party vendors across an extended supply chain, each of which gives threat actors a potential entry point.
A variety of motivations lead to the targeting of the industry. Geopolitical conflicts and political agendas give state actors several reasons to zero in on it, including causing disruption and financial loss, stealing intellectual property, and conducting cyber espionage in general.
The first known successful cyberattack on a power grid took place in December 2015, when several energy distribution companies in Ukraine were targeted, leading to widespread power outages. Multiple authorities attributed that attack to state-sponsored actors working on behalf of Russia, and the incident pushed discussions about vulnerabilities in critical systems further to the forefront.
While such actors have been behind many of the more sophisticated attacks, state actors and APT groups do not advertise themselves or their tactics on the underground. On the deep and dark web, discussion of the energy sector generally consists of actors selling entry points into networks for follow-on attacks such as ransomware operations, trading leaked data, and discussing vulnerabilities in SCADA/ICS systems.
On the underground, there are intrusion specialists (commonly called initial access brokers) who act as intermediaries: they gain access to networks and sell that access to other threat actors. They turn a profit by opening the door to further attacks on an organization, such as ransomware.
There are numerous examples of this, such as a threat actor selling RDP access to a German energy company.
Figure 1: A threat actor selling RDP access to a German energy company
When a threat actor already has the tools required for an attack but lacks the initial entry point, the deep and dark web offer a place to find that middleman.
Figure 2: A threat actor soliciting for access to any Canadian oil company