Unsophisticated Hackers Are Punching Above Their Weight in Energy Sector Cyberattacks, CISA Warns

The cybersecurity alarms are ringing once again in the oil and gas sector—but this time, it’s not elite nation-state actors triggering them. According to a new warning issued by the Cybersecurity and Infrastructure Security Agency (CISA), it's the so-called "unsophisticated" hackers that are successfully poking holes in America’s critical infrastructure, exploiting some of the most foundational security failures in industrial networks.


CISA’s brief yet sobering alert, issued in collaboration with the FBI, EPA, and Department of Energy, highlights a growing wave of attacks targeting industrial control systems (ICS) and SCADA environments in the Energy and Transportation sectors. These systems are foundational to the operation of oil refineries, gas pipelines, and utility grids—meaning even minor disruptions can carry massive downstream effects.


Despite the attackers’ lack of technical finesse, the consequences of their actions can be anything but minor.


“These alerts are very serious and come from observed actions by these malicious actors who are compromising critical systems,” said Thomas Richards, Infrastructure Security Practice Director at Black Duck. “The motivation of the malicious actors is irrelevant; if an organization’s sensitive systems are exposed to the internet with no security hardening, they are at risk of a compromise.”

The joint advisory stops short of naming specific groups or recent incidents, but it underscores a painful truth: critical infrastructure is increasingly vulnerable not just to cyber-sophistication, but to basic failures in cyber hygiene. Default credentials, unsegmented networks, and exposed internet-facing systems remain stubbornly common.


“All security programs are on a journey,” said Trey Ford, CISO at Bugcrowd. “Failure in these seemingly obvious controls leads to certain failure and compromise.”

That reality was driven home in last year’s attacks by Iranian-linked actors, who exploited water utility control systems in the U.S. using nothing more than default login credentials. Kate Ledesma, formerly of CISA and now at Dragos, emphasized the rising threat of these "non-sophisticated" methods being used at scale.


“Things that maybe didn't cause cascading disruptions at that time… if done at scale, could have an impact on the operations of our infrastructure,” Ledesma noted.

But even as CISA flags primitive tactics, others warn of a simultaneous rise in technically advanced intrusions. Fortinet’s FortiGuard Labs, which tracks global attack trends, says the operational technology (OT) landscape is facing both ends of the spectrum.


“Threat actors are capitalizing on the convergence of IT and OT by using new attack methods previously impractical against air-gapped systems,” said Derek Manky, Fortinet’s Global VP of Threat Intelligence. “We’re seeing reconnaissance-as-a-service and Crime-as-a-Service make it easier for adversaries to map and breach critical infrastructure.”

And while basic password practices are still causing problems, attackers are increasingly blending commodity malware with more bespoke payloads designed to wreak havoc in physical environments.


“Our analysts recently noted an uptick in energy sector attacks motivated by disruption,” said Nathaniel Jones, VP of Threat Research at Darktrace. “From attacks on SCADA-connected PLC motors to successful ransomware encryptions, the aim is often to create chaos.”

What makes this moment particularly volatile is the uneven preparedness across the sector. While some organizations have embraced zero trust architectures and advanced threat detection, many others still operate legacy systems with minimal defenses. It's this disparity that malicious actors—both amateur and advanced—are eager to exploit.


“Organizations in this space should conduct a complete review of their external attack surface and identify insecure devices that are exposed,” Richards urged. “Once identified, controls should be put in place to prevent unauthorized access.”
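The external attack-surface review Richards recommends, combined with the exposed-device and default-credential failures the advisory calls out, can be turned into a repeatable triage check rather than a one-off audit. The script below is an added example written for this page; it is not code from CISA, Black Duck, or any other party quoted here. It assumes a scanner export in a JSON-lines shape (host, port, a service label, and a `default_creds` flag recorded during an authorised credential audit); that shape is an assumption about the input, not any particular tool's format. The sample lines are constructed using documentation addresses, and the port table covers common industrial and remote-access protocols by their well-known ports.

```python
"""Triage an external attack-surface export for exposed OT/ICS services.

Added example for this page, not code from CISA or any vendor quoted in
the article. Input format is an assumption: one JSON object per line with
"host", "port", "service" and a "default_creds" boolean produced by an
authorised credential audit.
"""
import json

# Well-known ports for industrial protocols that should never be reachable
# from the public internet. Exposure alone is a high-severity finding.
ICS_PORTS = {
    102: "Siemens S7comm / ISO-TSAP",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    4840: "OPC UA",
    1911: "Niagara Fox",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
    47808: "BACnet/IP",
}

# Remote-administration services: medium on their own, high when the
# device still accepts vendor-default credentials.
REMOTE_ADMIN_PORTS = {23: "Telnet", 3389: "RDP", 5900: "VNC"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}

# Constructed sample export (RFC 5737 documentation addresses); the last
# line is deliberately malformed to exercise the parser's error path.
SAMPLE_EXPORT = """\
{"host": "203.0.113.10", "port": 502, "service": "modbus", "default_creds": false}
{"host": "203.0.113.11", "port": 5900, "service": "vnc", "default_creds": true}
{"host": "203.0.113.12", "port": 443, "service": "https", "default_creds": false}
{"host": "203.0.113.13", "port": 20000, "service": "dnp3", "default_creds": true}
{"host": "203.0.113.14", "port": 3389, "service": "rdp", "default_creds": false}
not json at all
"""


def classify(port, default_creds, service="unknown"):
    """Return (severity, protocol label) for one exposed service."""
    if port in ICS_PORTS:
        return ("critical" if default_creds else "high", ICS_PORTS[port])
    if port in REMOTE_ADMIN_PORTS:
        return ("high" if default_creds else "medium", REMOTE_ADMIN_PORTS[port])
    return ("info", service)


def triage(export_text):
    """Parse a JSON-lines export and return (findings sorted by severity, skipped_count)."""
    findings, skipped = [], 0
    for line in export_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            port = int(rec["port"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # never let one bad line abort the whole review
            continue
        default = bool(rec.get("default_creds", False))
        severity, protocol = classify(port, default, rec.get("service", "unknown"))
        findings.append({
            "host": rec.get("host", "?"),
            "port": port,
            "protocol": protocol,
            "severity": severity,
            "default_creds": default,
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"], f["port"]))
    return findings, skipped


def exposed_ot(findings):
    """The subset an operator must act on first: exposed ICS or default-credential access."""
    return [f for f in findings if f["severity"] in ("critical", "high")]


if __name__ == "__main__":
    results, bad = triage(SAMPLE_EXPORT)
    for f in results:
        flag = "  DEFAULT-CREDENTIALS" if f["default_creds"] else ""
        print(f"{f['severity']:<8} {f['host']}:{f['port']:<5} {f['protocol']}{flag}")
    print(f"{bad} unparseable line(s) skipped; {len(exposed_ot(results))} item(s) need action now")
```

Run against a real export, the ordered list is the remediation queue: anything in the critical or high buckets is an internet-reachable controller or a default-credential login, which is exactly the class of failure the advisory says is being exploited without any technical finesse.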

The warning echoes a broader theme emphasized at last week’s RSA Conference: securing OT is no longer optional. Homeland Security Secretary Kristi Noem highlighted the need for continuous, proactive engagement, especially as geopolitical tensions increase the stakes.


Bugcrowd CEO Dave Gerry framed it bluntly: “This alert ties back into the broader theme that AI is enabling less sophisticated threat actors to operate in a more sophisticated fashion.”


The convergence of unsophisticated hackers with powerful off-the-shelf tools—and a vast attack surface littered with unpatched systems—creates a dangerous dynamic. It’s no longer just about defending against APTs. It’s about plugging the obvious holes before the digital amateurs with analog ambitions slip through them.


Is your infrastructure ready for that challenge?