The Energy Industry’s Hidden Risks: Espionage, Sabotage, and Insider Threats

This is a guest post from Cliff Thoburn, Head of Intelligence at RMI Global Solutions. RMI is recognized by the onshore and offshore oil, gas, and broader energy industry as experts in the threats and risks facing the whole spectrum of this key industry worldwide.
- Nation-State Insider Threats: Discover how nation-state actors infiltrate the energy sector using insiders to carry out cyber and physical sabotage.
- Recent Espionage Cases: Learn from real-world incidents of espionage and sabotage targeting critical infrastructure in the US, Europe, and beyond.
- Protective Strategies: Get actionable insights on strengthening your organization’s defenses with robust insider threat management and security measures.
The cybersecurity risks nation-state actors pose to the energy sector through insider threats are well documented. However, organizations must also recognize that adversaries may go even further by placing agents inside their operations to carry out physical, real-world actions on their behalf.
The recent spate of arrests across the US and Europe of individuals providing material support to China and Russia is a reminder that organizations must remain situationally aware of their cyber and physical threat landscape. The threats arrayed against the energy sector are robust, as adversaries are intent on disrupting the industry that does most to maintain the "West's way of life", so it is important to consider the impact of espionage, sabotage, and insider threats, both cyber and physical.
Examining the Threat
Let’s start by looking at a few high-profile attacks against energy sector targets that were conducted or aided by insiders.
In 2012, Saudi Aramco faced a major cyberattack involving the Shamoon malware, which wiped data from approximately 30,000 computers. The attackers likely leveraged insider access or assistance, enabling them to infiltrate the company's network. Although the malware severely disrupted business operations, it did not affect oil production.
In 2014, Pacific Gas and Electric Company (PG&E) experienced insider sabotage when an employee with internal access tampered with critical infrastructure systems. This incident underscored the vulnerability of utility companies to insider threats and the importance of stringent internal security measures.
That same year, a nuclear power plant in South Korea was targeted by hackers who leaked sensitive documents and blueprints. Investigations suggested that the attackers may have benefited from insider knowledge of the facility’s systems. While the plant’s operations were largely unaffected, the breach exposed significant security flaws and highlighted the dangers posed by insider threats within the energy sector.
Throughout 2024, there has been a raft of arrests and convictions across Europe and the US of individuals providing material support to Russia and China – as spies, collecting and then passing information to their agent handlers.
Most of those identified by police, security, and intelligence agencies were working across the West’s military-industrial complex and academic institutions, but it would be naive to believe that similar individuals are not already embedded across the energy industry.
For as long as the US and its allies remain in competition with Russia and China, acts of espionage will continue to be a threat across the spectrum of Western national interests, with embedded cells likely to be activated at the most inconvenient and damaging moments – of their choosing.
This style of threat, while physical, has a cyber companion: instead of people waiting to be activated, it is malware, inserted months or years beforehand and simply waiting to be triggered.
It’s No Mirage, It’s Sabotage
Sabotage, in all its forms, continues to be a threat, particularly for an industry reliant on pipes and cables, either on the seafloor or above ground on land, to move oil, gas, and electricity.
The significant distances these routes cover make it almost impossible for security systems to cover their entire length and identify bad actors.
The attack on the Nord Stream gas pipeline under the Baltic Sea in September 2022 by underwater demolition experts, and the Chinese ship with a Russian captain that dragged its anchor to sever submerged internet cables in the Baltic Sea in November 2024, are good examples of the spectrum of sabotage facing the energy industry.
It is also noteworthy that Russia maintains a specialist military intelligence unit, Glavnoye Upravlenie Glubokovodnykh Issledovanii (GUGI), which is trained and equipped to conduct operations at depths of up to 20,000 ft to identify and then sever or breach cables and pipelines.
Consequently, sabotage can no longer be discounted as a threat that ended when the Cold War finished in the early 1990s.
However, alongside this threat, we must consider low-level sabotage from protest groups, subversives, and the radicalized who are all able to harness the power of the Internet to enable their attacks – and the hydrocarbon industry is a prime target.
Picking the Right People
The threat from insiders is frequently considered from the perspective of their ability to act as a "Trojan Horse" for a cyberattack: sharing passwords with bad actors, or delivering a cyber payload from a third-party device such as a USB memory stick. Even a colleague with poor password hygiene increases the risk of attack.
But insiders can be far more than this, embedding themselves deep into an organization and its processes and able to provide an adversary – either a commercial rival or a state-based actor – with a trove of information to be used against its target at a time and place of the adversary's choosing.
Employment practices, such as the growing reliance on contractors—many of whom sub-contract further—can heighten risks, especially when human resources oversight and vetting processes are minimal, costly, or seen as intrusive and thus scaled back to ineffective levels. These risks are further compounded when organizations lack a strong culture of encouraging employees to report suspicious behavior or fail to enforce policies that prevent lone working in sensitive areas, particularly when non-core staff or contractors are involved.
The points discussed here highlight several of the most significant threats facing the energy industry in 2025, but they are only a summary of what exists.
Understanding the threat, whether from cyber actors or from the vectors and methodologies discussed here, requires deep subject matter expertise.
As experts in our respective fields, RMI and Trustwave can help you navigate the intricacies of an increasingly complex and complicated world, enabling your activity by deconstructing these threats and advising you on credible and cost-effective mitigation measures.
RMI has extensive provenance in delivering intelligence-backed security risk management solutions and is working with partners across the globe to make their outputs and personnel more secure.
In 2024/25, RMI's Comprehensive Security & Operational Resilience (CSOR) offering has enabled maritime activity in the Arabian Sea, helped secure oil and gas infrastructure in the US and Latin America, and enabled the evacuation of employees caught up in crises in the Middle East, alongside numerous other security-related activities.
Our partnership with Trustwave harnesses the best of our capabilities, providing an exceptionally broad proactive security offering.
Trustwave and RMI recommend that organizations adopt proactive and comprehensive insider threat management strategies:
- Enhanced Vetting Processes: Strengthen background checks during the hiring process to identify potential risks.
- Continuous Monitoring: Implement continuous monitoring to detect unusual behavior or access patterns.
- Access Controls: Enforce strict access controls and the principle of least privilege to limit access to sensitive information.
- Security Training: Conduct regular security awareness training to educate employees about the risks and signs of insider threats.
- Incident Response Plans: Develop and regularly update incident response plans specifically tailored to address insider threats.
- Anonymity and Reporting: Create anonymous reporting mechanisms for employees to report suspicious activities without fear of retribution.
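As an added example that is not part of the original post, the following Python turns two of the controls discussed here, the policy against lone working by contractors in sensitive areas (from the employment-practices discussion above) and continuous monitoring for unusual access patterns, into checks run over constructed badge-reader log lines. The area names, roles, log format and working hours are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample badge-reader events: timestamp, person, role, area, direction.
BADGE_LOG = """\
2025-03-03T08:55:00 alice employee control-room in
2025-03-03T09:00:00 bob contractor control-room in
2025-03-03T10:00:00 carol contractor canteen in
2025-03-03T12:10:00 alice employee control-room out
2025-03-03T12:40:00 alice employee control-room in
2025-03-03T17:30:00 alice employee control-room out
2025-03-03T17:31:00 bob contractor control-room out
2025-03-03T22:15:00 bob contractor control-room in
2025-03-03T23:05:00 bob contractor control-room out
"""

SENSITIVE_AREAS = {"control-room", "pump-station"}  # assumed site policy
WORKING_HOURS = (7, 19)  # assumed: 07:00 to 19:00 local time counts as normal hours


@dataclass
class Alert:
    when: str
    person: str
    area: str
    reason: str


def detect(log_text: str) -> list[Alert]:
    """Replay badge events and flag after-hours entry and lone contractors in sensitive areas."""
    occupants: dict[str, dict[str, str]] = {}  # area -> {person: role}
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        ts, person, role, area, direction = line.split()
        if area not in SENSITIVE_AREAS:
            continue  # only sensitive areas are policed here
        room = occupants.setdefault(area, {})
        if direction == "in":
            room[person] = role
            hour = datetime.fromisoformat(ts).hour
            if not WORKING_HOURS[0] <= hour < WORKING_HOURS[1]:
                alerts.append(Alert(ts, person, area, "after-hours entry"))
        else:
            room.pop(person, None)
        # Lone-working check: after every event, is a contractor the sole occupant?
        if len(room) == 1:
            (sole_person, sole_role), = room.items()
            if sole_role == "contractor":
                alerts.append(Alert(ts, sole_person, area, "contractor alone in sensitive area"))
    return alerts
```

Each alert is a prompt for a supervisor check rather than an accusation; the lunchtime gap in the sample shows why the lone-working rule needs an escort or two-person policy to be practical.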
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.