A Rising Tide of Threats: The Offshore Energy Industry’s Threat Landscape
Key Findings:
- Qilin was the top ransomware group targeting the energy sector between October 2024 and October 2025.
- 56% of ransomware victims in the energy sector were based in the US and Canada.
- We observed threat actors distributing malware via fraudulent apps, such as RecipeLister and AppSuite PDF Editor, to energy companies this year via malicious advertisements on Google Ads.
Offshore energy operators are navigating a period of elevated and complex cyber risk.
In 2023, operational technology (OT) and industrial control system (ICS) environments were three times more likely to be attacked than any other industrial sector. UK-based utility companies were particularly hard hit, experiencing a 586% jump in attacks from 2022 to 2023. Additionally, last year, the focus of NATO’s Annual Roundtable on Energy Security was physical and cyberattacks against offshore wind farms and undersea cables, highlighting the growing need to secure critical infrastructure.
Digital systems sit at the center of power generation, pipeline logistics, drilling and lifting operations, and the control of offshore wind assets. This means a cyberattack no longer only disrupts back-office systems, but can spill into safety, environmental impact, market volatility, and service availability at sea and on shore.

Figure 1. A threat actor on a dark web forum is looking for information on critical infrastructure entities including the energy sector.
Offshore energy installations, such as wind turbines and oil and gas drilling platforms, are especially attractive to cybercriminals because their operations depend not only on remote connectivity, but also on good weather for crews to attend to any issues at the facility. When the weather makes such a trip dangerous, crews must suspend critical work until it is safe to operate.

Figure 2. A threat actor is looking for energy sector network access for potential attacks.
Criminals understand when crews can and cannot operate and use this knowledge to increase their leverage during extortion. Maritime safety alerts document how dynamic positioning (DP) failures or sensor issues can force pauses in drilling or heavy-lift operations, which makes any cyber-driven outage more expensive.
This blog frames those risks in clear business terms and links them to practical controls that can be implemented across mixed IT, OT, and maritime environments.
Ransomware Attacks Against Power-generating Companies
Ransomware groups go where downtime hurts most. Energy and offshore operations have very low tolerance for disruption because delays cascade into safety risk, environmental exposure, and market impact. Criminals know that a halted pipeline or a vessel that must suspend drilling is costly by the hour, so victims feel intense pressure to restore systems fast. Public evidence from Colonial Pipeline shows how a single ransomware event produced fuel shortages and forced rapid recovery decisions, including a confirmed ransom payment, which was partially recovered by the FBI. Offshore, leading-edge rig day rates commonly run in the hundreds of thousands of dollars per day, so even short pauses create large losses that amplify extortion leverage.

Figure 3. Inc ransomware attack claims against Tonga Power, Tonga’s state-owned electricity provider.
Although ransomware attacks against critical infrastructure have been an ongoing threat across countries, in recent years, the energy sector has continuously seen an uptick in these pervasive and unforgiving attacks.
LevelBlue SpiderLabs’ own research data supports this fact. In our 2025 Risk Radar Report: Energy and Utilities Sector, we found that there has been a staggering 80% year-over-year increase in ransomware activity in the energy sector.
After looking at different ransomware groups’ data leak sites, the SpiderLabs team discovered that Qilin was the top ransomware group targeting the energy sector between October 2024 and October 2025.
Qilin is a Russian-speaking cybercrime organization that has been linked to a number of incidents. The group is known for its aggressive tactics and high-value targeting strategy, making it the most active group targeting the energy sector.

Table 1. The number of ransomware victims belonging to the energy sector exposed on ransomware actors’ respective data leak portals.
Based on the data, the following regional patterns also emerged:
- 56% of ransomware victims in the energy sector were based in the US and Canada.
- A significant number of ransomware attacks occurred in the Asia-Pacific region, specifically targeting energy companies in Australia, India, Indonesia, Singapore, and Thailand.
- In Europe, there was a moderate level of ransomware attacks targeting energy companies, especially those located in Germany, the UK, France, and Italy.
- A growing number of ransomware attacks targeting energy companies in Latin America (Brazil, Argentina, Chile, and Colombia) was also seen.
- Ransomware actors also targeted some energy companies in Middle Eastern countries such as the UAE, Qatar, Oman, and Jordan.
- There was limited ransomware activity in Africa (Kenya, Uganda, and Botswana).
The data also points to ransomware actors targeting the following critical infrastructure:
- SCADA Systems: Industrial control systems
- Energy Management: Grid control and monitoring systems
- Remote Facilities: Offshore and remote energy installations
- Supply Chain: Energy service providers
Energy companies hold data that criminals can monetize in several ways. This includes operational plans, engineering files, trading and customer information, and sustainability or carbon reporting datasets. Some incidents affecting energy vendors, such as the Schneider Electric incident at the end of 2024, illustrate how attackers exfiltrate sensitive data and then pressure both the supplier and downstream clients with double and triple extortion.
Earlier this year, Canada-based Nova Scotia Power experienced a ransomware attack that affected its IT and network operations. The company was forced to shut down affected servers causing operational disruptions and customer service delays.
During the unauthorized intrusion, ransomware actors stole certain customer information, including names, phone numbers, email addresses, and customers’ payment, billing, and credit histories. In an update published on May 23, the energy company confirmed that the ransomware actors had published customers’ stolen data and that the company did not pay the ransom. Affected customers were informed accordingly and were offered an initial two-year credit monitoring service, which was later expanded to a five-year service, for free.
Data Leaks Affecting the Energy Sector
The material taken from energy companies and their vendors spans engineering and operational documents, identity data, contracts, and internal communications, which criminals reuse for targeted phishing and follow-on access.

Figure 4. A threat actor shares access to some panels that they claimed to have obtained by hacking into an energy company.
Last year, Halliburton, a Texas-based energy services company, confirmed that a security incident led to the exfiltration of company information, including limited access to portions of the company’s business applications that support its operations and corporate functions.
Supply-chain breaches amplified this exposure during the MOVEit campaign, where attackers stole files at Siemens Energy, Shell’s Australian unit, and multiple US Department of Energy entities via a single file transfer flaw, with hundreds of organizations ultimately listed as victims.

Figure 5. Threat actors are selling 136GB worth of data they claimed to have obtained by hacking into an Argentina-based energy company.
Even when core operations are not disrupted, leaked datasets create long tails of risk for employees, customers, and partners.

Figure 6. A dark web forum post about the leaked data of a multinational conglomerate operating across different industries, including the energy sector.
Once published, energy sector leaks are hard to contain. Adversaries and third-party trackers catalog victims and repost archives, which keeps pressure on operators and their clients and enables repeated social engineering against field and office staff.
Access to Energy Companies on the Dark Web
Initial-access sales against energy and offshore operators are a steady feature of underground forums. Brokers obtain footholds through stolen credentials and exploited edge devices, then sell “network access” to bidders. Listings commonly advertise RDP or VPN entry, name the victim’s country and revenue, and use auction shorthand like start, step and blitz to signal opening bid, increment and buy-now price.

Figure 7. A restored dark web advertisement of a threat actor selling access to an energy company.
Pricing is designed to move quickly. A recent review of access-broker listings shows most corporate listings sell in the low hundreds of dollars, with typical bands between about $500 and $3,000, and occasional five-figure asks for high-value environments. Access types have shifted from mostly RDP toward more VPN and other remote services, reflecting how attackers now harvest credentials at scale and abuse perimeter gear.

Figure 8. A restored dark web advertisement claims to offer full access to the Bangladesh Power Development Board.
These markets feed ransomware and data-theft crews. The marketplaces and forums show a stable volume of broker posts year over year, with many offerings bundled with usable user privileges, making it faster for buyers to pivot to file servers, email, and OT-adjacent jump hosts.
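The listing format and price bands described above lend themselves to simple triage tooling on the intelligence side. The following is an added example, not code from the original post: a small parser for the start/step/blitz shorthand that also extracts country, revenue, access type and advertised privilege level, then places each listing in the price bands quoted in the text (about $500 to $3,000 as typical, five figures as high-value). The listings are constructed samples, not real posts, and every field name and the keyword lists are my own assumptions rather than any marketplace's schema.

```python
"""Parse auction-style access-broker listings (added example; constructed data)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample listings imitating the shorthand described in the text.
SAMPLE_LISTINGS = [
    "Selling access: energy company, Country: US, Revenue: $450M, Type: VPN, "
    "Rights: Domain User, Start: 1500, Step: 200, Blitz: 4000",
    "RDP access, power utility, Country: DE, Revenue: 80M$, "
    "Start: 500 Step: 100 Blitz: 1200",
    "Corporate network, Country: AU, Revenue: $2B, Type: Citrix, Domain Admin, "
    "Start: 8000 Step: 500 Blitz: 15000",
]

# Assumed keyword lists; extend them as listings in your own collection require.
ACCESS_TYPES = {"vpn": "VPN", "rdp": "RDP", "citrix": "Citrix", "ssh": "SSH", "vnc": "VNC"}
PRIVILEGES = {"domain admin": "Domain Admin", "local admin": "Local Admin",
              "domain user": "Domain User", "user": "User"}
MULTIPLIERS = {"k": 1e3, "m": 1e6, "b": 1e9}

COUNTRY_RE = re.compile(r"Country:\s*([A-Za-z][A-Za-z ]*?)\s*(?:,|Revenue:|$)", re.I)
REVENUE_RE = re.compile(r"Revenue:\s*\$?\s*(\d+(?:\.\d+)?)\s*([KMB])?\s*\$?", re.I)
ACCESS_RE = re.compile(r"\b(" + "|".join(ACCESS_TYPES) + r")\b", re.I)
PRIV_RE = re.compile(r"\b(" + "|".join(PRIVILEGES) + r")\b", re.I)


@dataclass
class AccessListing:
    country: Optional[str]
    revenue_usd: Optional[float]
    access_type: str
    privilege: Optional[str]
    start: Optional[int]   # opening bid
    step: Optional[int]    # bid increment
    blitz: Optional[int]   # buy-now price

    @property
    def price_band(self) -> str:
        # Use the buy-now price when present, otherwise the opening bid.
        return price_band(self.blitz if self.blitz is not None else self.start)


def price_band(amount: Optional[int]) -> str:
    """Bands follow the figures quoted in the text."""
    if amount is None:
        return "unknown"
    if amount < 500:
        return "low (<$500)"
    if amount <= 3000:
        return "typical ($500-$3,000)"
    if amount < 10000:
        return "elevated ($3,000-$10,000)"
    return "high-value (five figures or more)"


def _auction_field(name: str, text: str) -> Optional[int]:
    m = re.search(name + r":\s*\$?\s*(\d[\d,]*)", text, re.I)
    return int(m.group(1).replace(",", "")) if m else None


def parse_listing(text: str) -> AccessListing:
    country = COUNTRY_RE.search(text)
    revenue = REVENUE_RE.search(text)
    access = ACCESS_RE.search(text)
    priv = PRIV_RE.search(text)
    revenue_usd = None
    if revenue:
        unit = (revenue.group(2) or "").lower()
        revenue_usd = float(revenue.group(1)) * MULTIPLIERS.get(unit, 1.0)
    return AccessListing(
        country=country.group(1).strip() if country else None,
        revenue_usd=revenue_usd,
        access_type=ACCESS_TYPES[access.group(1).lower()] if access else "unknown",
        privilege=PRIVILEGES[priv.group(1).lower()] if priv else None,
        start=_auction_field("Start", text),
        step=_auction_field("Step", text),
        blitz=_auction_field("Blitz", text),
    )


def summarize(texts) -> dict:
    """Count listings by access type and price band for a quick trend view."""
    parsed = [parse_listing(t) for t in texts]
    return {
        "by_access_type": Counter(p.access_type for p in parsed),
        "by_price_band": Counter(p.price_band for p in parsed),
    }


if __name__ == "__main__":
    for text in SAMPLE_LISTINGS:
        print(parse_listing(text))
    print(summarize(SAMPLE_LISTINGS))
```

The regular expressions are deliberately loose because broker posts vary in punctuation and ordering; in practice, keep the raw post text alongside the parsed record so analysts can verify any field the parser got wrong.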
Malware Attacks
We observed threat actors distributing specific malware to energy companies this year via malicious advertisements on Google Ads.
In June 2025, we observed threat actors distributing malware to the energy sector via a fraudulent RecipeLister app delivered through malvertising. The malware disguises itself as a recipe utility app. The executable uses NSIS (Nullsoft Scriptable Install System) to silently install the Electron app in the user’s temporary directory and launch it without user interaction. Upon installation, the malware hijacks sensitive credentials and enables the threat actor to establish persistence and run remote commands.

Figure 9. The malicious RecipeLister utility app.
In August, we found cybercriminals distributing the AppSuite PDF backdoor to energy companies via malicious advertisements on Google Ads. Also referred to as “PDFEditor” or “ManualFinder,” AppSuite PDF is a trojanized app that is distributed via legitimate-looking websites for credential theft and proxy creation.
Based on our observation, the malicious “AppSuite-PDF.msi” file was directly downloaded by users through browsers across multiple systems. The malware disguises itself as a legitimate PDF viewer and is downloadable through different websites. The application enables the threat actor to establish persistence and run remote commands.
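Both cases above share a host-level pattern a SOC can hunt for: the RecipeLister installer silently launching an application from the user's temporary directory, and an MSI package that arrived in a user's Downloads folder being handed to msiexec. The following is an added example, not code from the original post or from the LevelBlue team: a small detection routine run over constructed process-creation events in a simplified Sysmon-like shape. The event fields, the directory heuristics and the sample paths are my own assumptions; only the AppSuite-PDF.msi file name comes from the text, and no sample event is real telemetry.

```python
"""Flag installer-from-Downloads and temp-directory launch patterns (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TEMP_DIR = r"AppData\Local\Temp"   # per-user temp directory on Windows
MSI_ARG = re.compile(r'(?:/i|/package)\s+"?([^"]+?\.msi)"?', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process
    user: str


def in_user_subdir(path: str, subdir: str) -> bool:
    """True if path lies under \\Users\\<name>\\<subdir>\\ (case-insensitive)."""
    p = path.replace("/", "\\").lower()
    pattern = r"\\users\\[^\\]+\\" + re.escape(subdir.lower()) + r"\\"
    return re.search(pattern, p) is not None


def installed_msi_path(command_line: str) -> Optional[str]:
    """Extract the package path from an msiexec /i or /package command line."""
    m = MSI_ARG.search(command_line)
    return m.group(1) if m else None


def evaluate(ev: ProcessEvent) -> List[str]:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    # Pattern 1: something dropped into the user's temp directory was launched by
    # an executable the user had in Downloads (the NSIS installer behaviour above).
    if in_user_subdir(ev.image, TEMP_DIR) and in_user_subdir(ev.parent_image, "Downloads"):
        reasons.append("installer in Downloads launched a program from the user temp directory")
    # Pattern 2: msiexec installing a package straight out of the Downloads folder.
    if ntpath.basename(ev.image).lower() == "msiexec.exe":
        pkg = installed_msi_path(ev.command_line)
        if pkg and in_user_subdir(pkg, "Downloads"):
            reasons.append(f"msiexec installing a package from Downloads: {ntpath.basename(pkg)}")
    return reasons


def detect(events) -> List[Tuple[int, List[str]]]:
    """Run evaluate() over a stream of events and keep only the flagged ones."""
    return [(ev.pid, r) for ev in events if (r := evaluate(ev))]


# Constructed sample events; paths and users are invented for illustration.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe",
                 r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcessEvent(2, r"C:\Users\alice\Downloads\RecipeLister-Setup.exe", "RecipeLister-Setup.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"CORP\alice"),
    ProcessEvent(3, r"C:\Users\alice\AppData\Local\Temp\2\nsa1234.tmp\RecipeLister.exe",
                 "RecipeLister.exe", r"C:\Users\alice\Downloads\RecipeLister-Setup.exe", r"CORP\alice"),
    ProcessEvent(4, r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /i "C:\Users\alice\Downloads\AppSuite-PDF.msi"',
                 r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcessEvent(5, r"C:\Program Files\Notepad++\notepad++.exe", "notepad++.exe",
                 r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcessEvent(6, r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /i "C:\ProgramData\Deploy\agent.msi" /qn',
                 r"C:\Windows\CCM\CcmExec.exe", r"NT AUTHORITY\SYSTEM"),
]


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Event 2 (the browser writing an installer to Downloads) is left unflagged on purpose: on its own it is ordinary user behaviour, and the signal lies in what that installer does next. Legitimate software does occasionally unpack to the temp directory, so treat a hit as a lead for enrichment (code signature, download origin, any persistence artefacts) rather than as a verdict.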

Figure 10. The malicious AppSuite PDF Editor.
Phishing Attacks
Phishing is a popular attack vector across all sectors, including the energy industry. According to a Security Magazine report, phishing was responsible for 34% of attacks targeting OT and ICS systems in 2023.
Recently, a phishing scam dubbed “Power Parasites” started targeting energy companies by mimicking energy firms’ web and social media branding to fool potential job applicants and investors into unwittingly providing their sensitive personal and banking information.
Aside from creating legitimate-looking landing pages, Power Parasites actors also abuse communication platforms such as Telegram to dupe victims and carry out their attacks. The majority of Power Parasites victims are located in Bangladesh, Nepal, and India.
According to reports, the Power Parasites team exploited the branding of well-known energy companies, including Siemens Energy, Schneider Electric, EDF Energy, Repsol S.A., and Suncor Energy.
Conclusion
While offshore energy companies are heavily focused on creating clean energy that boosts economies, creates jobs, and addresses great energy demands, that should not be their sole concern. As the tides continue to rise in the form of ever-evolving and surging cybersecurity challenges, offshore energy organizations must prioritize security to keep their operations running unimpeded. In the Energy Cyber Priority 2023 report, a DNV survey that involved 600 energy professionals, 64% of respondents believed that their organizations were more vulnerable to cyberattacks, and 59% stated that their companies would invest in cybersecurity for the 2023 to 2024 period.
Offshore energy companies can remain secure and resilient through anomaly-based intrusion detection systems, AI-powered predictive maintenance, and intelligent automation, which together support the expansion of renewable energy endeavors worldwide.
How LevelBlue Can Help You
LevelBlue’s MailMarshal, our AI- and ML-powered email security platform, assists in blocking email attacks that can lead to ransomware, credential theft, and data leaks. Our platform uses the MailMarshal Blended Threat Module (BTM), backed by the PageML machine learning system, which checks links in emails in real-time to identify and block malicious sites.
ABOUT LEVELBLUE
LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.