A silent cyber siege is battering Spain’s critical infrastructure as cyberattacks on essential buildings increased by 43% during 2024. The attacks have been particularly focused on the energy sector, which accounts for 9% of these attacks, a trend that continues so far this year due to the growth in threats of espionage, sabotage, and the leakage of sensitive data. This is reflected in the latest analyses by the x63 Unit, part of the cybersecurity division of the Prosegur Group, which indicate that, during the first months of 2025, several cyberattacks in the form of ransomware campaigns targeting Spanish energy companies have already been identified, as well as data leaks and the sale of information on clandestine forums.
In particular, Spain’s electrical grid has proven to be structurally weak. On April 28, a massive blackout plunged Spain, Portugal, and parts of southern France into darkness for nearly an entire day. In this context, experts from Cipher’s x63 Unit have shared some of the main cyber threats that have affected these critical infrastructures, both during 2024 and in the first months of 2025.
What are the key bad actors?
Among the main actors in these cyberattacks are groups such as Babuk2, which uses traditional infiltration techniques, as well as the group AgencyInt, which specialises in the mass leaking of personal data. In the same vein, the participation of the threat actor “Crocodilus” has also been identified, which has been linked to the sale of sensitive information from this type of organisation or infrastructure. However, the x63 Unit has clarified that no evidence of direct cyberattacks by this malicious actor has been found.


Likewise, they have clarified that many of the threats come from state actors, Russia among them, with groups of malicious actors such as Sandworm or APT28 expanding their attacks towards Europe. There has also been an increase in cyberattacks from countries such as China, Iran, and North Korea, notably from groups such as Volt Typhoon, APT34, and CyberAvengers.
“Beyond economic or reputational implications, cyberattacks in the energy sector also pose important risks to physical security,” highlights Cipher’s Global Director of Technology, Santiago Anaya, who emphasises that an incident affecting industrial control systems, such as safety systems in nuclear plants, “could lead to serious consequences, including explosions.”
Cyberespionage and sabotage
In this regard, one of the identified threats is cyberespionage, which, applied to the energy sector, aims to obtain sensitive information such as facility blueprints, proprietary technologies, or strategic contracts.
These cyberespionage attacks are usually driven by state actors or Advanced Persistent Threat (APT) groups, who seek to acquire geopolitical or economic advantage or even to prepare for future sabotage.
Thus, in the period of 2024 and 2025, the x63 Unit team has recorded a “significant” increase in these cyberattack campaigns, mainly in operational technology (OT) environments and in supervisory control and data acquisition (SCADA) systems. Among the malicious actors identified are the Chinese group Volt Typhoon, the Russian group Berserk Bear (also known as Dragonfly) and North Korea’s Lazarus Group.
In the same vein, cyber sabotage techniques have also been identified, aimed at interrupting or damaging the operation of critical infrastructures through attacks on industrial systems. Unlike espionage, these methods are destructive and, therefore, require a high level of sophistication.
This year, these types of cyberattacks have intensified, as seen in cases such as the blackouts in Ukraine carried out by the Russian hacker group Sandworm. Similarly, experts have recorded the use of the malware FrostyGoop to disrupt district heating services, the attack with the Triton malware on a petrochemical plant, and the Pipedream suite API, designed to compromise energy infrastructures.