Trustwave Unveils 2025 Cybersecurity Threat Report for Energy and Utilities Sector, Highlights Surge in Ransomware Attacks. Learn More


How Trustwave’s Fusion Platform Analyzes Ransomware Tactics in the Energy Sector: A Comprehensive Overview

Trustwave SpiderLabs has multiple methods and tools available to keep its teams apprised of the tactics, techniques, and procedures (TTPs) threat groups utilize during an attack, but perhaps the most useful is our cloud-native Fusion dashboard.

Fusion’s unique power to gather intelligence was utilized in the just-released 2025 Trustwave Risk Radar Report: Energy and Utilities Sector, where it helped Trustwave SpiderLabs understand the attack path threat actors take within the energy and utilities industry and the techniques they deploy at each stage.

How Fusion Gathers Intelligence

Trustwave Fusion is a powerful tool that connects the digital footprints of our clients to a robust security cloud composed of the Trustwave data lake, advanced analytics, actionable threat intelligence, a wide range of security services and products, and the Trustwave SpiderLabs team.

Fusion offers clients a single view of threats, technology management, vulnerabilities and perceived risks across an organization’s entire environment and allows Trustwave to immediately spot, analyze, and record anomalous behavior.

This ingested information can be used to build a model of how the energy and utilities sector is attacked.

Fusion’s Insights into Threat Actor Pathways

Trustwave SpiderLabs analyzed data gathered from clients through the Fusion platform to better understand the path that threat actors take within the energy and utilities industry and the techniques they deploy at each stage.

With this information in hand, Trustwave SpiderLabs could view the initial access, execution, lateral movement, and persistence techniques threat groups favor. Additionally, Fusion has tracked the most popular credential access techniques used in attacks.

  • Initial Access – Phishing was the predominant method used by threat actors to infiltrate energy and utilities entities, accounting for 84% of initial access techniques. Additionally, 16% of these attacks involved exploiting public-facing applications, including F5 BIG-IP attacks that primarily leveraged the Apache Log4j vulnerability (CVE-2021-44228).
  • Credential Access – Credential access techniques predominantly involved generic brute-force attacks on web-facing applications (67%). This was followed by Kerberoasting attempts (27%) and OS credential dumping from LSASS memory using Mimikatz (6%).
  • Execution – Within the energy and utilities sector, execution techniques were primarily characterized by user execution of malicious files, accounting for 48%. Adversaries frequently employed social engineering tactics to persuade users to run malicious files and links. Additionally, attackers utilized command and scripting interpreter techniques (44%), predominantly leveraging PowerShell and Unix Shell commands for executing or downloading payloads.
  • Lateral Movement – Attackers primarily used remote services to move laterally within energy and utility organizations, with 96% of incidents involving SMB/Windows Admin Shares and Remote Desktop Protocol (RDP). Furthermore, RDP was frequently targeted for session hijacking attempts.
  • Persistence – SpiderLabs observed that threat groups’ persistence techniques centered mostly on RDP (49%), local account creation (27%), account manipulation (10%), and event-triggered execution (14%). For event-triggered execution, attackers attempted to hijack the Sticky Keys binary (sethc.exe) and to leverage Netsh helper DLLs.
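
As a defender-side illustration of the credential access and persistence techniques listed above, the following added example (not Trustwave's code and not Fusion's detection logic) triages Windows events for Kerberoasting indicators, a Sticky Keys debugger hijack, Netsh helper DLL registration, and account creation. The flat event schema (`id`, `host`, `service`, `enc`, `target`, `details`) is a hypothetical normalisation, and the sample events are constructed.

```python
import re

# Constructed sample events (not real telemetry) in a hypothetical flat schema.
SAMPLE_EVENTS = [
    {"id": 4769, "host": "dc01", "service": "svc_sql", "enc": "0x17"},
    {"id": 4769, "host": "dc01", "service": "FILE01$", "enc": "0x12"},
    {"id": 13, "host": "ws07", "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger", "details": r"C:\Windows\System32\cmd.exe"},
    {"id": 13, "host": "ws07", "target": r"HKLM\SOFTWARE\Microsoft\NetSh\helper9", "details": r"C:\Users\Public\h.dll"},
    {"id": 4720, "host": "ws07", "new_account": "support2"},
    {"id": 13, "host": "ws09", "target": r"HKLM\SOFTWARE\Vendor\App\Setting", "details": "1"},
]

# Registry locations tied to the two event-triggered execution techniques.
IFEO_SETHC = re.compile(r"\\Image File Execution Options\\sethc\.exe\\Debugger$", re.I)
NETSH_HELPER = re.compile(r"\\SOFTWARE\\Microsoft\\NetSh\\[^\\]+$", re.I)

def classify(ev):
    """Return a finding label for one event, or None if nothing matches."""
    if ev["id"] == 4769:
        # Security 4769: service ticket requested. RC4 (0x17) for a user-backed
        # service account (not a machine account, not krbtgt) merits review.
        svc = ev.get("service", "")
        if ev.get("enc", "").lower() == "0x17" and not svc.endswith("$") and svc.lower() != "krbtgt":
            return "possible-kerberoasting"
    elif ev["id"] == 13:
        # Sysmon 13: registry value set.
        target = ev.get("target", "")
        if IFEO_SETHC.search(target):
            return "sethc-debugger-set"
        if NETSH_HELPER.search(target):
            return "netsh-helper-dll-registered"
    elif ev["id"] == 4720:
        # Security 4720: a user account was created.
        return "account-created"
    return None

def triage(events):
    """Return (host, label) pairs for every event that matched a rule."""
    return [(ev["host"], label) for ev in events if (label := classify(ev))]

if __name__ == "__main__":
    for host, label in triage(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

Netsh helper values are also written by legitimate installers, so in practice the `details` path should be compared against a baseline of known helper DLLs before alerting.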

Trustwave's Fusion platform serves as a vital resource for understanding the evolving tactics and techniques employed by threat actors in the energy and utilities sector.

The data highlights the predominance of methods such as phishing in initial access and the extensive use of remote services for lateral movement, underscoring the critical need for organizations in this sector to strengthen their defenses against these prevalent attack strategies.

For all the details on the threats facing the energy and utilities sector, please download the primary report, 2025 Trustwave Risk Radar Report: Energy and Utilities Sector, and its two supporting pieces of research.
