Energy sector attacks 2025: global analysis, IT/OT convergence and the future of threats


The year 2025 has confirmed that energy remains one of the sectors most targeted by cybercriminals; for this insight we selected the most significant incidents reported in official reports and announcements. Evidence points to an 80 % rise in ransomware activity compared with 2024 and a global geographical spread. The proliferation of industrial devices and cloud services has enlarged the attack surface, and the convergence between IT (Information Technology) and OT (Operational Technology) networks allows attackers to move laterally between the two.

Ransomware attacks have had a tangible impact on operational continuity. The US contractor ENGlobal suffered an intrusion that knocked out financial applications, while CenterPoint Energy had to manage data leaks linked to supply‑chain vulnerabilities. In Asia, NightSpire disabled the control systems of a regional supplier for 18 days, and a similar compromise at Pakistan Petroleum Limited was contained by isolating IT services. These cases show that suppliers and subcontractors are also targets, not just the major utilities.

Alongside opportunistic crime, 2025 saw an increase in campaigns sponsored by governments and hacktivists. A group linked to Beijing exploited SharePoint vulnerabilities to infiltrate the U.S. Nuclear Weapons Agency; the Curly COMrades’ MucorAgent malware exfiltrated data from Georgian bodies and Moldovan firms; the Noisy Bear APT sent malicious emails to employees of Kazakhstan’s state oil company; in Europe more than 450 political attacks hit Polish agencies and energy operators. These episodes show how espionage and information warfare have taken root in the sector.

Systemic vulnerabilities amplify the exposure. A survey of 21 US energy firms identified nearly 60,000 services exposed online, thousands of which are associated with known exploits; many of these ports are non‑standard or IPv6‑based, making monitoring difficult. According to NERC, weak points in the US electricity grid are growing by about 60 per day and the memory of the 2023 Danish attack underscores the fragility of interconnected systems. The adoption of poorly protected IoT devices and the complexity of the supply chain create unexpected paths that attackers exploit.
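The survey figures above describe the problem from the outside; internally, the same question is an inventory exercise. The following added example (not from the original article) triages a list of internet-exposed services the way a defender would after an external scan: it flags services on non-standard ports, services reachable over IPv6 (which often sit outside monitoring scope) and industrial protocols that should not face the internet at all, and ranks them for follow-up. The hosts, ports and service names are constructed sample records using documentation address ranges; nothing is scanned.

```python
"""Triage an inventory of internet-exposed services for an energy operator.

Added example: takes constructed scan records (host, port, service) and flags
the conditions the article highlights as hard to monitor: non-standard ports,
IPv6 reachability and industrial protocols exposed to the internet.
"""
import ipaddress
from dataclasses import dataclass

# Conventional ports per service; anything else is "non-standard" for that
# service. The table is an assumption for this example, not an official list.
STANDARD_PORTS = {
    "http": {80, 8080},
    "https": {443, 8443},
    "ssh": {22},
    "rdp": {3389},
    "modbus": {502},
    "dnp3": {20000},
    "vnc": {5900},
}

# Industrial protocols that should never be directly reachable from the internet.
OT_PROTOCOLS = {"modbus", "dnp3"}


@dataclass
class Exposure:
    host: str
    port: int
    service: str


@dataclass
class Finding:
    host: str
    port: int
    service: str
    reasons: tuple
    priority: str


def is_ipv6(host):
    """True when the host is a literal IPv6 address."""
    try:
        return ipaddress.ip_address(host).version == 6
    except ValueError:
        return False


def non_standard_port(service, port):
    """True when we know the service's usual ports and this is not one of them."""
    known = STANDARD_PORTS.get(service.lower())
    return known is not None and port not in known


def triage(exposures):
    """Return prioritised findings, high priority first, then by host and port."""
    findings = []
    for e in exposures:
        svc = e.service.lower()
        reasons = []
        if svc in OT_PROTOCOLS:
            reasons.append("industrial protocol exposed to the internet")
        if non_standard_port(svc, e.port):
            reasons.append(f"{svc} on non-standard port {e.port}")
        if is_ipv6(e.host):
            reasons.append("reachable over IPv6 (often outside monitoring scope)")
        if not reasons:
            continue
        priority = "high" if svc in OT_PROTOCOLS or len(reasons) >= 2 else "medium"
        findings.append(Finding(e.host, e.port, svc, tuple(reasons), priority))
    findings.sort(key=lambda f: (f.priority != "high", f.host, f.port))
    return findings


# Constructed sample records (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_EXPOSURES = [
    Exposure("203.0.113.10", 443, "https"),    # standard port, IPv4: no finding
    Exposure("203.0.113.11", 8022, "ssh"),     # SSH on a non-standard port
    Exposure("2001:db8::5", 502, "modbus"),    # Modbus reachable over IPv6
    Exposure("2001:db8::7", 3389, "rdp"),      # RDP reachable over IPv6
    Exposure("203.0.113.12", 20001, "dnp3"),   # DNP3 on an unusual port
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EXPOSURES):
        print(f"[{f.priority}] {f.host}:{f.port} {f.service}: {'; '.join(f.reasons)}")
```

In practice the records would come from the organisation's own external scan export; the value of the script is that it separates the handful of exposures that need an immediate decision (industrial protocols, IPv6 blind spots) from the bulk of routine findings.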

The evolution of offensive techniques completes the picture. A Sophos survey found that 67 % of energy companies have suffered at least one attack, and Zscaler reports an 18 % increase in intrusions. Ransomware‑as‑a‑Service (RaaS) platforms combine pre‑packaged kits with support, while artificial intelligence generates phishing emails and polymorphic malware. Concerns are growing about quantum computing, and new regulations such as NIS2, the Cyber Resilience Act and the AI Act impose risk‑management practices for critical infrastructures.

Key observations

  • Steep growth in attacks – Ransomware campaigns in 2025 recorded an 80 % increase and about two‑thirds of energy organisations reported having suffered at least one attack. The incidents affected large utilities and smaller suppliers, causing prolonged downtime and demonstrating that ransomware has shifted from mere extortion to a threat to operational continuity.
  • Expansion of the IT/OT attack surface – The digitisation of facilities and the convergence between IT and operational networks have widened intrusion vectors. Thousands of services exposed on non‑standard ports or IPv6 addresses and a rate of dozens of new vulnerable points per day make defence difficult. Poor segmentation between IT and OT allows an attacker to move from a compromised email to an industrial control system.
  • Hacktivism and targeted espionage – In 2025 numerous operations linked to governments and political movements emerged. Chinese groups targeted US nuclear networks, while pro‑Russian collectives launched DDoS attacks against Polish and Latin‑American infrastructures. Campaigns such as Noisy Bear and MucorAgent combined spear‑phishing and malware to harvest sensitive data. This blend of hacktivism and espionage confirms that the energy sector is a strategic target.
  • RaaS and artificial intelligence – RaaS platforms have democratised cyber‑crime by providing attack kits with customer support. The use of artificial intelligence makes it possible to generate personalised phishing messages, tailor the ransom to the victim and create polymorphic malware. These innovations increase the frequency and effectiveness of attacks and are prompting insurers to reassess cover and premiums.
  • Post‑quantum threats and emerging regulations – The advent of quantum computing could render current encryption techniques obsolete; many firms lack a plan to migrate to resilient algorithms. At the same time, regulations such as NIS2, the Cyber Resilience Act and the AI Act impose risk‑management practices, timely notifications and secure‑by‑design principles. These obligations will require investment in post‑quantum cryptography, supply‑chain security and AI governance.

Why it matters

  • Impact on security and economy – Cyber intrusions can interrupt the production and distribution of energy. Episodes such as ENGlobal and NightSpire show that a single attack can result in weeks of downtime, with economic losses, higher costs for consumers and reputational damage. Cyber security thus becomes an essential element for market and societal stability.
  • Lateral movement between IT and OT – Attackers exploit the lack of segmentation to pass from enterprise networks to industrial control systems. A phishing email or a stolen credential can lead to the manipulation of physical parameters, putting the safety of plants and workers at risk. Segmentation, access control and multifactor authentication are indispensable.
  • Geopolitics and hybrid conflict – State‑sponsored groups and hacktivists use cyber‑attacks as a tool of geopolitical pressure. Coordinated campaigns accompany military and diplomatic tensions, aiming to weaken critical infrastructures and sway public opinion. Defending the energy sector is therefore also a matter of national security.
  • Fragility of the supply chain – The vastness of the attack surface is also due to poorly protected IoT devices and vulnerabilities in vendor products. The MOVEit incident shows how a bug in third‑party software can spread rapidly. Regular audits and intelligence sharing are needed to identify and correct vulnerabilities in the supply chain.
  • Evolution of crime and regulatory pressure – The combination of RaaS, artificial intelligence and imminent quantum computing is changing the face of crime. At the same time increasingly stringent regulations make boards accountable for security choices. The majority of CEOs in the sector have increased cyber investment, but skills and governance are required to turn those investments into resilience.
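The lateral‑movement point above (a compromised IT workstation reaching an industrial control system) is something a defender can test for directly in flow data. The following added example (not from the original article) audits constructed network‑flow records against a segmentation policy: every connection into the OT zone must originate from a designated DMZ jump host on an approved port, and anything else is reported as a crossing of the IT/OT boundary. The zone CIDRs, the jump‑host address, the allow‑list and the log format are all assumptions made for this example.

```python
"""Audit flow records for connections into the OT zone that bypass the
segmentation boundary.

Added example: zones, CIDRs, allow-list and flow lines are constructed.
"""
import ipaddress
from collections import Counter, namedtuple

# Assumed zone layout: IT enterprise network, a DMZ with the jump host, and OT.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],
    "OT": [ipaddress.ip_network("10.30.0.0/16")],
}

# Policy: only the DMZ jump host may open connections into OT, and only for
# SSH and RDP. Everything else crossing into OT is a violation.
ALLOWED_INTO_OT = {("10.20.0.5", 22), ("10.20.0.5", 3389)}

Flow = namedtuple("Flow", "ts src dst dport proto")
Violation = namedtuple("Violation", "ts src_zone src dst dport proto")


def zone_of(ip):
    """Map an address to its zone name, or UNKNOWN if it matches no CIDR."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "UNKNOWN"


def parse_flow(line):
    """Parse the constructed format '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, src_ip, dst_ip, int(dport), proto)


def violations(lines):
    """Return flows into OT that are not on the jump-host allow-list."""
    out = []
    for line in lines:
        f = parse_flow(line)
        if zone_of(f.dst) != "OT":
            continue                      # only inbound-to-OT traffic is audited
        src_zone = zone_of(f.src)
        if src_zone == "OT":
            continue                      # intra-OT traffic is out of scope here
        if (f.src, f.dport) in ALLOWED_INTO_OT:
            continue                      # approved jump-host session
        out.append(Violation(f.ts, src_zone, f.src, f.dst, f.dport, f.proto))
    return out


def by_source_zone(viols):
    """Count violations per originating zone, useful for a quick summary."""
    return dict(Counter(v.src_zone for v in viols))


# Constructed sample flow lines (private address space, fictional timestamps).
SAMPLE_FLOWS = [
    "2025-03-01T08:00:01Z 10.10.5.23:51234 -> 10.30.1.10:502 tcp",   # IT host straight to a PLC
    "2025-03-01T08:00:02Z 10.20.0.5:40000 -> 10.30.1.10:22 tcp",     # jump host, allowed
    "2025-03-01T08:00:03Z 10.30.1.11:49152 -> 10.30.1.10:502 tcp",   # intra-OT, ignored
    "2025-03-01T08:00:04Z 10.10.7.9:51235 -> 10.30.2.20:3389 tcp",   # IT host RDP to OT, not via jump host
    "2025-03-01T08:00:05Z 10.20.0.5:40001 -> 10.30.2.20:502 tcp",    # jump host on a non-approved port
]

if __name__ == "__main__":
    found = violations(SAMPLE_FLOWS)
    for v in found:
        print(f"{v.ts} {v.src_zone}->OT {v.src} -> {v.dst}:{v.dport}/{v.proto}")
    print(by_source_zone(found))
```

Running this against real flow exports (firewall logs, NetFlow) is a cheap, repeatable check that the segmentation drawn on the architecture diagram is what the network actually enforces; the third sample line shows why the jump host itself still needs a port allow‑list rather than blanket trust.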

Looking ahead

  • AI‑powered RaaS and bespoke attacks – Future criminal platforms will use artificial‑intelligence models to generate polymorphic malware, set ransom amounts and adapt to defences. Firms will need to develop behavioural detection systems, sandboxing and awareness campaigns to anticipate these attacks.
  • New vectors in a convergent world – The spread of 5G, edge computing and digital twins creates new entry points. Misconfigured IoT devices or vulnerabilities in telemetry systems can lead to cascading compromises. Adoption of standards such as ISA/IEC 62443 and continuous monitoring of the Industrial IoT are essential.
  • Post‑quantum transition and compliance – To prepare for the quantum era, companies must map current use of encryption, set replacement priorities and work with vendors and regulators to adopt post‑quantum algorithms. In the meantime, they will have to comply with regulations such as NIS2, CRA and the AI Act, which require risk management and timely reporting of violations.
  • Dynamic defences and integrated governance – A reactive approach is no longer sufficient: zero‑trust architectures, network segmentation, strong authentication and end‑to‑end encryption are needed. Governance must unite IT, OT and risk management, including crisis simulations, continuous training and cyber‑insurance assessments to reduce recovery time and downtime costs.
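The post‑quantum item above asks companies to map their current use of encryption and set replacement priorities. The following added example (not from the original article) shows what that mapping looks like once it is written down: a small cryptographic inventory is classified by algorithm family and purpose, and each entry gets a migration priority. The ordering rule reflects the "harvest now, decrypt later" risk: asymmetric key exchange protecting long‑lived data comes first, signatures later, and symmetric or hash strength last. The inventory rows, the priority numbers and the lifetime thresholds are assumptions made for this example; the classification of RSA, ECC and Diffie‑Hellman as quantum‑vulnerable, and of ML‑KEM and ML‑DSA as the NIST‑standardised replacements (FIPS 203 and 204), reflects published NIST guidance.

```python
"""Build a prioritised post-quantum migration list from a cryptographic inventory.

Added example: rows, thresholds and priority numbers are constructed.
"""
from dataclasses import dataclass


@dataclass
class CryptoUse:
    system: str
    purpose: str              # "key_exchange", "signature", "encryption", "hash"
    algorithm: str            # family name, e.g. "RSA", "ECDH", "AES", "SHA2"
    bits: int                 # key size, or digest size for hashes
    data_lifetime_years: int  # how long the protected data must stay secret/valid


# Public-key families broken by Shor's algorithm on a large quantum computer.
QUANTUM_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
# Symmetric ciphers and hashes are only weakened (Grover); 256-bit sizes suffice.
SYMMETRIC = {"AES", "CHACHA20"}
HASHES = {"SHA2", "SHA3"}

# NIST-standardised replacements used here as suggestions (FIPS 203 / FIPS 204).
REPLACEMENT = {
    "key_exchange": "ML-KEM (FIPS 203)",
    "encryption": "hybrid KEM + AES-256 (ML-KEM, FIPS 203)",
    "signature": "ML-DSA (FIPS 204)",
}

# Assumed threshold: data that must stay confidential this long is exposed to
# "harvest now, decrypt later" and goes to the top of the list.
LONG_LIVED_YEARS = 5


def assess(use):
    """Return (priority, recommended action); lower priority number = sooner."""
    alg = use.algorithm.upper()
    if alg in QUANTUM_BROKEN:
        if use.purpose in ("key_exchange", "encryption"):
            # Recorded traffic can be stored today and decrypted later, so
            # confidentiality of long-lived data is the most urgent case.
            prio = 1 if use.data_lifetime_years >= LONG_LIVED_YEARS else 2
        else:
            # Signatures cannot be forged retroactively, but long-lived roots
            # (firmware, certificates) still need a plan before a CRQC exists.
            prio = 3
        return prio, REPLACEMENT.get(use.purpose, "replace with a PQC scheme")
    if alg in SYMMETRIC:
        if use.bits < 256:
            return 4, "raise to 256-bit keys"
        return 5, "no change needed"
    if alg in HASHES:
        if use.bits < 256:
            return 4, "use a 256-bit or larger digest"
        return 5, "no change needed"
    # An unrecognised algorithm is itself a finding: the inventory is incomplete.
    return 2, "unknown algorithm: inventory gap, investigate"


def migration_plan(inventory):
    """Sort the inventory into a migration order and attach the action per system."""
    rows = [(assess(u), u) for u in inventory]
    rows.sort(key=lambda r: (r[0][0], r[1].system))
    return [(u.system, u.algorithm, prio, action) for (prio, action), u in rows]


# Constructed sample inventory for a fictional operator.
SAMPLE_INVENTORY = [
    CryptoUse("scada-vpn", "key_exchange", "RSA", 2048, 10),
    CryptoUse("firmware-signing", "signature", "ECDSA", 256, 15),
    CryptoUse("historian-backup", "encryption", "AES", 128, 7),
    CryptoUse("billing-tls", "key_exchange", "ECDH", 256, 1),
    CryptoUse("log-integrity", "hash", "SHA2", 256, 3),
]

if __name__ == "__main__":
    for system, alg, prio, action in migration_plan(SAMPLE_INVENTORY):
        print(f"P{prio} {system:18} {alg:6} -> {action}")
```

The point of the exercise is the ordering, not the table itself: the VPN protecting ten‑year‑sensitive SCADA traffic is the first thing to discuss with vendors, while the SHA‑256 log integrity check needs no work at all.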

Our perspective

  • Collaboration and shared intelligence – Confronting a global threat requires collaboration between companies, institutions and academia. Sharing indicators of compromise, attack techniques and best practices through networks such as ISACs and initiatives from ENISA and the DOE can improve collective ability to prevent and respond.
  • Resilience at the heart of strategy – Resilience must be seen as a priority: offline backups, business continuity plans, recovery drills and the ability to operate in an isolated mode are essential. Resilience should be integrated into the design of networks and plants, reducing response times and protecting workers and citizens.
  • Ethical use of AI and respect for the AI Act – Harnessing artificial intelligence for defence requires privacy governance, quality datasets and audits to prevent bias. The European AI regulation imposes transparency and responsibility in the use of automated systems; training staff and working with certified suppliers helps to build a trustworthy ecosystem.
  • Quantum planning and regulatory alignment – The transition to post‑quantum cryptography requires a medium‑term roadmap and investment in research and training. Anticipating compliance with regulations (NIS2, CRA, AI Act, SEC Disclosure) strengthens stakeholder confidence and offers a competitive advantage. Making security a pillar of the growth strategy is the key to facing future challenges.

Attacks on the energy sector in 2025 show that threats are multidimensional and evolving. IT/OT convergence, the adoption of artificial intelligence and the arrival of quantum computing require proactive defences, international cooperation and regulatory attention. Only by investing in resilience, ethical innovation and preparation for the post‑quantum era can the sector ensure the continuity of an infrastructure that powers the digital society.
