
Global cyber attacks through the lens of geopolitics

COVID-19, in addition to catalyzing further digitalization — government e-services, remote work, digital currency and e-learning — has accelerated the extent to which we experience life online. People are now connected at an unprecedented scale and speed by digital technology, but this has allowed malicious online actors to behave more aggressively.

The same digital technology that allows people to connect enables global cyber threat actors to share innovations, skills and tools. This leads to growing concern from governments and businesses as cyber attacks become more frequent and more complex.

At S&P Global, we recognize that cyber risks are part of the broader geopolitical risk outlook. This means that, much like terrorism, interstate war and other security risks, we must track cyber risks to understand the broader geopolitical risk environment.

Cyber attacks should be understood as a tool, i.e., a means by which malicious online actors can effect change designed to achieve their desired political or financial ends. As a tool, cyber attacks offer a great deal of anonymity and deniability for the actors involved.

If geopolitics and cyber attacks are inextricable, then the political and social factors that determine when cyber attacks are employed must be carefully considered. Hybrid warfare is becoming normalized, and global cyber threats to governments and companies are increasing.

Recent cyber attacks on critical infrastructure

Critical national infrastructure (CNI), such as the shipping industry and nuclear power plants, has been an especially attractive target for cyber threat actors in recent years. Cyber attacks on critical infrastructure are an effective way to maximize disruption and damage. A substantial and coordinated effort is required to protect these systems, both public and private, as they are essential to maintain state services and to ensure the business environment within a country operates smoothly.

Some states have invested significant resources to detect and repel cyber attacks on critical infrastructure, but no country can fend off all cyber threats, and no technology is "unhackable."

Australia’s second-largest telecom company, Optus, said Sept. 22, 2022, that the personal data, including license or passport numbers, of nearly 10 million customers was leaked by hackers. Australian Cyber Security Minister Clare O’Neil said the data breach was caused by vulnerabilities at Optus as the hack “was not particularly technologically challenging.” A ransom demand was reportedly made for US$1 million in cryptocurrency in exchange for the data, but Optus did not comment on whether the ransom demand was authentic.

According to experts, hackers have also maintained a constant campaign of cyber attacks against Ukrainian, NATO, EU and other Western entities, principally targeting government and defense-related organizations. Cyber security analysts have suggested that hackers affiliated with Russian military intelligence are becoming more aggressive and more direct in their attacks.

The European Parliament website was inaccessible due to a cyber attack for several hours in late 2022, soon after legislators passed a resolution denouncing Russia as a "state sponsor of terrorism"; a pro-Kremlin group subsequently claimed responsibility for the cyber attack. Separately, the Microsoft Security Threat Intelligence Center has attributed cyber attacks against Ukrainian and Polish transport and security organizations to hackers backed by the GRU, Russia's military intelligence directorate.

Moldova’s Information Technology and Cyber Security Service (SIS) said in January 2023 that a coordinated phishing attack on government bodies and institutions was attempted. Hackers reportedly targeted more than 1,300 email accounts associated with government services.

This highlights an ongoing battle against cyber risks for Moldova, which recorded a sharp increase in the number of attempted cyber attacks in 2022, possibly due to its support of Ukraine amid the Russia–Ukraine war. On Oct. 24, 2023, SIS announced that it had blocked access to 22 websites owned or controlled by the Russian government on national security grounds. Russia’s foreign ministry described Moldova’s move as a “hostile step.”

With bilateral relations between Moldova and Russia continuing to deteriorate, the latest development will likely increase the likelihood of retaliatory cyber attacks, most probably by Russian-based or Russian-linked hackers, against government and private sector IT networks in Moldova, including media outlets, government websites and critical national infrastructure (CNI) such as power, water and gas distribution networks.

Meanwhile, Italy’s Cyber Security Agency said on Aug. 1, 2023, that websites of at least five Italian banks had been hit by distributed denial-of-service (DDoS) cyber attacks, reportedly originating from Russia, causing widespread disruption to online banking services.

The risk of Russian cyber attacks against Western states providing political, military, financial and humanitarian support to Ukraine has remained elevated, and any announcement by Western governments of new sanctions or new support programs for Ukraine in the near future might trigger similar cyber attacks on critical infrastructure. The most likely targets will be government websites, those of public and privately owned media outlets, defense-sector firms, financial institutions and other critical national infrastructure.

Another more recent cyber attack happened in Sri Lanka; the government of Sri Lanka confirmed on Sept. 11, 2023, that a ransomware cyber attack by an unknown threat actor had exfiltrated months of data from the Lanka Government Cloud system. The cyber attack impacted nearly 5,000 email addresses of government employees, including the accounts of the Council of Ministers and other top government authorities. There were no backups between May 17 and Aug. 26, resulting in permanent loss of data from that period.

Sri Lanka’s national computer emergency readiness team (SLCERT) has opened an investigation into the attacks, although it is likely that the threat actors exploited a vulnerability in a previous version of Microsoft Exchange that had not been updated.

Cyber attacks on the energy sector

According to the latest update of S&P Global Commodity Insights’ Energy Security Sentinel, cyber attacks on energy and commodities infrastructure escalated sharply in 2022, reaching a new annual record high with a total of 15 recorded incidents.

Only two cyber attacks targeted the energy market in the second quarter of 2022. This increased to five incidents in the third quarter of the same year. These incidents were focused on the power, gas and nuclear sectors rather than oil.

Lithuania's state-owned energy group Ignitis, Ukraine's state nuclear power company Energoatom and Greece's largest natural gas supplier DESFA were among the companies hit by cyber security incidents over this period.

For 2023, there had been a total of six recorded incidents of cyber attacks on energy and commodities infrastructure as of June 2023. Energy infrastructure in several European countries is on high alert due to a rise in cyber threats as the West tightens sanctions on Russia over its invasion of Ukraine, which has forced these countries to reevaluate their energy security priorities. Denmark's Danish Broadcasting Corporation released a report on April 19, 2023, saying that a Russian military program is currently plotting offshore wind farms, gas pipelines and power and internet cables in the waters around Denmark, Norway, Finland and Sweden.

The investigation warned that Moscow is planning to cut the power and data supply in this region in order to sabotage key energy infrastructure. Norway, Denmark and the UK, in particular, have bolstered efforts to increase security around their offshore oil and gas installations and pipelines.

There have been multiple cyber attack incidents that have significantly impacted global power infrastructure since 2010.

Use of ransomware in energy industry cyber attacks

The energy industry is one of the most frequently attacked industries, and ransomware cyber attacks have become a particular problem for it. Ransomware typically begins with a phishing attack, the exploitation of internet-exposed vulnerable software, or an IT hygiene deficiency (a misconfiguration of an internet-exposed system).

The attacker takes control of the underlying system and can then move to other systems across the network. The malware broadly disables the network, allowing the attacker to hold the target for ransom until it pays, at which time the attacker usually sends a decryption key to unlock the target’s files.

The first major reported ransomware cyber attack within the energy industry was the 2017 WannaCry attack; WannaCry, a ransomware variant developed by North Korea, spread widely from company to company and impacted businesses across the globe.

In May 2021, the Colonial Pipeline ransomware cyber attack by the DarkSide group raised ransomware alerts across the sector. Colonial was not the first energy company to experience a ransomware attack in 2021. It was not even the only pipeline company to suffer one that month.

The most sensational and well-publicized results of the Colonial incident — the pipeline shutdown and the resulting gasoline shortages and gasoline hoarding — were the result of Colonial’s decision to shut certain systems down for safety, not the result of encryption of those systems.


Investment in cyber security as a necessary part of the energy transition

Cyber security in global power systems is a necessary pillar of the energy transition, yet investment in this area has struggled to keep pace with investment in next-generation power resources, smart grids and electrification. Since 2010, seven instances of unique malware cyber attacks have targeted the industrial control systems that reside on the operational technology networks, as opposed to IT networks, of the bulk electric system.

Meanwhile, vulnerabilities to global cyber attacks stemming from internet of things devices have flourished throughout the power distribution segment. Cyber security represents a unique business expense for energy transition investors, one that cannot be categorized as a variable or fixed cost.

Cyber security requires continuous investment in an area where best practices are a moving target due to its evolutionary, adversarial and asymmetric nature.

Some of the key features of the energy transition exacerbate the need for cyber security investment in the power industry. For example, the electrification of new industries makes the grid an increasingly valuable target for adversarial nation states, or state actors looking to disrupt economies as well as non-state actors looking to extract a ransom.

In this sense, cyber security deserves attention as a key coefficient of the energy transition equation.

Final thoughts on geopolitical dynamics in cyber attacks

Political context is a critical factor when considering the likelihood of a country or company being targeted for significant cyber attacks. Nation-state actors who perform targeted intrusions to inflict damage, disrupt or steal valuable information at the behest of a government are usually the most capable and best-resourced cyber threat actors. Cyber criminals, cyber threat actors who perform malicious attacks for financial gain, may also operate within this context at the behest of nation-state actors.

We believe that approaching global cyber attacks and digital threats from a geopolitical perspective permits a better understanding of the motivations, capabilities and exposure of both cyber threat actors and their targets.
