A recent ReliaQuest report revealed a significant 42 percent increase in ransomware attacks on the utilities sector between Nov. 1, last year, and Oct. 31, this year. During this period, 75 companies were listed on ransomware data leak sites. This surge is likely due to attackers taking advantage of the sector’s critical need to maintain operational continuity and manage sensitive data and infrastructure. The report added that the most prevalent attack types targeting the sector include spearphishing with links and attachments, internal spearphishing, and the DNS application-layer protocol technique.
“Ransomware groups such as ‘Play’ are likely concentrating their attacks on this sector because of the need for utilities organizations to always be operational,” ReliaQuest said in its report titled ‘Threat Landscape Report Uncovering Critical Cyber Threats to Utilities.’ “Characterized by a complex blend of IT and operational technology (OT) technologies, the utilities sector is also particularly susceptible to spearphishing attacks. Our data reveals that 81% of all true-positive alerts for our utilities customers are related to spearphishing, compared to just 23% across other sectors. The sector’s OT environments face specific risks due to existing vulnerabilities, as these systems often rely on legacy infrastructure that can be challenging to update.”
Additionally, utilities organizations should invest in automated responses, defense-in-depth strategies, and employee education to best protect against these risks. ReliaQuest customers who’ve adopted automated incident response have managed to contain threats in just two minutes, compared to 21 hours with manual responses.
It added that utility companies are consistently popular targets for ransomware groups, who use the threat of disrupting critical services to pressure these organizations into paying ransom quickly to restore operations. Additionally, their management of sensitive data and infrastructure makes utilities companies high-value targets for financial gain and strategic leverage. The surge in attacks over the past year is likely connected to the continued growth of ransomware-as-a-service (RaaS) operations and the general increase in ransomware activity observed throughout 2024.
Furthermore, the potential cost of operational losses and regulatory fines can exceed ransom demands, often incentivizing companies to pay attackers for quick service restoration. Research shows a disconnect between risk and budget in OT environments, where 66 percent of respondents identify ‘people’ as the biggest risk, yet 52 percent of budgets are allocated to technology, with only 25 percent dedicated to workforce training, recruitment, and retention.
The escalating ransomware attacks on utilities companies are a worrying trend for this industry sector. To supplement its reliance on OT systems, the sector is increasingly adopting industrial Internet of Things (IIoT) technologies, which prioritize operability over cybersecurity. This leaves many critical systems with unaddressed vulnerabilities that ransomware operators could exploit if they ramp up their focus on the sector.
Additionally, smaller utilities companies often lack the budget to update or upgrade legacy systems, making them prime targets for ransomware. Researchers have suggested that a ransomware attack could lead to losses averaging 31 percent of operating income for small energy providers, compared to 13 percent for medium and 2 percent for large entities.
“In the 12 months leading up to our reporting period, the RaaS provider ‘Play’ (aka PlayCrypt) listed three utilities sector victims on its data-leak site. From November 2023 to the end of October 2024, this number increased to ten,” ReliaQuest reported. “Despite still trailing behind the first-place ‘LockBit’ group in targeting utilities, the February 2024 law enforcement operations against LockBit have narrowed the gap to just one utilities-sector victim. This increase is significant, as Play targeted only three utilities sector companies in the same period last year, marking a 233% rise in successful attacks.”
It added that identifying the exact reasons for Play’s increased targeting of utilities sector companies is challenging, but the ongoing shifts in the ransomware landscape likely play a significant role. Analysis of Play’s targeting patterns shows that while the group does not focus on specific sectors, it prefers large organizations, with known targets including medical, financial, manufacturing, real estate, and educational institutions. This preference for sizable organizations makes utilities companies attractive targets due to their typically large scale.
Furthermore, the upheaval in the ransomware environment means newer groups like Play may aim to target high-profile entities to garner maximum attention in both media and cybercriminal circles. This heightened visibility could help Play attract affiliates from declining groups like LockBit or disbanded groups like ‘ALPHV.’
ReliaQuest detailed that in early February 2024, multiple US intelligence agencies issued an advisory on the urgent cyber threat from China. They specifically warned critical national infrastructure (CNI) organizations about state-sponsored adversaries, naming Volt Typhoon as a group poised to conduct disruptive or destructive cyberattacks against US CNI. The FBI also warned that Volt Typhoon had already infiltrated the IT environments of US communications, energy, transportation, and water companies. They alleged that Volt Typhoon seeks to ‘preposition itself on IT networks to enable lateral movement to OT assets to disrupt functions.’
Volt Typhoon typically gains initial access via targeted spearphishing campaigns and exploiting vulnerabilities in old or unpatched networking appliances like routers. The group is known for its robust operational security, allowing it to remain undetected for extended periods, sometimes even over five years. By using living-off-the-land (LOTL) techniques, the group exploits a system’s native tools and processes to evade detection, customizing its attack based on thorough research of the target organization. Volt Typhoon also frequently uses RDP with compromised administrator credentials to move laterally within infiltrated networks.
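As an added illustration of the defensive side of the lateral-movement pattern described above (this is not code from the ReliaQuest report): a small Python detection that parses constructed Windows Security 4624 logon records and flags a privileged account opening RDP sessions (LogonType 10) to several distinct hosts from one source address within a short window. The field names mirror the Windows 4624 event; the sample records, the privileged-account list and the thresholds are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the report), shaped like Windows Security
# event 4624: LogonType 10 = RemoteInteractive (RDP); "Computer" is the host that
# logged the event (the RDP target), "IpAddress" is where the session came from.
SAMPLE_LOGS = """\
{"ts":"2024-09-10T02:01:00","EventID":4624,"LogonType":10,"TargetUserName":"svc_admin","Computer":"HMI-01","IpAddress":"10.0.5.20"}
{"ts":"2024-09-10T02:04:30","EventID":4624,"LogonType":10,"TargetUserName":"svc_admin","Computer":"HIST-02","IpAddress":"10.0.5.20"}
{"ts":"2024-09-10T02:05:00","EventID":4624,"LogonType":3,"TargetUserName":"svc_admin","Computer":"FILE-01","IpAddress":"10.0.5.20"}
{"ts":"2024-09-10T02:09:12","EventID":4624,"LogonType":10,"TargetUserName":"svc_admin","Computer":"ENG-WS-07","IpAddress":"10.0.5.20"}
{"ts":"2024-09-10T08:15:00","EventID":4624,"LogonType":10,"TargetUserName":"jsmith","Computer":"ENG-WS-07","IpAddress":"10.0.9.4"}
"""

PRIVILEGED = {"svc_admin", "administrator"}  # assumed: the org's admin accounts
RDP_LOGON_TYPE = 10                          # RemoteInteractive
WINDOW = timedelta(minutes=30)               # assumed look-back window
MIN_HOSTS = 3                                # assumed fan-out threshold


def parse_events(text):
    """Parse JSON-lines records into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def rdp_fan_out(events, privileged=PRIVILEGED, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return (user, source_ip, hosts) for each privileged account that opened
    RDP sessions to >= min_hosts distinct hosts from one source within window.
    Network logons (type 3) and non-privileged users are ignored."""
    by_actor = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == RDP_LOGON_TYPE
                and e["TargetUserName"] in privileged):
            by_actor[(e["TargetUserName"], e["IpAddress"])].append(e)
    alerts = []
    for (user, ip), evs in by_actor.items():
        for i, first in enumerate(evs):  # slide the window over the sorted events
            hosts = {x["Computer"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, ip, sorted(hosts)))
                break  # one alert per (account, source) is enough
    return alerts
```

Calling `rdp_fan_out(parse_events(SAMPLE_LOGS))` on the constructed records yields one alert for `svc_admin` reaching three hosts in eight minutes; the single network logon and the ordinary user's session are left alone.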
Volt Typhoon poses a significant threat to utilities companies because of its ability to deeply embed itself within networks, making it nearly impossible to remove intruders without causing downtime. Once inside, these attackers often have a deep understanding of infiltrated networks, allowing them to remain undetected and maintain a persistent presence. In this context, it’s realistically possible that even traditional downtime responses like reboots, isolations, and reimaging may be insufficient, as groups such as Volt Typhoon use sophisticated persistence methods across multiple endpoints.
The report also disclosed that around 81 percent of alerts from utilities customers involved spearphishing (whether internal, with links, or with attachments), which is significantly higher than the 23 percent observed across all sectors during the same period, highlighting a unique vulnerability within the utilities sector. This trend is likely explained by the unusual position of utilities employees, who often have access to both IT and OT environments.
“With their legacy infrastructure and critical need to avoid downtime, OT systems typically have weaker cybersecurity defenses. This means attackers can use spearphishing to more easily exploit these vulnerabilities,” ReliaQuest added. “Once they’ve compromised a less secure OT system, they can then pivot to a more fortified IT environment, effectively bypassing its stronger security measures.”
Armed with access to an organization’s IT and OT systems, adversaries can exploit vulnerabilities on multiple fronts, potentially even gaining control over critical infrastructure. This access is a significant concern for utilities companies, as it presents various risk scenarios. In the short term, attackers could disrupt essential services like electricity and water supply, causing immediate societal and economic chaos. Alternatively, threat actors might choose to remain undetected within these systems, mapping out the architecture for potential future sabotage at strategically chosen times.
In conclusion, as the ReliaQuest report examines the various threats facing the utilities sector, a common theme emerges: the convergence of IT and OT systems is expanding the attack surface, increasing organizational vulnerability to cyber threats. Adversaries are taking advantage of the interconnectedness and often weaker security measures of OT environments through tactics such as spearphishing, ransomware, and targeting open ports. Utilities companies should consider how investments in IT security can bolster their OT systems and support continuous modernization of their business.
“Hacktivist groups, nation-state actors like Volt Typhoon, and cybercriminals are all exploiting these vulnerabilities to disrupt critical infrastructure. This underscores the urgent need for utilities companies to adopt comprehensive security strategies, including automated incident response to rapidly contain threats,” the report added. “Extending robust security protocols to third parties and contractors is also vital in preventing them from becoming weak links in their security operations. In addition, organizations mustn’t overlook the importance of proper employee training to enhance vigilance against phishing attempts.”
Lastly, utilities sector organizations can harden their overall security posture by implementing a comprehensive digital risk protection (DRP) strategy and tailored defensive solutions to proactively counter ransomware and credential abuse from dark-web sales, mitigating risks before they escalate into serious threats.