Cipher reports 43% rise in cyberattacks against essential infrastructure in Spain in 2024
The sector has been the focus of state-backed cyberespionage, sabotage, destructive OT malware, sophisticated hacktivism and disinformation campaigns aimed at undermining public trust.

Madrid, May 29, 2025 – Cipher, the cybersecurity division of Prosegur Group, has reported a 43% increase in cyberattacks against essential service operators in Spain during 2024. Its cyber intelligence unit, Unit x63, highlights the focus on the energy sector, a critical infrastructure sector that accounted for 9% of the total. This upward trend, continuing into 2025, points to a growing number of threats involving espionage, sabotage and the exfiltration of sensitive data, reflecting the increasing sophistication and persistence of cyber attackers.
In early 2025, Cipher’s Unit x63 confirmed that several Spanish energy companies were targeted by ransomware campaigns and hit by data leaks, followed by the sale of the stolen information on underground forums. Globally, geopolitical tensions have intensified attacks on sensitive infrastructure. Notable actors include Babuk2, which uses classic infiltration techniques; AgencyInt, known for mass data leaks; and “crocs”, involved in trafficking sensitive data, although no direct attacks by this actor have been confirmed.
Highlighting the growing danger, Santiago Anaya, Global Chief Technology Officer at Cipher, says: "Beyond economic or reputational consequences, cyberattacks in the energy sector also pose real risks to physical safety. A breach affecting industrial control systems—such as pressure monitors in refineries, safety systems in nuclear plants, or automated controls in critical infrastructure—could lead to serious consequences, including explosions or hazardous releases."
Threat landscape: key types of cyberattack targeting the energy sector
Cipher’s Unit x63 has compiled an in-depth threat analysis of attacks affecting critical infrastructure, offering an updated, structured overview of the sector through close monitoring of active campaigns, relevant actors, and emerging vulnerabilities.
• Cyberespionage
Cyberespionage in the energy sector aims to covertly obtain critical information such as facility blueprints, proprietary technologies and strategic contracts. These attacks are typically state-sponsored or executed by Advanced Persistent Threat (APT) groups looking to gain geopolitical or economic advantage—or laying the groundwork for future sabotage. There has been a huge increase in these activities, particularly in OT/SCADA environments. Key actors include Volt Typhoon (China), Berserk Bear/Dragonfly (Russia), GRAPHITE (Eastern Europe), Lazarus Group (North Korea), and APT33/Elfin (Iran)—all of which have histories of targeting critical infrastructure.
• Sabotage
Cyber sabotage in the energy sector seeks to disrupt or damage critical operations by targeting industrial systems such as SCADA, ICS, or PLCs. Unlike espionage, these attacks aim for destruction and demand high levels of sophistication, often linked to nation states. In 2025, the threat remains tangible, with precedents including Ukraine’s blackouts (Sandworm), attempts to deploy Industroyer2, FrostyGoop malware attacks on urban heating infrastructure, the Triton incident targeting a petrochemical plant, and the emergence of PIPEDREAM, a dangerous malware suite built to compromise energy infrastructure on a large scale.
• Critical OT Vulnerabilities (ICS/SCADA)
In 2024 and 2025, numerous critical vulnerabilities were discovered in core components of Industrial Control Systems (ICS), directly endangering the operational safety of energy infrastructure. These flaws—found in both software and hardware—can allow attackers to penetrate OT networks, disrupt processes or compromise system integrity. Increased digitization and IT-OT convergence have expanded the attack surface, requiring proactive patch management. Noteworthy cases include 46 “SolarWonder” vulnerabilities in solar inverters, CVE-2024-6407, affecting Schneider Electric’s Wiser Home devices, and several weaknesses reported by Siemens in its SCADA telecontrol platform.
• Destructive Malware
Destructive malware, designed to erase data, disable systems or sabotage operations, has become a frequent weapon in geopolitical conflicts and has severely impacted the energy sector. It can temporarily shut down businesses and cripple key infrastructure. Well-known cases include Shamoon, which wiped 35,000 Saudi Aramco devices in 2012; NotPetya, a wiper disguised as ransomware that caused global damage in 2017; and AcidRain, used in 2022 to disable thousands of wind turbines in Europe. Other examples include KillDisk, Industroyer and Fuxnet, a hacktivist tool used to damage industrial devices.
• Hacktivism
Hacktivist activity in the energy sector is on the rise in 2025, driven by political, social, and ideological motives. Groups like Anonymous executed high-impact operations such as the 2022 breach of Rosneft’s German subsidiary, leaking vast amounts of sensitive data. Pro-Russian collectives like NoName057(16) have launched DDoS campaigns against Western critical infrastructure. In 2024, a new group named “Mr. Hamza” emerged with strong anti-globalist rhetoric. Meanwhile, GhostSec demonstrated its ability to breach Iranian SCADA systems, illustrating the growing sophistication of hacktivist threats to industrial and OT networks.
• Disinformation campaigns and undermining public trust
In 2025, disinformation campaigns aimed at the energy sector have intensified, seeking to erode public confidence in both governments and companies. Russian-led operations in Eastern Europe have targeted efforts to diversify away from Russian gas. In Spain and other European countries, false rumors of nationwide blackouts have sparked public panic. Reputational attacks using both authentic and fabricated documents have undermined trust in energy providers.
State-directed threats
Cipher’s Unit x63 has identified a growing number of threats to the energy sector from state or para-state actors focused on espionage, sabotage, and strategic control. Russia remains the leading aggressor, with veteran groups such as Sandworm and APT28 expanding their activities across Europe, joined by specialized subgroups targeting critical systems. The FSB also continues stealthy intrusions into Western power grids, often remaining undetected for extended periods.
China, Iran and North Korea have also stepped up operations. China's Volt Typhoon, active since 2023, and Iranian groups APT34 and CyberAvengers are behind global campaigns against critical infrastructure. North Korean units such as Lazarus and Kimsuky focus on energy and nuclear information. Additionally, the presence of cyber mercenaries developing tailored malware for state clients further complicates attribution and heightens supply chain risks.
Unit x63 recommendations
In 2025, the energy sector remains a prime target for global cyber threats—with ransomware being a prominent but not exclusive risk. State intrusions, disinformation campaigns, and attacks on OT systems underscore the complexity of the current threat landscape. Cipher’s Unit x63 recommends an integrated strategy combining early threat detection, robust security hygiene, IT/OT network segmentation, and close cooperation with relevant authorities. Digital resilience must become as critical as physical infrastructure to ensure the continuity of this essential service.