A new global dataset of 119 cyber incidents in the energy sector between 2022 and 2024 shows that the EU and BRICS countries, followed by the US, are the most affected. Attacks targeted power, oil, gas and nuclear infrastructure, driven by both financial and political motives, involving various threat actors.
Researchers from the University of Belgrade in Serbia have compiled a global dataset of all reported cybersecurity threats and incidents affecting energy infrastructure and found that The European Union and the BRICS countries are the worst affected, followed by the United States.
The dataset covers the period 2022-2024 and includes all cyber attacks on power plants, oil and gas infrastructure, nuclear power plants and district heating networks.
“Unlike most existing works, this study took a broader approach by using an integrated review, incorporating gray literature as a key source for building the dataset. The use of gray literature was motivated by the goal of collecting information on the most recent incidents,” the scientists said.
Gray literature includes research and information produced by governments, academic institutions, companies and industry that is not managed or published through commercial channels.
In total, the dataset includes 119 incidents, of which 53 in 2022, 27 in 2023 and 39 in 2024.
The attacks targeted the energy infrastructure of some of the world’s largest companies, including Finland’s Fortum, Spain’s Repsol and Iberdrola, Italy’s Eni and Acea, France’s Engie, Israel Electric Company, Russia’s Gazprom, Lukoil and Rosneft, Estonia’s Eesti Energia, Greece’s Public Power Corporation (PPC), India’s Tata Power, Taiwan’s Taipower, Ukraine’s Oblenergo, South Africa’s Eskom and US-based Devon, among many others, including smaller energy companies.
One notable incident involved the Italian energy agency Gestore dei Servizi Energetici (GSE), which, as a state-owned company under the Ministry of Economy and Finance, plays a central role in regulating and supporting the renewable energy market. GSE administers incentive programs, allocates government funding, and oversees access procedures for renewable energy support, while ensuring regulatory compliance.
The research categorizes cyber incidents into three types: distributed denial-of-service (DDoS) attacks, which overwhelm systems or networks and disrupt access; ransomware, where attackers block resources and demand payment to restore access or protect data; and malware, which includes any malicious software that compromises the security, confidentiality, integrity or availability of a system.
Motives are classified as financial or political, with political motives such as espionage, sabotage and hacktivism, which the scientists describe as ideologically driven politics to discredit.
The dataset shows that in 2022, most cyber incidents occurred in the EU and BRICS countries, led by Russia and Germany, with notable impacts in Eastern and Southeastern Europe and Central Asia. In 2023 and 2024, the focus shifted to North America and Asia, with the United States being the hardest hit country and Israel becoming a major target. Overall, the geographic pattern shifted from Europe and the BRICS to North America and Asia over the three years.
Image:
University of Belgrade, Energy Policy, CC BY 4.0
“The energy sector dominated among the most affected subsectors with 36% of recorded incidents, followed by the oil sector and the natural gas sector, which accounted for 25% and 23% respectively,” the researchers noted, without providing data separating renewable and conventional energy infrastructure. “Additionally, taking into account 8% of incidents in the nuclear sector alone reinforces the impression of the attractiveness and vulnerability of the energy sector, which accounts for a total of 44%.”
The dataset also shows that financially motivated attacks targeted power (37%), natural gas (32%) and oil (28%), mainly in North America and Europe, while politically motivated attacks were dominated by hacktivism (47%), followed by espionage (36%) and sabotage (16%), often linked to geopolitical conflict. Ransomware was the most common attack type (51%) and mainly caused data theft, while malware (17%) targeted both activity and data.
All types of threat actors were involved, including cybercriminals, hacktivists, espionage groups, and national cyber armies.
“The research shows that all types of threats are present at the same time, and are increasing in intensity, sophistication and impact potential,” the research group emphasized. “The cyber threat landscape is characterized by a diverse group of actors, including state-sponsored groups, cybercriminals and hacktivists, often with overlapping agendas and motivations ranging from financial gain to political influence, geostrategic and industrial competition and physical disruption.”
“It is also notable that while financial motivation still dominates attacks, incidents are increasingly taking on certain political connotations as a result of geopolitical rivalries and armed conflicts,” the academics concluded. “This is reflected in the increasingly common extensive espionage campaigns or the creation of sophisticated, specially designed tools that can have far-reaching consequences.”
The dataset was presented in “Cyber threats and energy security: development and analysis of an incident dataset for the period 2022-2024”, published in Energy policy.
This content is copyrighted and may not be reused. If you would like to collaborate with us and reuse some of our content, please contact: editors@pv-magazine.com.
Popular content
