The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the energy industry, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the energy industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the energy industry.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation, based on both human research input and automated ingestions.
Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
Each attack campaign may target multiple organizations across various countries.
Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.
Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.
Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.
In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations, where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.
During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.
ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS
Energy organizations featured in 7 out of the 17 observed campaigns, which is a presence in 41% of campaigns.
Observed Campaigns per Month
The monthly chart shows an increase in detections throughout December and early January. This coincides with a broader uptick in the detection of Chinese cyber activity during the same period.
Suspected Threat Actors
The majority of detections are linked to Mustang Panda, with TTPs overlapping those of other known China-APT41 nexus actors, collectively tracked as Mission2025.
GEOGRAPHICAL DISTRIBUTION
Victims of observed attack campaigns were recorded in 17 different countries. India recorded the most victims in campaigns that included the energy industry.
The overall geographical distribution of victims aligns with Chinese strategic objectives.
TOP ATTACKED TECHNOLOGY
Attack campaigns focused on Web Applications, Operating Systems and Application Infrastructure.
Risk Level Indicator: Medium
In the past 90 days, the energy industry has experienced fluctuating levels of risk, alternating between periods of high and low detection volumes. Primary threat actors in this sector include Chinese groups Mustang Panda and APT41-nexus (tracked as Mission2025). Russian actors such as Fancy and Cozy Bears, along with TA505, were also observed.
Geographically, the most targeted regions were India, Vietnam, and Japan, with the Philippines, Vietnam, and South Korea following closely. Southeast Asia witnessed an increase in attack volumes, previously associated with heightened activity by the Lazarus Group, but the current surge is attributed to Chinese nation-sponsored activity.
Web applications remain the most frequently targeted technology across various industries, closely followed by operating systems in terms of susceptibility. Additionally, cyberattacks targeting application infrastructure and infrastructure-as-a-service were observed.
Over the past 3 months, CYFIRMA’s telemetry recorded a total of 332,232 phishing campaigns, of which 13,117 impersonated energy industry organizations.
As per the chart below, energy accounted for 3.95% of all observed phishing campaigns, a noticeable increase from 0.03% in the previous 90-day snapshot.
Global Distribution of Phishing Themes per Sector
Top Impersonated Brands
In total, 4 energy organizations were observed, with Gazprom accounting for 99.95% of all detections.
Top Countries of Origin based on ASN
The ASN origin of observed campaigns paints an interesting picture. The Netherlands is the source of the majority of Gazprom phishing, with some sent from the USA as well.
Risk Level Indicator: Low
The energy industry experienced a significant surge in impersonations, rising from 0.03% to 3.95% in the past 90 days, a notable hundredfold increase in volume. The surge can be attributed primarily to Gazprom, the Russian natural gas giant, which accounted for 99.95% of all observed phishing attempts with an energy theme. Other observed campaigns targeted a limited number of Swiss, Italian, and Polish organizations.
Analysis of ASN origin data reveals that the majority of Gazprom-themed phishing attacks originated from the Netherlands.
Despite the increase in volume, the energy sector maintains a relatively low risk for phishing impersonations due to its highly fragmented nature, preventing widespread ‘spray and pray’ campaigns.
In the past 90 days, CYFIRMA has identified 62 verified ransomware victims within the energy industry sectors. This accounts for 5.5% of the overall total of 1,131 ransomware incidents during the same period.
The Monthly Activity Chart
The monthly activity chart shows a downward trend even when adjusted for the partial months of November and February.
Breakdown of Monthly activity by Gangs
A breakdown of monthly activity offers insights into group-specific patterns. Notably, LockBit3 and Blackbasta were responsible for the elevated numbers in December, while ALPHV, Hunters, and Trigona are currently driving activity in February.
Ransomware Victims in Energy Industry per Group
In total, 19 out of 52 groups recorded energy organization victims in the past 90 days. The top 4 are responsible for half of them.
Comparison to All Ransomware Victims by Group
Comparing the energy industry to all recorded victims, ALPHV and Blackbasta stand out with a relatively high share of victims within the energy sector, indicating heightened interest in targeting this industry.
Geographic Distribution Of Victims
The heatmap of geographic distribution shows a truly global reach of ransomware.
Total Victims per Country
In total, 24 countries recorded ransomware victims, with the US alone accounting for ~42% of all victims with identified geography.
Sectors Distribution
Listing the consolidated sectors matched under the energy industry umbrella shows Energy & Power Distribution and Services as the most attacked sectors. Furthermore, we observe a diverse range of impacted sectors, including many niches.
Risk Level Indicator: Medium
The monthly activity data over the past 90 days reveals a decline, after a previous upward trend, resulting in a medium-risk level. Energy industry victims accounted for 5.5% of all recorded victims, reflecting a slight increase from 4.8%.
Among the 52 groups recording victims, ALPHV, LockBit3, Blackbasta, and 8base recorded the highest numbers, collectively representing half of all victims. Particularly, ALPHV and Blackbasta exhibited a relatively high number of energy victims, compared to their overall victim count, suggesting a potentially heightened interest in the energy sector. Conversely, the Play gang recorded only a single energy victim out of 69.
Ransomware incidents targeting the energy industry were recorded in 24 different countries, with the USA accounting for 42% of all cases, followed by Canada and Germany. A noteworthy observation is the emerging spillover into other regions, including Qatar and Saudi Arabia in the Middle East, and Vietnam, Malaysia, and Thailand in Southeast Asia.
Lastly, the most compromised sectors were Energy & Power Solutions and Distribution, Energy Services, and Oil & Gas Exploration and Production.
For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly “Tracking Ransomware” series here.
In the external threat landscape of the energy industry, we observe a medium to low risk across monitored categories.
Ransomware remains a significant concern, with energy organizations comprising 5.5% of all victims in the last 90 days. ALPHV and Blackbasta exhibit a notable focus on this industry, while LockBit3 and 8base pose high risks due to their overall volume of ransomware attacks.
Phishing, although showing an increase from 0.03% to 3.95% in observed campaigns, maintains a low risk. This is primarily attributed to all new detections being isolated to impersonations of Gazprom, the Russian natural gas giant. The rest of the energy sector remains overlooked due to its fragmented nature, making it unsuitable for widespread phishing campaigns.
Observed Advanced Persistent Threat (APT) campaigns have dropped to a moderate risk, as the past 90 days were relatively quiet, with the exception of December. During that period, there was a broader uptick in Chinese nation-state campaigns by Mustang Panda and APT41-nexus (Mission2025). This uptick also included some energy industry victims.