Semperis claims 62% of water and electricity providers were hit by cyber-attacks in the past year
Analysis Summary
# Incident Report: Widespread Destructive Cyber Attacks on US/UK Critical Infrastructure
## Executive Summary
Over the past year, a significant majority (62%) of US and British electricity and water firms were targeted by cyber-attacks, with destructive outcomes being a primary feature. A prevalent attack vector targeted "Tier 0" identity systems, such as Active Directory, allowing attackers to gain high levels of control. Nearly 60% of targeted organizations experienced disruptions to normal operations, and over half suffered permanent data or system corruption.
## Incident Details
- Discovery Date: Findings published April 3, 2025 (based on one year of retrospectively collected survey data).
- Incident Date: Attacks occurred throughout the preceding year.
- Affected Organizations: 350 water treatment plants and electricity operators in the US and UK, whose IT and security professionals were polled.
- Sector: Critical Infrastructure (Electricity and Water Utilities).
- Geography: United States and United Kingdom.
## Timeline of Events
### Initial Access
- Date/Time: Ongoing throughout the year preceding the report (April 2024 - April 2025).
- Vector: Targeting of "Tier 0" identity systems (Active Directory, Entra ID, Okta).
- Details: 82% of recorded attacks focused on these identity platforms, indicating an initial goal of achieving network dominance.
### Lateral Movement
- Not explicitly detailed. The focus on Tier 0 systems implies that, once credentials were compromised, attackers moved on to gain control over core IT infrastructure or operational technology (OT) environments.
### Data Exfiltration/Impact
- 59% revealed that the attack disrupted normal operations.
- 54% reported permanent corruption or destruction of data or systems.
### Detection & Response
- Discovery was based on an industry-wide survey conducted by Semperis, indicating that organizations were aware of or responding to multiple incidents yearly.
- Response actions are not detailed in the excerpt, but the impact measurements suggest that traditional response methods failed to prevent significant operational damage.
## Attack Methodology
- **Initial Access:** Compromise of foundational identity systems (Tier 0 assets).
- **Persistence:** Not detailed.
- **Privilege Escalation:** Implied by the targeting of Tier 0/identity systems, control of which typically confers domain-administrator-level rights.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Implied exploitation of identity management infrastructure.
- **Discovery:** Not detailed.
- **Lateral Movement:** Implied movement following compromise of central identity services.
- **Collection:** Not detailed.
- **Exfiltration:** Not detailed, but functional disruption and data destruction were primary outcomes.
- **Impact:** Destructive impact resulting in operational disruption and permanent data/system corruption.
## Impact Assessment
- **Financial:** Not quantified, but expected to be high due to operational shutdowns and system rebuilding.
- **Data Breach:** 54% of affected organizations suffered permanent corruption/destruction of data or systems.
- **Operational:** 59% of targeted organizations experienced disruption to normal business operations.
- **Reputational:** Not explicitly stated, but likely significant given the effect on public confidence in essential utility provision (water/power).
## Indicators of Compromise
- **Network indicators:** None specified.
- **File indicators:** None specified.
- **Behavioral indicators:** High frequency of attacks; attempts to compromise identity management platforms (AD, Entra ID, Okta).
## Response Actions
- **Containment measures:** Not detailed.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Implied requirement for extensive recovery due to 54% reporting permanent corruption.
## Lessons Learned
- Attacks against critical infrastructure (water/electricity) are overwhelmingly focused on causing severe disruption and destruction, not just espionage.
- Identity systems (Tier 0 assets) represent the single most critical and frequently targeted point of failure in these sectors.
- Organizations are relying too heavily on external parties ("somebody else") to secure critical national infrastructure.
## Recommendations
- Organizations in the electricity and water sectors must immediately prioritize the hardening and segmentation of "Tier 0" identity systems (Active Directory, Entra ID, Okta).
- Implement stronger monitoring and multi-factor authentication specifically around identity services, so that a single initial compromise cannot yield complete control of the network.
- Develop and rigorously test disaster recovery plans optimized for recovery from permanent data/system destruction, rather than just downtime.
- Improve internal resilience and shift the security mindset away from reliance on external parties or abstracted defense layers.