When cyberattacks hit critical infrastructure, the consequences can extend far beyond IT systems. That’s the concern raised this week after hackers claimed to have breached a US-based engineering firm and stolen detailed operational data linked to major American utilities.
The alleged incident underscores a growing trend: cybercriminals are no longer just chasing personal data or ransomware payouts—they’re increasingly targeting the digital backbone of energy and infrastructure systems.
What Happened?
According to posts on a dark web forum, attackers claim they have hacked Pickett and Associates, a Florida-based civil engineering, surveying, and geospatial services firm. The hackers say they exfiltrated more than 800 sensitive files connected to active utility projects.
The stolen data is being advertised as “real, operational engineering data” suitable for infrastructure analysis and risk assessment—language that has alarmed cybersecurity observers.
Pickett and Associates works with investor-owned utilities, municipalities, electric cooperatives, and mining operations across the US and the Caribbean, providing services such as transmission design, aerial mapping, LiDAR surveying, and project management.
Which Utilities Are Allegedly Affected?
While the full list of impacted clients hasn’t been confirmed, the attackers claim the data includes files connected to three major US utilities:
- Tampa Electric Company
- Duke Energy Florida
- American Electric Power (AEP)
Duke Energy acknowledged the claim in a statement to The Register, saying it is actively investigating the matter and emphasizing its ongoing cybersecurity efforts. Pickett and Associates has declined to comment publicly.
What Kind of Data Is for Sale?
The hackers are reportedly offering the stolen database for 6.5 bitcoin—roughly $600,000 at current prices.
The files allegedly include:
- Raw LiDAR point cloud files (.las)
- Detailed transmission line and substation corridor maps
- High-resolution aerial imagery (.ecw)
- Engineering design files (MicroStation formats)
- Vegetation and terrain datasets (.xyz)
If authentic, this type of data could provide highly detailed insight into physical infrastructure layouts—raising concerns about potential misuse.
Why This Matters Beyond One Company
This incident highlights a broader cybersecurity issue: engineering firms and third-party contractors are increasingly attractive targets. While utilities often invest heavily in cyber defense, attackers may find it easier to breach partners that hold equally sensitive data.
It also reflects a worrying shift in cybercrime strategy. Rather than relying on ransomware alone, threat actors are now monetizing stolen infrastructure intelligence: information that could theoretically be used for espionage, disruption, or sabotage.
The same hackers are reportedly selling data linked to Germany’s Enerparc AG, suggesting a broader focus on energy and critical infrastructure organizations worldwide.
The Bigger Trend: Infrastructure in the Crosshairs
As power grids, mapping systems, and engineering workflows become more digitized, the line between cyber risk and physical risk continues to blur. LiDAR data, GIS files, and design schematics are invaluable for efficiency—but also for attackers with the wrong intentions.
Security experts increasingly warn that protecting critical infrastructure isn’t just about utilities themselves—it requires securing the entire ecosystem of vendors, consultants, and service providers.
What Happens Next?
For now, the claims remain under investigation. But whether or not every detail proves accurate, the episode serves as another reminder that infrastructure cybersecurity is only as strong as its weakest link.
As attackers target the hidden digital layers behind physical systems, are regulators and companies moving fast enough to protect the data that keeps the lights on?