Cipher reveals a 43% increase in cyber attacks on essential infrastructure in Spain in 2024


By Jack Ferson


Cipher, Prosegur's cybersecurity division, has detected through its X63 Unit a 43% increase in cyber attacks against essential operators in Spain during 2024. The increase especially affects critical infrastructure in the energy sector, which accounts for 9% of the total. The trend, which continues so far in 2025, reveals growth in threats oriented to espionage, sabotage and leakage of sensitive data, reflecting the growing sophistication and persistence of the attackers.

In the first months of 2025, the analysis of the X63 Unit confirms that several Spanish energy companies have been the target of ransomware, leaks and the sale of information in clandestine forums. Globally, geopolitical tensions have intensified these campaigns against sensitive infrastructure. Among the notable actors are Babuk2, with traditional infiltration techniques; Agencyint, specialized in the massive leakage of personal data; and «crocs», linked to the marketing of sensitive information, although without clear evidence of direct attacks.

Santiago Anaya, Global Chief Technology Officer of Cipher, has affirmed that, “beyond the economic or reputational implications, cyber attacks in the energy sector also pose potential risks to physical safety. An incident that affects industrial control systems – such as pressure monitors in refineries, safety systems in nuclear plants or automated controls in critical infrastructure serious, including explosions or dangerous releases.”

Radiography of threats: the main types of cyber attacks on the energy sector

Cipher X63 Unit experts have produced an analysis of the main threats affecting critical infrastructure, with the aim of offering an updated and structured view of the sector, based on exhaustive monitoring of active campaigns, relevant actors and emerging vulnerabilities.

  • Cyber espionage: Cyber espionage in the energy sector seeks to covertly obtain critical information, such as facility plans, proprietary technologies or strategic contracts. These attacks, generally driven by state actors or APT groups, are intended to gain geopolitical or economic advantage, or to prepare future sabotage. In the 2024-2025 period there has been a significant increase in these campaigns, with a special focus on OT/SCADA environments. Among the most relevant actors are Volt Typhoon (China), Berserk Bear/Dragonfly (Russia), Graphite (Eastern Europe), Lazarus Group (North Korea) and APT33/Elfin (Iran), all of them with a history of operations directed against critical infrastructure.
  • Sabotage: Cyber sabotage in the energy sector seeks to interrupt or damage the functioning of critical infrastructure through attacks on industrial systems such as SCADA, ICS or PLCs. Unlike espionage, these attacks pursue destructive effects and require a high level of sophistication, typical of state actors. In 2025 the threat is tangible, with precedents such as the blackouts in Ukraine (Sandworm), the attempted deployment of Industroyer2, the FrostyGoop malware against urban heating, the Triton attack on a petrochemical plant, and the detection of the dangerous Pipedream suite, designed to compromise large-scale energy infrastructure.
  • Critical vulnerabilities in OT systems (ICS/SCADA): During 2024 and 2025 multiple critical vulnerabilities have been discovered in key components of industrial control systems (ICS), directly affecting the operational safety of energy infrastructure. These flaws, present in both software and hardware, can be used to access OT networks, interrupt processes or compromise the integrity of critical systems. The digitalization of the sector and IT-OT convergence have expanded the attack surface, demanding proactive patch management. Among the most relevant cases are the 46 “Solarwonder” vulnerabilities in solar inverters, CVE-2024-6407 in Schneider Electric Wiser Home devices, and several flaws reported by Siemens in its Telecontrol SCADA platform.
  • Destructive malware: The use of purely destructive malware has become a recurring tool in geopolitical conflicts, seriously affecting the energy sector. This type of malicious software seeks to erase data, disable systems or sabotage critical operations, with impacts ranging from the paralysis of companies to the loss of control over infrastructure. Emblematic cases include Shamoon, which in 2012 wiped 35,000 computers at Saudi Aramco; NotPetya, a wiper disguised as ransomware that caused global damage in 2017; and AcidRain, used in 2022 to remotely disable thousands of wind turbines in Europe. KillDisk and Industroyer also stand out in attacks on the Ukrainian electricity grid, as does the use of malware such as Fuxnet by hacktivist groups to damage industrial devices.
  • Hacktivism: Hacktivism in the energy sector continues to increase during 2025, driven by political, social and ideological motivations. Groups such as Anonymous have carried out high-impact operations, such as the attack on the German subsidiary of Rosneft in 2022, extracting large volumes of sensitive information. In parallel, pro-Russian groups such as NoName057(16) have conducted distributed denial of service (DDoS) campaigns against Western critical infrastructure. In 2024 the “Mr. Hamza” group emerged, with hostile rhetoric towards international organizations. GhostSec also demonstrated the ability to infiltrate Iranian SCADA systems, reflecting the growing sophistication of hacktivist attacks on industrial networks and OT.
  • Disinformation campaigns and attacks on public trust: In 2025, disinformation campaigns aimed at the energy sector are intensifying, seeking to erode public confidence in governments and companies. Russian operations stand out in Eastern Europe, aimed at discrediting energy diversification efforts after the reduction of dependence on Russian gas. At the same time, in Spain and other European countries, unfounded rumors about mass blackouts circulate, generating social alarm. In addition, attacks on the reputation of energy suppliers through the dissemination of real or false documents undermine the credibility of the sector.

Intrusions of state origin

Cipher's X63 Unit has identified that a large part of the threats to the energy sector come from state or para-state actors, whose objectives are espionage, sabotage and strategic control. Russia remains the main aggressor, with veteran groups such as Sandworm and APT28 expanding their attacks on Europe, in addition to new subgroups specialized in critical infrastructure. The FSB also maintains persistent intrusions in Western electrical networks, often detected only after long periods of concealment.

China, Iran and North Korea have also intensified their activity in the sector. Notable examples are the Chinese group Volt Typhoon, active since 2023, and the Iranian groups APT34 and CyberAvengers, with global campaigns against critical infrastructure. North Korea operates with Lazarus and Kimsuky, focused on energy and nuclear information. The unit also warns of mercenary actors that develop custom malware for governments, complicating attribution and increasing risks in the energy supply chain.

Recommendations of the X63 Unit

In 2025, the energy sector remains one of the main targets of the global cyber threat, with ransomware as a prominent but not exclusive vector. State intrusions, disinformation campaigns and attacks on OT systems underline the complexity of the current landscape. Cipher's X63 Unit recommends adopting a comprehensive strategy that combines early detection, security hygiene, segmentation between IT and OT environments, and constant cooperation with the competent authorities. Digital resilience must be consolidated as a pillar as critical as physical infrastructure, thus guaranteeing the continuity of an essential service that cannot afford interruptions.
