The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group, new findings from Forescout show.
The intrusions, which targeted around 22 Danish energy organizations in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a follow-on activity cluster that saw the attackers deploy Mirai botnet variants on infected hosts via an as-yet-unknown initial access vector.
The first wave took place on May 11, while the second wave lasted from May 22 to 31, 2023. In one such attack detected on May 24, it was observed that the compromised system was communicating with IP addresses (217.57.80[.]18 and 70.62.153[.]174) that were previously used as command-and-control (C2) for the now-dismantled Cyclops Blink botnet.
Forescout's closer examination of the attack campaign, however, has revealed that not only were the two waves unrelated, but also unlikely the work of the state-sponsored group owing to the fact the second wave was part of a broader mass exploitation campaign against unpatched Zyxel firewalls. It's currently not known who is behind the twin sets of attacks.
"The campaign described as the 'second wave' of attacks on Denmark, started before and continued after [the 10-day time period], targeting firewalls indiscriminately in a very similar manner, only changing staging servers periodically," the company said in a report aptly titled "Clearing the Fog of War."
There is evidence to suggest that the attacks may have started as early as February 16 using other known flaws Zyxel devices (CVE-2020-9054 and CVE-2022-30525) alongside CVE-2023-28771, and persisted as late as October 2023, with the activity singling out various entities across Europe and the U.S.
"This is further evidence that exploitation of CVE-2023-27881, rather than being limited to Danish critical infrastructure, is ongoing and targeting exposed devices, some of which just happen to be Zyxel firewalls safeguarding critical infrastructure organizations," Forescout added.
When reached for comment, SektorCERT pointed to its November 2023 report, in which it noted that "whether Sandworm was involved in the attack cannot be said with certainty. Individual indicators of this have been observed, but we have no opportunity to neither confirm nor deny it."
The non-profit also reiterated that cyber attacks are difficult to attribute to a specific threat actor and that it doesn't have any concrete evidence to accuse Russia of being involved in the attack.
