Cyberattacks Target Denmark’s Energy Sector, Findings Suggest State Sponsorship Unlikely
Recent analysis reveals that a series of cyberattacks on Denmark’s energy sector last year may not have involved the notorious Sandworm hacking group associated with Russian state-sponsored activity. According to new insights from Forescout, these attacks, which affected approximately 22 Danish energy organizations in May 2023, unfolded in two separate waves, each with distinct characteristics.
The first wave of attacks commenced on May 11, exploiting a critical vulnerability in Zyxel firewalls identified as CVE-2023-28771. The follow-on wave, occurring from May 22 to May 31, involved the deployment of Mirai botnet variants on compromised machines, leveraging an unknown initial access method. An examination of the network behavior during one incident on May 24 indicated that the infected system communicated with command-and-control IP addresses previously associated with the now-defunct Cyclops Blink botnet.
Forescout’s investigation established that the two waves of attacks were unrelated to each other and that they point to a broader campaign of mass exploitation against unpatched Zyxel devices. The second wave appeared to operate independently, indiscriminately attacking firewalls while periodically changing staging servers. This pattern reflects a sophisticated, automated approach that maps to MITRE ATT&CK tactics such as initial access through exploitation of externally facing vulnerabilities and persistence through automated scripts or botnets.
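The two observations above that a defender can act on are the outbound contact with known command-and-control addresses and the rotation of staging servers. The following is an added example, not code from Forescout or SektorCERT, showing how an analyst might sweep firewall connection logs for contacts with a blocklist and summarise, per internal host, how many distinct external destinations it reached and over what period. The log format (a syslog-style `conn:` line) is an assumed one, and the indicator list uses constructed placeholder addresses from the RFC 5737 documentation ranges rather than any real IoC from the incidents described.

```python
"""
Sweep firewall connection logs for contacts with blocklisted addresses and
summarise per-source activity (first seen, last seen, distinct destinations).

Added example; the log format and the indicator list are assumptions, not
data from the Forescout or SektorCERT reporting.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
import ipaddress
import re

# Assumed syslog-style record emitted by a hypothetical firewall.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) conn: "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed placeholder indicators (RFC 5737 documentation ranges), NOT real
# IoCs. A real list would come from a vendor or CERT advisory. Entries may be
# single hosts or CIDR ranges, as blocklists usually mix both.
KNOWN_C2 = ["203.0.113.10", "203.0.113.11", "198.51.100.0/29"]

# Constructed sample log; the malformed line checks that the parser skips noise.
SAMPLE_LOG = """\
May 24 10:15:02 fw01 conn: src=10.0.5.3 dst=203.0.113.10 dport=443 proto=tcp
May 24 10:15:09 fw01 conn: src=10.0.5.3 dst=192.0.2.50 dport=443 proto=tcp
May 24 10:21:44 fw01 conn: src=10.0.5.3 dst=198.51.100.4 dport=80 proto=tcp
May 24 11:02:10 fw01 conn: src=10.0.7.12 dst=203.0.113.11 dport=8080 proto=tcp
May 24 11:05:00 fw01 conn: src=10.0.7.12 dst=192.0.2.9 dport=53 proto=udp
malformed line that the parser must skip
May 25 03:40:31 fw01 conn: src=10.0.5.3 dst=203.0.113.11 dport=443 proto=tcp
"""


@dataclass
class Contact:
    ts: datetime
    host: str
    src: str
    dst: str
    dport: int
    proto: str
    hit: str  # the blocklist entry (as a network) that matched


def compile_iocs(entries: list[str]) -> list[ipaddress.IPv4Network | ipaddress.IPv6Network]:
    """Turn host and CIDR strings into network objects; a bare host becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_line(line: str, year: int = 2023):
    """Return (ts, host, src, dst, dport, proto) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["src"], m["dst"], int(m["dport"]), m["proto"]


def match_ioc(dst: str, nets) -> str | None:
    """Return the first blocklist network containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    for net in nets:
        if addr in net:
            return str(net)
    return None


def find_c2_contacts(lines, iocs: list[str]) -> list[Contact]:
    """Every parsed connection whose destination falls inside the blocklist."""
    nets = compile_iocs(iocs)
    hits: list[Contact] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, src, dst, dport, proto = rec
        hit = match_ioc(dst, nets)
        if hit:
            hits.append(Contact(ts, host, src, dst, dport, proto, hit))
    return hits


def summarise(hits: list[Contact]) -> dict[str, dict]:
    """Per internal source: first/last contact, hit count and distinct destinations.

    A source that keeps contacting new blocklisted destinations over days is the
    log-side view of an infected device following rotating staging servers."""
    out: dict[str, dict] = {}
    for h in hits:
        s = out.setdefault(h.src, {"first": h.ts, "last": h.ts, "dsts": set(), "count": 0})
        s["first"] = min(s["first"], h.ts)
        s["last"] = max(s["last"], h.ts)
        s["dsts"].add(h.dst)
        s["count"] += 1
    return out


if __name__ == "__main__":
    for src, s in summarise(find_c2_contacts(SAMPLE_LOG.splitlines(), KNOWN_C2)).items():
        print(f"{src}: {s['count']} hits, {len(s['dsts'])} destinations, "
              f"{s['first']:%b %d %H:%M} .. {s['last']:%b %d %H:%M}")
```

Running it against the constructed log flags two internal hosts; `10.0.5.3` is the interesting one because it reached three different blocklisted destinations across two days, which is the shape a rotating-staging-server infection leaves in the logs. In practice the year, the log regex and the indicator list would be replaced with the firewall's actual export format and a current advisory feed.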
Significantly, evidence suggests that these cyber intrusions may have started as early as February 16 using additional vulnerabilities such as CVE-2020-9054 and CVE-2022-30525, with activities extending into October 2023. The sustained exploitation campaign has targeted entities across Europe and the United States, further complicating any attribution attempts. Forescout emphasized that the ongoing exploitation of these vulnerabilities extends beyond Denmark’s critical infrastructure, underscoring the risks for organizations globally.
When asked about potential ties to the Sandworm group, SektorCERT indicated that, while some indicators of such involvement had been observed, there is no definitive evidence linking the group to these incidents. The organization reiterated how difficult it is to attribute cyberattacks unequivocally to specific actors, particularly when no concrete proof implicates Russia or any other state-sponsored entity.
In conclusion, this analysis of the attacks underscores the importance of robust security measures, especially for organizations in critical infrastructure sectors. As attackers refine their methods and exploit critical vulnerabilities, maintaining an adaptive cybersecurity posture is crucial. Business owners, particularly those whose operations rely on technology, should remain vigilant, keep software up to date, and employ strategies that strengthen their resilience against evolving cyber threats.