
Energy and utilities sector targeted in 66% of observed APT campaigns, as Mustang Panda, Lazarus, Sandworm remain active


New research from CYFIRMA identified that energy and utilities organizations remain firmly in the sights of nation-state cyber actors. Data revealed that the sector appeared in 66.6% of all observed APT (advanced persistent threat) campaigns over the last three months, making it one of the most heavily targeted industries by state-linked groups. This comes as monthly activity remains uneven, with quieter periods punctuated by spikes in campaign activity. Despite this volatility, the energy and utilities sector has consistently appeared in approximately 35% of observed APT campaigns over the past six months, indicating sustained long-term interest from threat actors.

Data revealed that Chinese threat actor Mustang Panda, North Korea’s Lazarus Group, and Russia-linked Sandworm were among the most active adversaries, with attacks spanning 18 countries. Japan was affected in all four observed campaigns, while the U.S., the U.K., Australia, and Germany each appeared in three of the four incidents. Web applications remained the most frequently targeted technology, alongside operating systems and infrastructure-as-a-service environments.

While APT activity drove the sector’s risk rating higher, ransomware and phishing threats remained comparatively lower. CYFIRMA recorded 35 verified ransomware victims across the energy and utilities industry over the period, representing 2.8% of all ransomware victims globally. LockBit3 accounted for 34% of attacks against the sector, although researchers found no evidence that any ransomware group is specifically focused on energy and utilities organizations. 

“Observed APT campaigns are heavily concentrated around suspected China-linked, state-sponsored actors, with MISSION2074 recording the highest campaign count by a considerable margin across all sectors this period,” CYFIRMA wrote in its research. “Stone Panda, Hafnium, Lotus Blossom, Volt Typhoon, Earth Estries, and Salt Typhoon provide additional China-aligned representation, making this one of the most China-concentrated actor profiles observed.”

It added that, “North Korea-associated Lazarus Group appears across two campaigns, consistent with known DPRK interest in energy sector targets. Iran-linked Charming Kitten also features, while no Russia-linked actors are observed this period. Financially motivated actor TA505 appears in a single campaign, reinforcing that activity is primarily driven by strategic intelligence and infrastructure reconnaissance objectives.”

The research mentioned that OT/ICS attacks dominated the period, accounting for the majority of observed activity. Ransomware appeared in the first and last 30 days, indicating persistent financially motivated targeting alongside state-sponsored activity. Wiper attacks and AI-assisted attacks each appeared twice, both concentrated in the previous 30 days, with the Venezuelan Lotus wiper campaign and an AI-driven attack against Mexican energy infrastructure representing the most notable cases.

At the same time, CYFIRMA detected more than 34,000 energy-themed phishing campaigns, the overwhelming majority impersonating Russian energy giant Gazprom. Despite the volume, researchers assessed phishing risk as low due to the highly regionalized nature of the campaigns and the fragmented structure of the industry, which limits opportunities for large-scale monetization.

Based on observed trajectory across the two reporting periods, the energy and utilities sector external threat landscape is expected to remain at Elevated or higher through the next 90 days. Campaign presence increased from 32% to 37% of all observed campaigns, with MISSION2074 maintaining dominant activity and the broader China-linked actor cluster showing no indicators of reduced tempo.

Campaign activity continued to rise during the reporting period, increasing from six of 19 observed campaigns to 10 of 27 campaigns. This upward trend suggests that threat activity is expanding rather than stabilizing, making 11 to 15 energy and utilities sector campaigns over the next 90 days a reasonable baseline expectation.

MISSION2074 recorded the highest number of campaigns by a significant margin across all sectors during the reporting period. Alongside persistent activity from Stone Panda, Hafnium, and Volt Typhoon, the broader China-linked actor cluster is expected to sustain or increase its operational tempo, with no evidence indicating a slowdown.

When it comes to targeting remote desktop software, VPN solutions, and routers, CYFIRMA highlighted a continued focus on obtaining and maintaining remote access rather than conducting solely data collection operations. As a result, energy sector organizations with exposed remote access interfaces or unpatched network infrastructure face the greatest near-term risk.

The U.S. recorded the highest number of victims during the reporting period, followed by Japan, the U.K., and India. North America and the Indo-Pacific region are therefore expected to remain primary target areas, while European energy infrastructure is also likely to face elevated exposure given the meaningful victim counts observed in France, Germany, and Italy.

The presence of the North Korea-linked Lazarus Group and Iran-linked Charming Kitten alongside the dominant China-linked threat cluster demonstrates that the sector is being targeted by multiple advanced actors with differing objectives. Given the overlap in targeted technologies and attack methods, defenders should prioritize detection strategies focused on TTPs (tactics, techniques, and procedures) rather than relying primarily on actor-specific indicators of compromise.

CYFIRMA reported that over the period, its DeCYFIR and DeTCT platforms tracked 788 publicly reported cyber incidents. The industry could be identified for 586 of these incidents (74%).

“The energy & utilities industry was detected in 26 incidents, which equals 4.44% of the incidents where we knew the industry, ranking 6th out of 14 industries,” the research disclosed. “The energy and utilities sector faced sustained and diverse cyber activity across the 90 days. Iranian state-linked actor CyberAv3ngers maintained the most consistent presence, conducting repeated OT/ICS attacks against US critical infrastructure, targeting programmable logic controllers and fuel tank monitoring systems. Activity persisted across multiple periods, indicating an ongoing campaign rather than isolated incidents.”

It added that Venezuela’s energy sector was hit with destructive wiper attacks using Lotus malware, causing significant disruption. “Russia-linked actors targeted energy infrastructure in Poland and Sweden, with the Swedish case attributed to pro-Russian hacktivists attempting to breach a thermal power plant. China-linked FamousSparrow was identified as targeting an energy firm in Azerbaijan, consistent with broader state-sponsored interest in energy sector intelligence.”

“Ransomware activity was also present, with Cl0p compromising a UK water company and a separate ransomware attack hitting a North Dakota water treatment plant. Both cases highlight continued targeting of water and utilities infrastructure by financially motivated actors alongside state-sponsored threats,” the report highlighted. “The period also saw an AI-assisted attack targeting Mexican energy infrastructure, which failed to breach OT systems, and Iranian APT activity targeting UAE energy and government entities.”

Looking ahead, CYFIRMA reported that the threat level facing the energy and utilities sector over the next 90 days remains high, driven by a combination of persistent nation-state activity, expanding destructive capabilities, and continued targeting of critical infrastructure.

Iran-linked threat actors are expected to remain a significant concern. CyberAv3ngers maintained sustained operational activity throughout the reporting period, repeatedly targeting U.S. critical infrastructure, including programmable logic controllers (PLCs) and fuel tank monitoring systems. Given ongoing geopolitical tensions and the continued exposure of internet-facing industrial devices, there is little indication that this activity will decline in the near term.

The risk of destructive cyber operations is also increasing. The Lotus wiper campaign targeting Venezuelan energy infrastructure demonstrated a willingness to pursue attacks capable of causing operational disruption rather than simply collecting intelligence or stealing data. Combined with similar destructive activity previously associated with Russia-linked actors targeting European energy organizations, the threat of disruptive and potentially physically impactful attacks is becoming more geographically widespread.

Ransomware groups continue to view utilities as attractive targets. Cl0p and other unattributed ransomware operators maintained interest in water and utility infrastructure during the reporting period, while the discovery that a breach at a UK water company remained undetected for nearly two years highlights the ongoing challenge of long attacker dwell times within critical infrastructure environments.

The emergence of AI-assisted attacks against operational technology environments also warrants close attention. Although the first publicly observed AI-driven attack targeting energy OT infrastructure in Mexico was unsuccessful, it demonstrates that threat actors are actively experimenting with AI-enabled capabilities. As these techniques mature, future attacks are likely to become more sophisticated, adaptive, and effective, increasing pressure on defenders to identify and mitigate emerging threats before they can impact operations.
