Unravelling the Iberian power crisis: Was the blackout a test of cyberwarfare?


For South Africans, Angolans, Nigerians and several other energy-producing countries that suffer mass power failures and load shedding, the 11 hours of blackout on 28 April 2025 in Portugal and Spain produced an overreaction of breaking news and panic. At 11.33pm nearly 60 million people in the Iberian Peninsula and parts of southern France lost power.

The government closed petrol stations to the public, allowing only critical services to refuel, the airports shut, stores began running out of supplies while customers fought over toilet paper and bottles of water, within two hours camping gas and generators were sold out, while public schools closed and sent students home. 

Parents could not reach their children as networks and Wi-Fi services were not operating. People were stuck in metros, elevators and underground parking garages for hours. It truly was a harrowing experience and had it not been for news from the radio the panic could have escalated further. As a South African, this seemed to me a complete exaggeration, but I rapidly understood that something more nefarious could be behind this.

So what happened? 

Honestly, we don’t know. However, several clues suggest a more complex situation: a cyberattack possibly preceded by misinformation, disinformation, and malinformation campaigns. Dutch intelligence reports from days before (22 April 2025) indicate the risk of growing attacks from Russia aimed at destabilising European society. This could have been a trial run to assess vulnerabilities in European critical infrastructure, potentially preparing for a larger attack. 

Officially, the two governments are pointing to an infrastructure failure. Spanish newspaper El Mundo reported that Spain had known about the risk of a blackout since January, relating this to the mass infusion of renewable energy into the grid if the levels of hydroelectric, nuclear or natural gas power generation weren’t maintained.

On the day of the blackout 70% of the energy came from solar power, which led to the lowering of energy produced by nuclear reactors and the complete paralysis of hydroelectric and gas-generated power. The Spanish Minister of Ecological Transition, Sara Aagesen, rapidly deemed it “absurd” to blame renewable energy for the power failure, correctly claiming it to be too simplistic an explanation.

Unforeseen grid failures


Energy experts further explained that this could have been caused by several factors, including unforeseen grid failures, underinvestment in grid storage, and peak load surges linked to climate change. Intelligence agencies are, however, investigating every possibility. 

Alternatively, reports suggest the disruption might have originated at a crucial electrical connection point between the Aragón and Catalonia regions of Spain. This zone is vital as it transmits power generated by Spanish solar and wind farms in the northeast, as well as electricity imported from France. Despite the French connection’s limited capacity (about 3% of Spain’s demand, falling short of the EU’s 10% minimum), it plays a critical role in maintaining grid stability during periods of high demand or system stress.

Then, at 12.32pm, this Aragón-Catalonia link experienced an “electrical shock”. What that means is the power flowing through those lines suddenly went haywire, spiking up and down very quickly. There are a few possible reasons for this:

  1. A safety mechanism, like a circuit breaker, might have detected the unstable power flow and automatically shut off to prevent damage.

  2. The large amount of renewable energy in that area could have created an electrical “echo” effect. Small changes in voltage, maybe from clouds or wind, could have been amplified across the system, causing widespread power fluctuations.

  3. Someone might have sent a wrong command (by mistake or through a cyberattack) from the Scada (control) systems, shutting down or reducing the power generated by several plants.


What we do know is that this “shock” caused the power connection with France to break. This left Spain isolated at the worst possible moment, just when it needed that outside help to stabilise its power grid.

Without the French electricity, the “heartbeat” of Spain’s power grid (which should always be a steady 50 Hz) started to drop rapidly. When this frequency drops too low, the system thinks it’s about to crash and automatically shuts things down to avoid total failure. So, in just five seconds, the solar and wind farms, which are very sensitive to these frequency changes, turned off. 

This suddenly cut off a massive 15 gigawatts of power — 60% of all the electricity being generated at that time. The grid couldn’t handle this sudden loss, and it completely collapsed. The system monitoring the grid showed “0 MW” nationwide. This doesn’t mean every single power plant physically stopped, but none of them were working together at the correct frequency. Basically, for all practical purposes, the entire country went dark.

There are many variables to consider here. First, 28 April also marked the start of Locked Shields, Nato’s largest cybersecurity exercise, and the mention of Scada systems and cyberattacks in the context of this power outage is particularly noteworthy given this major cyber defence drill.

Secondly, an hour before the blackout the ground radar systems of the air traffic control tower of Lisbon airport stopped working, and so did another operating system that determines the sequence of planes pulling out of their gates to take off. The person I spoke to mentioned that this was similar (in so far as operating systems started to fail) to the cyberattack the Portuguese airline TAP experienced in September 2022 when pro-Russian ransomware group Ragnar Locker threatened and subsequently published a total of 581 GB of data exfiltrated from the airline, claiming to be information relating to 1.5 million of the airline’s customers.

Disinformation campaign


An hour after the two countries went dark, WhatsApp and Telegram messages were sent from several numbers in what looked to be a disinformation campaign. Disinformation campaigns are not easily created in less than an hour and sent to numbers that should be private and protected, which probably indicates a disinformation campaign, especially with the use of bots. The two messages, sent in English and then in Brazilian Portuguese, simulated a CNN Portugal news piece describing a wave of unprecedented cyberattacks on 15 European countries by Russian hackers.

In that fake news piece, the European Commission was quoted as calling it an attack on European sovereignty, which required a response. The piece then ended by describing Russian military deployments in the northern Atlantic. Another message claimed the Portuguese military had been deployed. The objective was obviously to cause panic and overreactions.

An activist group called Antibot4Navalny, which investigates Russian disinformation, found fake news stories claiming to be from the British paper The Independent and the public television station France24 also reporting on the Russian cyberattack.

Social networks X, Telegram, Facebook, TikTok and Instagram were inundated with similar stories in English, Spanish, Portuguese and Russian, with some of the profiles belonging to pro-Russian disinformation outfits Matrioska and Pravda. In the fake France24 story, France was portrayed as “the next victim of this energy apocalypse”. This weaponised uncertainty and created instant fear that Europe was being attacked. Hours after the blackout, hacktivist groups Dark Storm and NoName057(16) claimed responsibility on X. These claims remain unverified.

Expert industrial cybersecurity company Nozomi Networks Labs believes that energy grids are at increased risk of cyberattack because they rely on complex digital control systems, meaning that a well-structured and coordinated attack could disrupt operations and affect the monitoring systems. Evolving technology has introduced greater complexity into the energy supply chain (smarter grids, integration of renewables, multiple providers, etc.), creating more interdependence across borders but also exposing the system to greater cyber threats. It’s curious to note that on 29 April the French foreign ministry explicitly accused Russian intelligence of repeatedly staging cyberattacks since 2021 to destabilise France.

The risk is real and any vulnerability can be exploited. Russia has a history of cyberattacks on Ukraine’s power grid. Sadly, Ukraine has become a testing ground for Russia’s cyberweapons, and the effects on its critical infrastructure of energy, transport, health, government and defence reveal Russia’s growing dominance of cyberspace power. The first really big incident in which Russia was clearly linked to hacking Ukraine’s power grid took place way back in December 2015.

Some sneaky hackers used this thing called the BlackEnergy Trojan to break into the power system and actually shut down substations. This caused blackouts for hundreds of thousands of people in western Ukraine. It was a huge event at the time given that it was the first confirmed cyberattack that actually caused a real power outage.

New vulnerabilities


Last year the US Federal Bureau of Investigation (FBI) alerted people to the fact that the introduction of renewable energy incentives had introduced new vulnerabilities easily exploited by cybercriminals. The European Union may need up to $1-trillion to upgrade its power grids, as reported by Reuters, to avert similar blackouts. 

Was the power outage a way to cause chaos and gauge Europe’s reaction? It certainly feels like more than just the lights going out — it could even have been a test run. One thing is for sure: it’s a wake-up call about how vulnerable everything is and how easily things can fall apart.

Russia actively seeks to capitalise on its influence through proxies in both cyberspace and terrestrial domains. Our analysis of these types of operations suggests a discernible connection between events across these varied domains. These interconnected events could potentially pose significant threats to European democracies and risk eroding public trust in governmental institutions.

The much-cited statement of the Irish Republican Army (IRA) to the British government in 1984 after the attempted assassination of Prime Minister Margaret Thatcher is eerily applicable here: “You (the government) have to be lucky all the time, we (the insurgents) just need to be lucky once.” 

Today the cyber insurgents just need a single opening of fragility in critical infrastructure to sow chaos, override faith in governments’ capacity to keep citizens safe, and begin a breakdown of order where an attitude of “each man for himself” tears at societal norms. 

This may seem like a Western and European problem, but it is a global problem and governments in the Global South would do well to reinforce their capacities to defend against such cyberwarfare. DM

Dr Paula Cristina Roque is the executive director of Intelwatch, an organisation that monitors the political and undemocratic use of surveillance and intelligence services in the Global South.
