A new study from the Karlsruhe Institute of Technology shows how geopolitical tensions shape cyberattacks on power grids, fuel systems, and other critical infrastructure.
How the research was done
Researchers reviewed major cyber threat databases including MITRE ATT&CK Groups, CSIS, ThaiCERT, Malpedia, EuRepoC, and the AI Incident Database. Each source reports information differently. Some use structured formats like JSON or tables that are easy to analyze. Others rely on long descriptive text that is harder to process. In some cases, geography is missing entirely.
To address this, the authors built a pipeline using the Gemini 1.5-flash-latest model. The AI was tasked with turning free text into structured fields that identify the origin country, the target country, and whether the incident was energy related.
Flow of the generative-AI parsing pipeline, from raw description to structured JSON
They tested the pipeline against a baseline rule-based system. The AI parser reached 84 percent accuracy, compared with 81 percent for the rule-based version. More importantly, it improved recall for energy-related cases from 66 to 77 percent, while keeping precision high.
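As an added illustration, not code from the study, the following sketch shows what such a rule-based baseline parser looks like and how the metrics the study reports (record accuracy, plus precision and recall on the energy flag) are computed. The sample descriptions, gazetteer, cue words and energy keywords are constructed assumptions, and the last sample is deliberately phrased so the keyword rule misses it, mirroring the recall gap the study describes.

```python
import re

# Constructed incident descriptions with hand-written labels (not from any dataset the study used).
SAMPLES = [
    ("Russia-linked actor deployed a wiper against a Ukrainian power grid operator",
     {"origin": "Russia", "target": "Ukraine", "energy": True}),
    ("China-based group conducted espionage against Taiwanese semiconductor firms",
     {"origin": "China", "target": "Taiwan", "energy": False}),
    ("Iran-linked crew disrupted PLCs at a water and fuel distribution site in Israel",
     {"origin": "Iran", "target": "Israel", "energy": True}),
    ("Unknown actor ransomed a United States hospital network",
     {"origin": None, "target": "United States", "energy": False}),
    ("Actor attributed to Russia probed SCADA systems at a Polish electricity distributor",
     {"origin": "Russia", "target": "Poland", "energy": True}),
]

# Tiny demonym gazetteer (assumption); a real baseline would use a full one.
GAZETTEER = {
    "russia": "Russia", "russian": "Russia", "china": "China", "chinese": "China", "iran": "Iran",
    "iranian": "Iran", "ukraine": "Ukraine", "ukrainian": "Ukraine", "taiwan": "Taiwan", "taiwanese": "Taiwan",
    "israel": "Israel", "israeli": "Israel", "united states": "United States", "poland": "Poland", "polish": "Poland",
}
COUNTRY_RE = "|".join(re.escape(k) for k in sorted(GAZETTEER, key=len, reverse=True))
ORIGIN_CUES = (r"\b(?P<c>{c})[- ](?:linked|based)\b", r"\battributed to (?P<c>{c})\b")
TARGET_CUES = (r"\b(?:against|targeting|at|in)\s+(?:an?\s+|the\s+)?(?P<c>{c})\b",)
ENERGY_RE = re.compile(r"\b(?:power grid|substation|pipeline|fuel|oil|gas|energy|nuclear)\b", re.I)

def find_country(cues, text):
    # Return the canonical country for the first cue pattern that matches, else None.
    for cue in cues:
        m = re.search(cue.format(c=COUNTRY_RE), text, re.IGNORECASE)
        if m:
            return GAZETTEER[m.group("c").lower()]
    return None

def parse_rule_based(text):
    """Rule-based baseline: cue words plus gazetteer lookup, keyword energy flag."""
    return {"origin": find_country(ORIGIN_CUES, text),
            "target": find_country(TARGET_CUES, text),
            "energy": bool(ENERGY_RE.search(text))}

def evaluate(parser, samples):
    """Record accuracy (all three fields right) plus precision/recall of the energy flag."""
    preds = [(parser(text), truth) for text, truth in samples]
    tp = sum(p["energy"] and g["energy"] for p, g in preds)
    fp = sum(p["energy"] and not g["energy"] for p, g in preds)
    fn = sum(g["energy"] and not p["energy"] for p, g in preds)
    return {"accuracy": sum(p == g for p, g in preds) / len(preds),
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}
```

On these samples the baseline scores 0.6 accuracy, 1.0 precision and 0.67 recall: it never mislabels a non-energy incident, but "electricity" is not in its keyword list, which is exactly the kind of miss a language-model parser can recover.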
Patterns in threat activity
The study confirms that geopolitics shapes targets, motives, and attack patterns. Comparing threat actor origins and targets revealed differences between general cyber activity and energy-specific campaigns.
Specialized targeting: General threats originate widely and hit many sectors. Energy incidents cluster more tightly, suggesting certain actors develop skills and access specific to energy infrastructure.
Regional concentration: Russia and China dominate origins across datasets, while the U.S. is a frequent general target. For energy incidents, Malpedia data highlights the Middle East as a top target.
Conflict correlation: Conflict aligns with attack spikes. The Russia-Ukraine timeline accelerates after 2022. Israel-Palestine shows periodic surges during clashes. China-Taiwan shows steadier, long-term activity.
Alliance clustering: When origins are grouped by alliances, non-energy threats are often linked to BRICS members. Energy incidents show higher shares tied to NATO members or countries outside both NATO and BRICS, depending on the dataset.
What detection data shows
The study also looked at how well different types of security tools detect indicators of compromise tied to energy-related malware. The sample came from Malpedia and was tested through VirusTotal.
The results show a gap. Static machine learning engines detected about 47 percent of malicious indicators. Traditional or hybrid antivirus engines performed better, with detection rates closer to 88 percent.
While ML systems are advancing, traditional approaches still hold an edge when malware is crafted for industrial and energy environments. Tuning and the quality of telemetry play a significant role.
How attackers use AI
Attackers are experimenting with generative AI, and several groups have already integrated these tools into their workflows.
- SweetSpecter, suspected to be China-based, uses AI services for reconnaissance, vulnerability research, and scripting.
- CyberAv3ngers, suspected to be linked to Iran, uses GPT models to study programmable logic controllers and has conducted disruptive operations against industrial control systems, including those tied to energy.
- STORM-0817, also linked to Iran, uses AI for malware debugging, code assistance, and reconnaissance support.
Despite these cases, explicit reporting of AI-related attacks on the energy sector remains limited in public databases. This may reflect underreporting rather than low usage.
Database gaps still limit analysis
One of the consistent challenges highlighted by the study is the inconsistency across threat databases. Some resources are highly structured and allow for automation. Others are descriptive and require manual parsing or AI support. Some, like the AI Incident Database, often omit geographic origins and targets entirely.
This lack of standardization makes it difficult to compare data across sources or to build a comprehensive geopolitical picture. The authors argue that structured reporting should become the norm, since it enables more consistent analysis and cross-database comparisons.