Could the Spain and Portugal blackout have been a cyber-attack?
‘Cyber-attack’ was the phrase on many people’s minds when large parts of Spain and Portugal were recently plunged into a blackout. Authorities are investigating the root cause, with early reports suggesting a technical malfunction caused by a ‘rare atmospheric phenomenon’. However, there has been speculation (yet to be ruled out) that a cyberattack could be to blame.
The widespread power outage disrupted transportation, communications, and daily life across the Iberian Peninsula. It began with a disconnection of a key international power line, causing cascading disruptions across regional grids. The blackout, which lasted several hours in some areas, was triggered by a fault in the high-voltage transmission network operated by Red Eléctrica de España (REE).
But why did so many immediately jump to the conclusion of a cyber-attack? The suspicion of malicious activity shows how wary people across the globe are of cyber-attacks and the devastating impacts they could have.
Why was a cyber-attack initially suspected in the blackout in Spain and Portugal?
Early news of the outage brought to mind the Colonial Pipeline ransomware attack of 2021 on the East Coast of the USA. But both REE and Portugal’s Redes Energéticas Nacionais (REN) have ruled out malicious intrusion after reviewing SCADA logs, telemetry, and firewall records. Despite this, in the immediate aftermath, several indicators led authorities and observers to consider the possibility of a cyberattack:
- Simultaneous multi-point failures: The sudden and coordinated nature of system shutdowns across geographically dispersed substations mimicked characteristics of cyber-induced grid events, such as those seen in Ukraine in 2015 and 2016.
- Communication disruptions: The temporary collapse of mobile and internet services fed public speculation about a systemic attack, particularly since backup systems failed in some zones.
- Timing and geopolitical tension: The blackout occurred amid heightened cybersecurity alerts across Europe tied to ongoing geopolitical instability, which primed observers to suspect a deliberate attack.
- Digital forensics lag: Lack of immediate clarity from grid operators led to speculation filling the information vacuum before REE and ENTSO-E (European Network of Transmission System Operators for Electricity) could complete their initial diagnostics.
A cyber-attack has still not been fully ruled out by all parties, with the cause still being investigated by Spain’s National Cybersecurity Institute.
Why would hackers target a country’s energy grid?
Nation-state actors often probe or attack energy grids to gain leverage in broader conflicts. Disabling power generation or transmission can undermine civilian morale, disrupt military logistics, and signal coercive intent without immediate kinetic engagement. In the Russo-Ukrainian context, the 2015–16 attacks on Ukraine’s grid by the Sandworm group demonstrated how precision outages can be used as a tool of statecraft: in 2015 the BlackEnergy malware provided the foothold and breakers were opened through hijacked operator workstations, while in 2016 the Industroyer malware issued the substation commands itself.
Financially motivated cybercriminals view energy companies (often large, highly automated, and reliant on digital controls) as lucrative ransomware targets. Encrypting SCADA backups, historians, or operator workstations can force an operator to halt or run blind, pressuring victims to pay ransoms to restore normal operations. Groups like BlackCat/ALPHV and LockBit 3.0 have increasingly targeted energy and critical-infrastructure firms.
Beyond immediate disruption, adversaries can also use grid intrusions to map control-system architectures, harvest proprietary process data, and develop bespoke malware. The Chinese group RedEcho has been accused of infiltrating India’s power grid in recent years.
What are the signs of a cyber-attack on a power grid?
Grid operators and security teams look for a constellation of anomalies in both IT (office networks) and OT (operational/SCADA) environments when assessing a potential intrusion. Typical warning indicators include:
- Unexplained network reconnaissance
  - Sudden port-scanning or probing of ICS/SCADA protocols (e.g., IEC 60870-5-104, DNP3) from external IPs or unusual internal segments.
  - Early “test-run” malware deployments on non-critical assets to validate access before a full attack.
- Unauthorized access and credential abuse
  - Repeated failed or anomalous log-ins to RTUs or HMIs outside normal maintenance windows.
  - Usage of service accounts or credentials that have never before accessed grid-control systems.
- Anomalous ICS command sequences
  - Remote trip or bypass commands issued to breakers or protection relays without a corresponding valid alarm or sensor trigger.
  - Rapid toggling of circuit breakers or reclosers in patterns not matching grid-operator actions.
- Data-integrity discrepancies
  - Mismatches between real-time sensor measurements and what SCADA logs record (e.g., frequency or voltage constantly reported at nominal values, despite clear swings on physical buses).
  - GPS/time-stamp mismatches that suggest log tampering or “time-shifting” of events.
- Malware artifacts and file-system changes
  - Discovery of known ICS-specific malware frameworks (e.g., Industroyer/CrashOverride) or related backdoors on control-system hosts.
  - New executables, altered firmware images, or unexpected services running on PLCs/RTUs.
- Disruption of monitoring and alerting
  - Loss or corruption of event logs in both IT and OT environments (e.g., missing log files or overwritten audit trails).
  - Failure of redundant communication channels (e.g., satellite or out-of-band links) coinciding suspiciously with primary link outages.
- Coordinated multi-vector anomalies
  - Simultaneous disruptions in power and ICT (telecom networks, NMS servers) that outpace what one physical fault could explain.
  - Evidence of a “kill chain” progressing from IT compromise (e.g., phishing, workstation infection) into the OT domain.
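Three of the indicators above (ICS protocol probing, anomalous HMI/RTU log-ins, and trip commands with no matching protection alarm) turned into detection logic, as an added example that is not code from the original article or from any grid operator. It runs over a constructed batch of flow, authentication, alarm and breaker-command events standing in for a merged IT/OT log export; the field names, the OT address range, the maintenance window, the known-operator baseline and the sweep threshold are all assumptions chosen for the demo. It goes slightly beyond the list by correlating each trip with the alarm history of the same breaker in time rather than just flagging trips.

```python
"""Toy detection logic for grid-intrusion indicators.

Added example, not code from the original article or from any grid operator.
Field names, port numbers, address ranges, thresholds and the maintenance
window are assumptions chosen for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ICS_PORTS = {2404: "IEC 60870-5-104", 20000: "DNP3"}  # registered default ports
OT_PREFIX = "10.20."                  # assumed OT/SCADA address space
MAINT_HOURS = range(8, 18)            # assumed maintenance window (local time)
ALARM_GRACE = timedelta(seconds=30)   # a trip should follow a protection alarm
SWEEP_THRESHOLD = 3                   # distinct OT hosts probed on ICS ports by one source
KNOWN_OT_OPERATORS = {"op.garcia", "op.silva"}  # assumed baseline of HMI/RTU accounts

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"t": "2025-04-28T02:10:01", "type": "flow", "src": "203.0.113.9", "dst": "10.20.1.5", "dport": 2404},
    {"t": "2025-04-28T02:10:02", "type": "flow", "src": "10.10.5.44", "dst": "10.20.1.5", "dport": 20000},
    {"t": "2025-04-28T02:10:03", "type": "flow", "src": "10.10.5.44", "dst": "10.20.1.6", "dport": 20000},
    {"t": "2025-04-28T02:10:04", "type": "flow", "src": "10.10.5.44", "dst": "10.20.1.7", "dport": 2404},
    {"t": "2025-04-28T02:11:00", "type": "flow", "src": "10.20.0.2", "dst": "10.20.1.5", "dport": 2404},
    {"t": "2025-04-28T02:15:10", "type": "auth", "user": "op.garcia", "host": "HMI-01", "result": "fail"},
    {"t": "2025-04-28T02:15:30", "type": "auth", "user": "svc_backup", "host": "HMI-01", "result": "ok"},
    {"t": "2025-04-28T10:00:00", "type": "auth", "user": "op.silva", "host": "HMI-02", "result": "ok"},
    {"t": "2025-04-28T02:20:00", "type": "alarm", "device": "RTU-17", "breaker": "CB-4", "kind": "overcurrent"},
    {"t": "2025-04-28T02:20:05", "type": "cmd", "device": "RTU-17", "breaker": "CB-4", "action": "trip"},
    {"t": "2025-04-28T02:22:00", "type": "cmd", "device": "RTU-21", "breaker": "CB-1", "action": "trip"},
]


def ts(event):
    return datetime.fromisoformat(event["t"])


def detect_ics_scanning(events):
    """Reconnaissance: ICS protocol ports touched from outside the OT range,
    or one source sweeping several OT hosts on those ports."""
    targets = defaultdict(set)
    outside = set()
    for e in events:
        if e["type"] != "flow" or e["dport"] not in ICS_PORTS:
            continue
        targets[e["src"]].add(e["dst"])
        if not e["src"].startswith(OT_PREFIX):
            outside.add(e["src"])
    findings = [{"rule": "ics-probe-from-outside-ot", "src": s} for s in sorted(outside)]
    for src, hosts in targets.items():
        if len(hosts) >= SWEEP_THRESHOLD:
            findings.append({"rule": "ics-port-sweep", "src": src, "hosts": sorted(hosts)})
    return findings


def detect_anomalous_logins(events):
    """Credential abuse: failed HMI/RTU log-ins outside the maintenance window,
    or a successful log-in by an account never seen on control systems."""
    findings = []
    for e in events:
        if e["type"] != "auth":
            continue
        off_hours = ts(e).hour not in MAINT_HOURS
        if e["result"] == "fail" and off_hours:
            findings.append({"rule": "ot-login-fail-off-hours", "user": e["user"], "host": e["host"]})
        elif e["result"] == "ok" and e["user"] not in KNOWN_OT_OPERATORS:
            findings.append({"rule": "ot-login-unknown-account", "user": e["user"], "host": e["host"]})
    return findings


def detect_unexplained_trips(events):
    """Anomalous ICS commands: a remote trip with no protection alarm on the
    same breaker within ALARM_GRACE beforehand."""
    last_alarm = {}
    findings = []
    for e in sorted(events, key=ts):
        key = (e.get("device"), e.get("breaker"))
        if e["type"] == "alarm":
            last_alarm[key] = ts(e)
        elif e["type"] == "cmd" and e["action"] == "trip":
            alarm_at = last_alarm.get(key)
            if alarm_at is None or ts(e) - alarm_at > ALARM_GRACE:
                findings.append({"rule": "trip-without-alarm", "device": e["device"], "breaker": e["breaker"]})
    return findings


def analyse(events):
    """Run every rule and return the combined findings."""
    return detect_ics_scanning(events) + detect_anomalous_logins(events) + detect_unexplained_trips(events)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

On the sample, the SCADA master at 10.20.0.2 polling one RTU on IEC 104 produces nothing, while the corporate host 10.10.5.44 sweeping three OT hosts and the external address hitting an IEC 104 port are both flagged; the RTU-17 trip is accepted because an overcurrent alarm preceded it by five seconds, and the RTU-21 trip is flagged because nothing did. In production the known-operator baseline and the "normal" pollers would come from a learned asset inventory rather than a hard-coded set.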
Could weak passwords play a role in power grid attacks?
Weak or default passwords are one of the simplest and most common footholds an attacker can use to break into both the IT and OT (SCADA/ICS) environments of a power-grid operator. Here’s how they could factor into a potential grid compromise:
- Initial remote-access breach
  - Many utilities expose VPNs, RDP gateways or web-based management panels for remote monitoring and maintenance. If these are protected by weak, guessable, or unchanged default credentials, an attacker can simply brute-force or credential-stuff their way in. The risk is multiplied if effective MFA isn’t being enforced.
- Lateral movement
  - Once inside the corporate LAN, attackers look for “stepping-stone” accounts to jump into the operational zone. If service accounts or HMI/PLC administrator log-ins still use weak passwords, the compromise propagates rapidly.
- Credential theft and reuse
  - Even if the grid network itself is well segmented, users often reuse passwords across office and control-system VPNs. Phishing or key-logging against an engineer’s corporate mailbox can yield credentials that work unchanged on OT gateways. In Ukraine’s 2015 blackout, attackers first harvested legitimate account credentials before issuing destructive commands to breakers.
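The three password weaknesses above (breached passwords, vendor defaults on OT gear, and reuse across the IT/OT boundary) as an offline audit, added here as an example that is not code from the original article or from Specops. The account list, the breached-hash corpus and the vendor-default logins are constructed for the demo. SHA-1 is used because public breached-password lists are distributed in that form; a real Active Directory audit would compare NT hashes extracted from the domain and would never handle plaintext passwords, so the hashes here are derived in the block only to keep it self-contained.

```python
"""Offline audit of directory accounts for weak, breached and reused passwords.

Added example, not code from the original article or from Specops. The
accounts, the breached-hash corpus and the vendor-default logins are
constructed; SHA-1 stands in for the NT hashes a real AD audit would use.
"""
import hashlib
from collections import defaultdict


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password hash list (SHA-1, upper-case hex).
BREACHED_HASHES = {sha1_upper(p) for p in ("Password1", "Summer2024!", "123456")}
# Constructed stand-in for vendor-default logins shipped on OT gateways and HMIs.
DEFAULT_OT_LOGINS = {("admin", sha1_upper("admin")), ("operator", sha1_upper("operator"))}

ACCOUNTS = [  # constructed; hashes are derived here only so the demo is self-contained
    {"user": "j.garcia",    "zone": "IT", "hash": sha1_upper("Summer2024!")},
    {"user": "j.garcia-ot", "zone": "OT", "hash": sha1_upper("Summer2024!")},
    {"user": "m.silva",     "zone": "IT", "hash": sha1_upper("c0rrect-h0rse-battery-2025")},
    {"user": "m.silva-ot",  "zone": "OT", "hash": sha1_upper("ot-0nly-passphrase-kept-separate")},
    {"user": "admin",       "zone": "OT", "hash": sha1_upper("admin")},
    {"user": "svc_hist",    "zone": "OT", "hash": sha1_upper("Password1")},
    {"user": "a.costa",     "zone": "IT", "hash": sha1_upper("Tr0ub4dor&3-unique")},
]


def audit(accounts):
    """Return {finding-type: [...]} for breached, vendor-default and reused passwords."""
    findings = defaultdict(list)
    by_hash = defaultdict(list)
    for a in accounts:
        by_hash[a["hash"]].append(a)
        if a["hash"] in BREACHED_HASHES:
            findings["breached"].append(a["user"])
        if (a["user"], a["hash"]) in DEFAULT_OT_LOGINS:
            findings["vendor-default"].append(a["user"])
    for group in by_hash.values():
        if len(group) > 1:
            users = [a["user"] for a in group]
            zones = {a["zone"] for a in group}
            # Reuse that spans the IT/OT boundary is what turns a phished mailbox
            # password into a working OT gateway log-in.
            findings["reused-across-it-ot" if len(zones) > 1 else "reused"].append(users)
    return dict(findings)


def ot_accounts_at_risk(accounts):
    """OT accounts an attacker could use without any cracking at all."""
    report = audit(accounts)
    flagged = set(report.get("breached", [])) | set(report.get("vendor-default", []))
    for users in report.get("reused-across-it-ot", []):
        flagged.update(users)
    return sorted(a["user"] for a in accounts if a["zone"] == "OT" and a["user"] in flagged)


if __name__ == "__main__":
    for kind, items in audit(ACCOUNTS).items():
        print(f"{kind}: {items}")
    print("OT accounts usable as-is by an attacker:", ot_accounts_at_risk(ACCOUNTS))
```

Reuse is detected purely by hash equality, which is why the audit never needs the plaintext: two accounts with the same hash share a password, and when one sits in the IT zone and the other in the OT zone a phished corporate credential is also an OT credential. On the constructed data that singles out the j.garcia pair, while m.silva, who keeps distinct passphrases on each side, produces no finding.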
Cyber-attack or cautionary tale?
Ultimately, the Iberian blackout served as a powerful reminder of the potential risks of infrastructure being targeted by a cyber-attack. In the midst of a sudden grid collapse, it was all too easy to leap to the cyber-attack hypothesis, fueled by recent headlines and geopolitical anxiety. Even if the true cause turns out to be a natural phenomenon, as the current evidence suggests, the very real threat of a targeted intrusion demands vigilance.
Operators must treat every incident as an opportunity to harden their defenses, from enforcing airtight password policies and multifactor authentication to rigorous network segmentation and 24/7 anomaly monitoring. If nothing else, this episode underscores that preparation (not panic) is the best antidote to both technical failures and malicious assaults.
What actions could you take right now? Why not rid your Active Directory of weak and compromised passwords?
Audit your Active Directory for password vulnerabilities
Find how many of your end users’ passwords are either compromised or identical with a read-only scan of your Active Directory from Specops Password Auditor. You’ll get a free customizable report on password-related vulnerabilities, including weak policies, breached passwords, and stale/inactive accounts. Download your free auditing tool here.
(Last updated on April 29, 2025)