Iberian Blackout Mystery & Dual Cyber Incidents Spotlight Grid Cyber Risks
While the root cause of the recent Iberian blackout remains under investigation (https://www.linkedin.com/posts/david-rotenberg_%F0%9D%97%A0%F0%9D%97%AE%F0%9D%98%80%F0%9D%98%80%F0%9D%97%B6%F0%9D%98%83%F0%9D%97%B2-%F0%9D%97%9C%F0%9D%97%AF%F0%9D%97%B2%F0%9D%97%BF%F0%9D%97%B6%F0%9D%97%AE%F0%9D%97%BB-%F0%9D%97%A3%F0%9D%97%BC%F0%9D%98%84%F0%9D%97%B2%F0%9D%97%BF-activity-7322628842127273986-Or2V?utm_source=share&utm_medium=member_desktop&rcm=ACoAAADo2i8B14HtCdHPyNblxDxLg-Ir_qTzAdo), two fresh cyber-incidents in the energy sector underscore the constant digital threats utilities face. On April 25, Emera Inc. and Nova Scotia Power detected unauthorized access into their IT network—forcing customer portals and phone lines offline and resulting in the theft of some personal data—before isolating affected servers and mobilizing law enforcement and third-party experts. Meanwhile, the “Power Parasites” campaign has leveraged over 150 phishing domains, deceptive “invite code” logins, and multilingual lures—promoted via YouTube and Telegram—to impersonate major energy brands and harvest data or money from victims across Asia and beyond. Together, these events highlight why smart grids must be engineered for both operational robustness and cyber-physical security.
1. Emera & Nova Scotia Power: Unauthorized Access and Data Theft
Timeline & Response
- April 25, 2025: Emera Inc. and Nova Scotia Power discovered unauthorized external access to segments of their Canadian network and business-application servers.
- Immediate Actions: Impacted servers—supporting customer-care phone lines and the MyAccount portal—were shut down and isolated. Incident-response and business-continuity protocols were activated, and leading cybersecurity firms were engaged. Law enforcement agencies were notified to investigate potential criminal activity.
- Operational Impact: No disruption occurred to physical generation, transmission, or distribution systems, thanks to air-gapped OT networks. However, customer-facing functions saw degraded service, with increased call-center wait times and portal outages.
- Data Compromise: Ongoing investigations confirmed that hackers exfiltrated “certain customer personal information,” prompting notifications and warnings for customers to watch for phishing attempts.
Tactics, Techniques & Attribution
- Unknown Malware/Tools: No ransomware group has claimed responsibility, and it remains unclear whether specialized malware (e.g., LockNet) or credential-theft methods were used.
- Segmentation Prevented OT Impact: Strong network segmentation appears to have confined the breach to IT systems, ensuring continuity of physical operations.
- Regulatory Scrutiny: The incident has attracted regulatory attention, with potential follow-on audits of cyber controls and customer-data protections expected in Nova Scotia and at the Canadian federal level.
2. “Power Parasites”: Sophisticated Scam Campaign Targeting Energy Brands
Scope & Infrastructure
- Active Since 2024: Silent Push analysts traced “Power Parasites” through 150+ domains in 2024–2025, spoofing energy giants like Siemens Energy, EDF Energy, Repsol S.A., and Suncor Energy.
- Phishing Templates & Invite Codes: Campaigns leveraged uniform HTML templates and “Invite code” fields to gate victims into low-grade investment or fake-job workflows—hindering passive monitoring by defenders.
- Multilingual Reach: Sites featured English, Spanish/Portuguese, Arabic, Bangla, and Bahasa, and were promoted via Telegram channels and YouTube videos with titles like “Earn free money from new sites”.
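The two page-level traits described above (energy-brand wording plus an "Invite code" field) can be checked on a page a defender has already fetched. The following is an added example, not Silent Push's tooling or code from the original article; `triage`, `BRANDS`, `ALLOWLIST`, the `.example` domains and both sample pages are constructed assumptions.

```python
from html.parser import HTMLParser

# Brand names as listed in the article; the allowlist entry is a placeholder,
# not a real brand domain (assumption: defenders supply their own).
BRANDS = ("siemens energy", "edf energy", "repsol", "suncor")
ALLOWLIST = {"brand-official.example"}

# Constructed sample pages, not captured from the campaign.
SAMPLE = """<html><head><title>Repsol Invest - Login</title></head><body>
<form><input name="phone" placeholder="Phone number">
<input name="password" type="password">
<input name="invite_code" placeholder="Invite code">
<button>Register</button></form></body></html>"""
BENIGN = "<html><head><title>Repsol press room</title></head><body><p>News</p></body></html>"


class _Signals(HTMLParser):
    """Collects text nodes and the naming attributes of <input> elements."""

    def __init__(self):
        super().__init__()
        self.text, self.inputs = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            self.inputs.append(" ".join(a.get(k) or "" for k in ("name", "id", "placeholder")))

    def handle_data(self, data):
        self.text.append(data)


def _norm(s):
    # Lowercase, treat - and _ as spaces, collapse whitespace.
    return " ".join(s.lower().replace("-", " ").replace("_", " ").split())


def triage(domain, html):
    """Return the signals found on one already-fetched page."""
    p = _Signals()
    p.feed(html)
    text = _norm(" ".join(p.text))
    brands = [b for b in BRANDS if b in text]
    # "Invite code" may appear as a field name, a placeholder or a visible label.
    invite = "invite code" in text or any("invite code" in _norm(f) for f in p.inputs)
    off_brand = domain.lower() not in ALLOWLIST
    return {"brands": brands, "invite_gate": invite,
            "suspicious": bool(brands) and invite and off_brand}


if __name__ == "__main__":
    print(triage("lookalike.example", SAMPLE))
```

A hit is a lead for analyst review rather than a verdict, since a brand mention and an invite field can both occur on unrelated sites.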
Victim Impact & Techniques
- Data Harvesting: Fraudulent “employment agreements” requested banking details, passports, birth certificates, and void checks under the pretext of formal onboarding.
- AI-Powered Impersonation: Some lures employed AI-generated executive-team imagery and deep-fake voices to bolster legitimacy, per Repsol’s fraud alert.
- Supply-Chain of Scam Domains: Silent Push documented rapid pivots across domains like sem-energy[.]net, se-renewables[.]info, and amd-biz[.]mom—using shared hosting fingerprints to propagate the campaign.
These incidents—ranging from data-theft intrusions to elaborate global phishing rings—underscore the imperative for energy operators to adopt a holistic cyber-physical resilience posture. As official investigations into the Iberian blackout progress, these lessons from Emera/Nova Scotia Power and the Power Parasites campaign should inform every grid-modernization and security roadmap. We will continue to share developments as new intelligence emerges.