New data from Cyfirma shows a marked rise in cyber threats facing the sector, with energy and utilities organizations featuring in six of 14 observed advanced persistent threat campaigns, up from just two in the prior period, indicating growing adversary focus on critical infrastructure. Intelligence gathered from Cyfirma’s external threat telemetry found a predominance of suspected state-linked actors, broad geographic victim distribution across the U.S., Asia, and allied nations, and primary targeting of web applications and operating systems, while ransomware victim counts surged more than 60% over the last quarter and vulnerability disclosures highlighted persistent remote code execution and increasing denial-of-service risk.
In its ‘Cyfirma Q1 2026 Energy & Utilities Industry Report,’ the findings suggest that, even as underground chatter about the sector remains relatively low compared with other industries, evolving attack patterns and expanding exposure are reshaping the external threat landscape for energy and utilities providers globally. Most of the activity over the past 90 days occurred in January. There were no observed campaigns in November and only one in December, and a new campaign was already emerging within the first few days of February, suggesting the uptick is likely to continue into the next quarter.
The majority of the threat activity was attributed to China-linked groups, followed by Russian financially motivated syndicates. North Korean and Iranian groups were each linked to a single campaign during the period. Cyfirma also observed that the monthly trendline over the past 180 days shows a slow but steady increase in victims each month, ending with a sharp spike in January, ‘suggesting an elevated trend into the next quarter.’
Victims were identified across a broad geographic footprint, with the highest concentrations in the U.S., Japan, India, South Korea, and Australia, each accounting for six detected victims. Additional activity was observed across Europe, the Middle East, and Southeast Asia, pointing to widespread exposure rather than regionally isolated targeting. The campaigns targeted various enterprise and network technologies, with web applications and operating systems appearing most frequently. Other technology categories surfaced only sporadically, indicating varied intrusion paths across campaigns rather than dependence on a single dominant technology vector.
Energy and utilities organizations featured in six of the 14 advanced persistent threat campaigns observed, accounting for 43% of all campaigns. That marks a sharp increase from the previous period, when the sector appeared in just two of 15 campaigns, or 13% of the total. “The monthly trends show a major uptick of detections during January, with December recording 1 campaign and a few days of February already showing another detection.”
Cyfirma reported that it identified 72 verified ransomware victims in the energy and utilities sector over the past 90 days. That total represents 3.32% of the 2,169 ransomware victims recorded across all industries during the same period, ranking energy and utilities 13th out of 14 sectors. “Furthermore, a quarterly comparison shows that interest in energy & utilities organizations jumped significantly. There was an increase of 63.6% from 44 to 72 victims. The overall share also grew from 2.52% to 3.32% of all victims.”
It added that out of the 68 gangs, 26 recorded victims in the energy & utilities industry in the last 90 days, representing a 38% participation rate. “Qilin and Akira had the highest number of victims, but with low shares of 3.4% and 4.8% of all their victims. That means their numbers reflect opportunistic targeting and the large scale of their activity. Obscura (27%), Direwolf (12%), and previously mentioned 0apt (9%) showed the highest focus on this industry from groups with a meaningful number of victims.”
The report disclosed that observed activity involving energy and utilities victims is dominated by suspected China-aligned, state-sponsored actors, including Stone Panda, Volt Typhoon, APT41, APT27, Hafnium, Earth Estries, Salt Typhoon, and MISSION2074. “Middle East-aligned state activity is represented by Oilrig, while North Korea-aligned activity appears via Lazarus Group. Financially motivated intrusion sets, including FIN7, FIN11, and TA505, appear less frequently, indicating a stronger nation-state presence than criminal monetization in the observed campaigns.”
Over the past three months, Cyfirma’s telemetry identified 91 mentions of the energy and utilities industry out of a total of 2,453 industry mentions. This is from over 10k CVEs reported and updated in the last 90 days. The energy and utilities industry ranked 7th out of 14 industries in the last 90 days, with a share of 3.71% of all detected industry-linked vulnerabilities.
“Reported energy & utilities-related CVEs are dominated by remote and arbitrary code execution and injection vulnerabilities across all three 30-day periods,” according to the report. “Memory and buffer-related issues remain consistently present, while denial-of-service and resource exhaustion vulnerabilities increase sharply in the most recent period. Other vulnerability classes appear intermittently at low volumes, reflecting variable disclosure patterns rather than sustained shifts in attacker focus.”
Cyfirma noted that oil, gas, and fuels are the most frequent victims of ransomware in this industry, with electric utilities following in second place, and energy equipment and services coming third.
In conclusion, Cyfirma observed a notable increase in advanced persistent threat activity targeting the energy and utilities sector. Six of the 14 campaigns observed, or 43%, affected the sector, up from 13% in the prior period. Activity was heavily concentrated in January following a quiet November and limited activity in December, with early February already pointing to continued momentum into the next quarter.
The majority of threat activity was linked to China-associated groups, followed by Russian financially motivated actors, with isolated campaigns attributed to North Korean and Iranian groups. Victims were widely distributed, with the U.S., Japan, India, South Korea, and Australia most frequently affected, alongside spillover into Europe, the Middle East, and Southeast Asia. Campaigns primarily targeted web applications and operating systems, though intrusion paths varied, suggesting opportunistic rather than uniform targeting.
Cyfirma also found that energy and utilities accounted for 2.42% of underground and dark web chatter, ranking the sector tenth overall. Data breach and leak activity remained elevated but showed signs of decline, pointing to sustained interest paired with reduced public exposure or resale. Ransomware-related chatter was volatile, dropping sharply before partially rebounding, while discussion of web exploits, distributed denial-of-service activity, and claimed hacks remained relatively low. Hacktivist activity declined in the most recent period, reinforcing the view that financially and access-driven motives continue to dominate underground activity against the sector.
Vulnerability disclosures tied to the energy and utilities sector accounted for 3.71% of the total, placing it seventh overall. Remote code execution vulnerabilities remained persistent, underscoring ongoing risk across operational technology, industrial control systems, and energy management platforms. Denial-of-service-related disclosures spiked sharply in the latest period, highlighting rising concern over availability risks to critical infrastructure. Memory and buffer-related vulnerabilities also increased, reflecting deeper scrutiny of legacy and embedded systems, while injection and cross-site scripting findings declined overall.
Ransomware activity showed a sharp increase despite the sector ranking 13th by victim count. Cyfirma identified 72 ransomware victims, marking a 64% increase over the prior period and raising the sector’s share to 3.32%. Activity escalated steadily over several months before spiking in January, signaling a shift in attacker interest.
While high-volume ransomware groups such as Qilin and Akira targeted the sector opportunistically, newer and niche groups, including 0apt, Obscura, and Direwolf, demonstrated more focused attention. Victim geography expanded to 31 countries, with recent increases concentrated in Canada, the U.K., and Thailand rather than the U.S., suggesting a diversification in targeting strategies.
The Cyfirma data comes amid reports that Truesec flagged the ‘OpDenmark’ cyber threat after the Russian Legion issued a large-scale attack warning against Denmark. CERT Polska also detailed coordinated destructive cyberattacks on more than 30 wind, solar, and combined heat and power (CHP) facilities in Poland on Dec. 29, 2025, where attackers used wiper malware and industrial network intrusion techniques to disrupt communications and OT (operational technology) systems, even though electricity and heat supply remained uninterrupted, underscoring persistent adversary interest in OT environments.
