Sector Assessment

Critical Infrastructure and Energy: Threat Intelligence Report

March 4, 2026
Executive Summary

The energy and critical infrastructure sector faces a threat landscape defined by the convergence of nation-state pre-positioning, financially motivated ransomware operations, and the accelerating digitization of operational technology (OT) environments. In 2024, CISA issued 27 ICS advisories with CVSS scores of 9.0 or above, while nation-state actors — particularly Russia's Sandworm (APT44), China's Volt Typhoon, and Iran's CyberAv3ngers — demonstrated sustained interest in establishing persistent access to energy infrastructure across North America and Europe. The Colonial Pipeline incident (2021) demonstrated that ransomware against IT systems alone can force operational shutdowns with national economic consequences. European energy operators now face compounding pressure from NIS2 designation as essential entities, requiring comprehensive cybersecurity risk management, incident reporting within 24 hours, and supply chain security assessments. This report provides threat intelligence analysis for energy sector security leaders managing the intersection of physical safety, operational continuity, and escalating cyber threats from adversaries with both strategic and financial motivations.

The Energy Sector Threat Landscape

Sector Significance and Attack Surface

Energy infrastructure underpins every aspect of modern society — from residential electricity supply to industrial manufacturing, transportation, telecommunications, and national defense. This foundational role makes the energy sector a uniquely attractive target for adversaries seeking strategic leverage (nation-states), financial gain (ransomware groups), or political impact (hacktivists). The sector's attack surface has expanded dramatically through the convergence of previously isolated OT networks with enterprise IT systems, the deployment of Industrial Internet of Things (IIoT) sensors for predictive maintenance and grid optimization, the transition to distributed energy resources (solar, wind, battery storage) with remote management interfaces, and the increasing reliance on cloud-based SCADA and energy management systems.

According to the European Union Agency for Cybersecurity (ENISA), the energy sector reported 200+ significant cyber incidents in 2024, a 42% increase from the previous year. The average cost of a cyber incident in the energy sector reached $4.72 million, with operational disruption — rather than data loss — representing the primary impact category.

⚠ Critical Assessment

Nation-state actors — particularly Chinese APT group Volt Typhoon — have been identified pre-positioning within U.S. and European critical infrastructure networks with access that could be activated during a geopolitical crisis. CISA, NSA, and FBI have assessed that this activity is focused on disruption rather than espionage, representing a fundamental shift in the threat calculus for energy infrastructure operators.

Nation-State Targeting of Energy Infrastructure

Russia: Sandworm and the Precedent of Destructive Attacks

Russia's GRU-affiliated Sandworm group (also tracked as APT44, Voodoo Bear, and IRIDIUM) remains the most capable and demonstrated threat to energy infrastructure globally. Sandworm has a documented history of successfully disrupting energy systems:

  • Ukraine Power Grid Attack (December 2015): BlackEnergy malware and KillDisk used to disrupt three Ukrainian power distribution companies, cutting electricity to approximately 230,000 customers — the first confirmed cyberattack to take down a power grid
  • Industroyer/CrashOverride (December 2016): Purpose-built ICS malware targeting the Ukrenergo transmission substation in Kyiv, capable of directly manipulating circuit breakers through IEC 61850, IEC 104, and OPC DA protocols
  • Industroyer2 (April 2022): Updated variant deployed against Ukrainian energy infrastructure during the Russia-Ukraine conflict, intercepted by CERT-UA and ESET before causing widespread disruption
  • Ongoing operations (2023-2025): Sandworm has expanded targeting to European NATO member energy infrastructure, with documented reconnaissance and initial access activity against grid operators in Poland, the Czech Republic, and the Baltic states

China: Volt Typhoon and Pre-Positioning

The Chinese state-sponsored group Volt Typhoon (also tracked as Bronze Silhouette) has been identified by the Five Eyes intelligence alliance as conducting sustained pre-positioning operations within critical infrastructure networks since at least 2021. Unlike traditional Chinese espionage operations focused on data theft, Volt Typhoon's activity is assessed as preparation for potential disruption during a Taiwan Strait contingency or other geopolitical crisis. The group employs living-off-the-land techniques (LOLBins) to minimize detection signatures, maintains persistence through compromised SOHO networking equipment (routers, VPN appliances), and targets energy, water, transportation, and communications infrastructure across the United States and allied nations. CISA's February 2024 advisory confirmed Volt Typhoon access to energy sector networks maintained for five or more years.

Iran: CyberAv3ngers and Opportunistic Targeting

The IRGC-affiliated CyberAv3ngers group gained attention in November 2023 when they compromised Unitronics Vision series PLCs at the Municipal Water Authority of Aliquippa, Pennsylvania. While the operational impact was limited (a single booster station switched to manual operation), the incident demonstrated that even unsophisticated actors can access ICS environments through internet-exposed devices with default credentials. CyberAv3ngers subsequently targeted Unitronics controllers globally, including water treatment facilities in Ireland and energy infrastructure in Israel.

Threat Actor       | Attribution              | Primary Targets          | Capability Level              | Assessed Intent
Sandworm (APT44)   | Russia / GRU Unit 74455  | Power grid, oil/gas      | Advanced (custom ICS malware) | Disruption / destruction
Volt Typhoon       | China / PLA              | Energy, water, telecom   | Advanced (LOTL techniques)    | Pre-positioning for disruption
APT33 (Elfin)      | Iran / IRGC              | Oil/gas, petrochemical   | Moderate-high                 | Espionage / disruption
CyberAv3ngers      | Iran / IRGC              | Water, energy (ICS)      | Low-moderate                  | Disruption / signaling
Lazarus Group      | North Korea / RGB        | Nuclear energy, defense  | Moderate-high                 | Espionage / financial

ICS/SCADA Threat Analysis

ICS-Specific Malware Evolution

The development of malware specifically designed to interact with industrial control systems represents the apex of cyber threats to energy infrastructure. Unlike commodity ransomware that targets IT systems, ICS malware must understand industrial protocols and process control logic to achieve physical effects. The evolution from Stuxnet (2010) through BlackEnergy (2015), Industroyer (2016), TRITON/TRISIS (2017), and Industroyer2 (2022) demonstrates an escalating sophistication and a widening pool of actors capable of developing ICS-targeted tools.

"The gap between IT-focused ransomware disrupting energy operations and ICS-specific malware directly manipulating physical processes is narrowing. Organizations must prepare for adversaries who can do both."

— Dark Angel Research, Critical Infrastructure Assessment

PIPEDREAM/INCONTROLLER, disclosed by Dragos and CISA in April 2022, represented a particularly concerning development — a modular ICS attack framework capable of targeting Schneider Electric and Omron PLCs across multiple industrial environments. Unlike previous ICS malware developed for specific targets, PIPEDREAM was designed as a reusable toolkit, suggesting a shift toward industrializing ICS attack capabilities.

Protocol Vulnerabilities

Many industrial protocols used in energy infrastructure were designed decades ago without authentication or encryption. Modbus, DNP3, IEC 61850, and OPC Classic remain widely deployed in energy environments and are vulnerable to reconnaissance, spoofing, and manipulation by adversaries with network access. While IEC 62351 provides security extensions for some protocols, adoption remains limited due to the cost of upgrading legacy devices and the risk of introducing latency into time-critical control loops.
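To make the absence of authentication concrete, the following is an added example (not code from the report, nor from any vendor or product it names) of a passive Modbus/TCP inspector of the kind a protocol-aware OT monitor runs: it decodes the MBAP header, recognises the function codes that change process state, and raises an alert when a write request arrives from any host other than the authorised SCADA master. Because the protocol carries no credential or signature, source address and function code are the only things a monitor has to go on, which is exactly why the allowlist is needed. The IP addresses, the sample frames and the allowlist are constructed for the example.

```python
"""Passive Modbus/TCP monitor: decode MBAP + PDU and flag write requests from
hosts that are not the authorised master.  Added example, not from the report;
IP addresses, frames and the allowlist are constructed."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change process state.  The protocol has no
# authentication, so any host that can reach TCP/502 may send them.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header (transaction id, protocol id, length,
    unit id) and the function code that follows.  Raises ValueError on frames
    that violate the spec: protocol id must be 0 and the length field counts
    the unit id plus the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} != {len(payload) - 6}")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def describe_write(req: ModbusRequest) -> str:
    """Human-readable target of a write request, for the alert text."""
    if req.function in (5, 6) and len(req.data) >= 4:
        addr, value = struct.unpack(">HH", req.data[:4])
        return f"address {addr} value 0x{value:04x}"
    if req.function in (15, 16) and len(req.data) >= 4:
        start, qty = struct.unpack(">HH", req.data[:4])
        return f"addresses {start}..{start + qty - 1}"
    return "unparsed data"


def inspect_flow(src_ip: str, dst_ip: str, payload: bytes,
                 authorised_masters: set) -> Optional[str]:
    """Return an alert string for a suspicious request, or None if benign."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"MALFORMED {src_ip}->{dst_ip}: {exc}"
    if req.function in WRITE_FUNCTIONS and src_ip not in authorised_masters:
        return (f"UNAUTHORISED WRITE {src_ip}->{dst_ip} unit {req.unit_id}: "
                f"{WRITE_FUNCTIONS[req.function]} {describe_write(req)}")
    if req.function not in WRITE_FUNCTIONS and req.function not in READ_FUNCTIONS:
        return f"UNUSUAL FUNCTION {src_ip}->{dst_ip}: code {req.function}"
    return None


# Constructed traffic: the SCADA master reading ten holding registers, an
# unlisted host writing holding register 16, and a truncated frame.
AUTHORISED = {"10.20.0.10"}
SAMPLE_FLOWS = [
    ("10.20.0.10", "10.20.1.50", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    ("10.20.5.77", "10.20.1.50", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\xff\x00"),
    ("10.20.5.77", "10.20.1.50", b"\x00\x03\x00\x00\x00\x06\x01"),
]


def run_monitor(flows=SAMPLE_FLOWS, authorised=AUTHORISED) -> list:
    """Run every flow through the inspector and collect the alerts."""
    return [a for a in (inspect_flow(s, d, p, authorised) for s, d, p in flows) if a]


if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

In a real deployment the frames come from a SPAN port or network tap rather than an inline list, and the allowlist is derived from the engineering documentation of which masters may write to which unit ids; the detection logic itself does not change.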

Ransomware in Critical Infrastructure

The Colonial Pipeline Paradigm

The May 2021 DarkSide ransomware attack against Colonial Pipeline, which operates the largest refined products pipeline in the United States (2.5 million barrels per day, 45% of East Coast fuel supply), established a paradigm that continues to define the ransomware risk to energy infrastructure. Although the ransomware only affected Colonial Pipeline's IT billing systems — not the OT systems controlling pipeline operations — the company preemptively shut down the pipeline for six days because it could not confirm that OT systems were unaffected and could not bill customers without its IT systems. This demonstrated that ransomware need not directly compromise OT to cause operational disruption; the interdependency between IT and OT systems means IT-focused attacks can cascade into operational shutdowns.

⚠ Key Finding

In 73% of ransomware incidents affecting energy companies analyzed by Dark Angel in 2024, organizations voluntarily shut down OT systems as a precautionary measure after IT compromise — even when no evidence of OT intrusion was found. The average precautionary OT shutdown lasted 4.7 days.

Ransomware Groups Targeting Energy

Multiple ransomware groups have demonstrated willingness to target energy infrastructure. LockBit affiliates compromised multiple energy companies in 2023-2024, including renewable energy providers and grid service operators. Black Basta targeted European energy utilities with social engineering campaigns. ALPHV/BlackCat impacted energy sector supply chain vendors. Play and Akira have targeted mid-tier energy service companies. The financial motivation remains paramount — energy companies often have high revenue, complex operations intolerant of downtime, and cybersecurity investments that lag behind their operational scale.

OT Network Exposure

Internet-Exposed Industrial Systems

Despite decades of guidance advocating air-gapped OT networks, Dark Angel's continuous monitoring through Shodan, Censys, and proprietary scanning identifies persistent internet exposure of industrial control systems globally. As of Q1 2025, our analysis identified over 48,000 internet-facing ICS devices associated with energy infrastructure worldwide, including Modbus-speaking devices (primarily PLCs and RTUs), EtherNet/IP-enabled controllers, DNP3 outstations, and web-based HMI interfaces with default credentials.

European energy infrastructure exposure remains significant, with Germany, France, Italy, Spain, and the Netherlands accounting for the highest volume of internet-facing ICS endpoints in the EU. Contributing factors include the digitization of distributed energy resources (solar inverters, wind turbine controllers, battery management systems), remote access solutions deployed during COVID-19 that were never decommissioned, and managed service providers (MSPs) with remote access to client OT environments through inadequately secured VPN connections.

NIS2 and Regulatory Requirements

Essential Entity Designation

Under NIS2, energy entities are classified as essential entities in Annex I, encompassing electricity (generation, distribution, transmission, supply), oil (production, refining, storage, transmission), gas (supply, distribution, transmission, storage, LNG), hydrogen, and district heating and cooling. Essential entities face the most stringent requirements under NIS2, including:

  • proactive supervisory measures (audits, inspections)
  • incident reporting starting with an early warning within 24 hours
  • cybersecurity risk management measures covering supply chain security, vulnerability management, and encryption
  • a management body obligation to approve cybersecurity risk-management measures, with personal liability for non-compliance
  • fines of up to €10 million or 2% of annual worldwide turnover

Implications for Energy Sector Security Programs

NIS2 requires a fundamental shift in how many energy organizations approach cybersecurity — from perimeter-focused compliance to continuous risk management informed by threat intelligence. Organizations must demonstrate that their security measures are proportionate to the actual threat landscape they face, which requires ongoing consumption and operationalization of sector-specific threat intelligence. The requirement for supply chain security assessment is particularly impactful for energy companies with complex vendor ecosystems spanning IT, OT, and telecommunications providers.

Defensive Recommendations

  1. Implement IT/OT network segmentation with monitoring — Deploy industrial demilitarized zones (iDMZ) between IT and OT networks. All traffic crossing the IT/OT boundary should traverse monitored pathways with protocol-aware inspection. Implement one-way data diodes for the most critical control zones.
  2. Deploy OT-specific threat detection — Implement passive network monitoring solutions capable of understanding industrial protocols (Modbus, DNP3, IEC 61850, OPC) and detecting anomalous behavior patterns. Traditional IT security tools lack the protocol awareness to identify ICS-specific attack indicators.
  3. Eliminate internet exposure of ICS/SCADA systems — Conduct regular external attack surface assessments to identify and remediate internet-exposed industrial systems. Replace direct remote access with secure, monitored jump servers with multi-factor authentication.
  4. Develop OT-specific incident response capabilities — Create incident response plans that address the unique challenges of OT environments: safety implications, process dependencies, limited maintenance windows, and the need to maintain physical processes during investigation and recovery.
  5. Integrate threat intelligence into OT security operations — Subscribe to ICS-specific threat intelligence feeds (including ICS-CERT advisories, Dragos WorldView, and Dark Angel's critical infrastructure intelligence) and integrate indicators of compromise into OT network monitoring.
  6. Conduct threat-led penetration testing — Perform annual TIBER-EU style threat-led penetration testing that simulates realistic attack scenarios based on the current threat landscape, including both IT-to-OT lateral movement and direct ICS protocol manipulation scenarios.
  7. Prepare for NIS2 compliance — Conduct a NIS2 gap assessment, implement required risk management measures, establish incident reporting capabilities, and assess supply chain security. Engage the management body on its personal obligations under the directive.
  8. Address Volt Typhoon-style pre-positioning — Implement enhanced monitoring for living-off-the-land techniques in both IT and OT environments. Audit SOHO networking equipment, VPN appliances, and other edge devices for signs of compromise. Deploy behavioral detection that identifies anomalous use of legitimate tools.
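Recommendation 8 asks for behavioural detection of legitimate tools being used in unusual ways. The following added example (not code from the report or from any product it names) shows one workable shape for that: process-creation records from IT and OT hosts are checked against a short set of high-confidence command-line rules and, separately, against a per-role baseline of which built-in tools each kind of host normally runs, so that a rule hit plus a baseline deviation on the same host escalates. The event format, host names, roles and baseline are constructed for the example; the rule patterns are assumptions modelled on publicly documented living-off-the-land tradecraft and must be tuned to the environment they are deployed in.

```python
"""Flag anomalous use of built-in Windows tools (living-off-the-land) in
process-creation telemetry from IT and OT hosts.  Added example, not from the
report.  Event lines, host roles and the baseline are constructed; the rule
patterns are assumptions modelled on public reporting and need local tuning."""
from __future__ import annotations

import re
from collections import defaultdict

# Built-in tools whose use is compared against the per-role baseline.
WATCHED_TOOLS = {"netsh.exe", "ntdsutil.exe", "wmic.exe", "vssadmin.exe", "powershell.exe"}

# High-confidence patterns: (rule name, regex over the lower-cased command line).
LOTL_RULES = [
    ("netsh_portproxy", re.compile(r"netsh\s+interface\s+portproxy\s+add")),
    ("ntdsutil_ifm_dump", re.compile(r"ntdsutil\b.*\bifm\b")),
    ("wmic_remote_process", re.compile(r"wmic\s+/node:\S+\s+process\s+call\s+create")),
    ("vssadmin_shadow_delete", re.compile(r"vssadmin\s+delete\s+shadows")),
]

# (host role, tool) pairs that are normal.  In production this baseline is
# learned from weeks of telemetry; here it is hand-written (assumption).
BASELINE = {
    ("engineering-workstation", "powershell.exe"),
    ("domain-controller", "ntdsutil.exe"),
    ("it-helpdesk", "wmic.exe"),
}

# Constructed record layout; a real deployment parses Sysmon/4688 events instead.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) role=(?P<role>\S+) user=(?P<user>\S+) "
    r'image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$')


def parse_event(line: str) -> dict:
    """Parse one process-creation record into its fields."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def evaluate(event: dict) -> list:
    """Return finding tags for one event; an empty list means nothing notable."""
    findings = []
    cmd = event["cmd"].lower()
    tool = event["image"].lower().rsplit("\\", 1)[-1]
    for name, pattern in LOTL_RULES:
        if pattern.search(cmd):
            findings.append(f"rule:{name}")
    if tool in WATCHED_TOOLS and (event["role"], tool) not in BASELINE:
        findings.append(f"baseline:{tool} unusual for role {event['role']}")
    return findings


def analyze(lines: list) -> dict:
    """Map host -> findings, keeping only hosts with at least one finding."""
    per_host = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        per_host[event["host"]].extend(evaluate(event))
    return {host: f for host, f in per_host.items() if f}


def escalated_hosts(lines: list) -> list:
    """Hosts with two or more findings (e.g. a rule hit plus a baseline deviation)."""
    return sorted(host for host, f in analyze(lines).items() if len(f) >= 2)


# Constructed telemetry: routine scripting on an engineering workstation, a port
# proxy added on an HMI server, an AD media dump on a domain controller, and a
# remote process launched from a historian.
SAMPLE_EVENTS = [
    r'2026-02-10T01:02:03Z host=ENG-WS07 role=engineering-workstation user=CORP\ops.kpatel '
    r'image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -File C:\ops\historian-export.ps1"',
    r'2026-02-10T02:14:07Z host=HMI-02 role=hmi-server user=CORP\svc_hmi '
    r'image=C:\Windows\System32\netsh.exe cmd="netsh interface portproxy add v4tov4 listenport=9443 connectaddress=10.20.3.8 connectport=443"',
    r'2026-02-10T02:20:41Z host=DC01 role=domain-controller user=CORP\adm.jsmith '
    r'image=C:\Windows\System32\ntdsutil.exe cmd="ntdsutil ac i ntds ifm create full C:\temp\ifm q q"',
    r'2026-02-10T02:31:59Z host=HIST-01 role=historian user=CORP\svc_hist '
    r'image=C:\Windows\System32\wbem\wmic.exe cmd="wmic /node:10.20.1.60 process call create cmd.exe"',
]

if __name__ == "__main__":
    for host, findings in analyze(SAMPLE_EVENTS).items():
        print(host, findings)
    print("escalate:", escalated_hosts(SAMPLE_EVENTS))
```

The split between rules and baseline is deliberate: rules catch the handful of command shapes that are almost never legitimate, while the baseline catches a tool that is legitimate somewhere (ntdsutil on a domain controller) appearing where it has no business (the same tool on an HMI server), which is the pattern the pre-positioning activity described above relies on.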

Methodology

This report synthesizes intelligence from Dark Angel's continuous monitoring of threats to critical infrastructure and energy environments. Sources include ICS-CERT and CISA advisories, ENISA incident reports, industrial control system vulnerability disclosures, energy sector ISAC intelligence sharing, dark web monitoring for energy sector targeting discussions, and analysis of 120+ energy sector security incidents from January 2023 through May 2025. Internet-facing ICS exposure data is derived from Shodan, Censys, and Dark Angel's proprietary scanning infrastructure. Confidence assessments follow the Admiralty Code framework.

Protect Your Critical Infrastructure

Dark Angel provides specialized threat intelligence for energy and critical infrastructure organizations, including OT network exposure monitoring, ICS vulnerability tracking, and nation-state threat assessment.
