    New findings challenge attribution of cyberattack on Danish energy sector

    By techempire

    Report | January 14, 2024 | Editorial Department | Cyber attacks/vulnerabilities

    Latest findings from Forescout suggest that the Russian-linked Sandworm hacking group may not have been involved in last year’s cyberattack on Denmark’s energy sector.

    These intrusions targeted approximately 22 Danish energy organizations in May 2023 and occurred in two separate waves: one that exploited a security vulnerability in Zyxel firewalls (CVE-2023-28771), and a subsequent activity cluster in which the attackers deployed Mirai botnet variants on infected hosts through an unknown initial access vector.

    The first wave occurred on May 11 and the second wave lasted from May 22 to 31, 2023. In one such attack detected on May 24, infected systems were observed communicating with IP addresses (217.57.80[.]18 and 70.62.153[.]174) that were previously used as command and control (C2) for the now-dismantled Cyclops Blink botnet.

    However, Forescout’s closer examination of the attack activity shows that not only are the two waves of attacks unrelated, but they are also unlikely to be the work of a state-sponsored group, as the second wave was part of a broader mass exploitation campaign against unpatched Zyxel firewalls. It is unclear who is behind both attacks.

    “The campaign has been described as a ‘second wave’ of attacks on Denmark, which started before and continued after [the 10-day time period] targeting firewalls indiscriminately in a very similar manner, except for periodically replacing temporary servers,” the company said in a report titled “Clearing the Fog of War.”

    There is evidence that attacks may have begun as early as February 16 using other known flaws in Zyxel devices (CVE-2020-9054 and CVE-2022-30525) as well as CVE-2023-28771, and continued into October 2023. The campaign singled out various entities in Europe and the United States.

    Forescout added: “This is further evidence that the exploitation of CVE-2023-27881 is not limited to Danish critical infrastructure, but persists and targets exposed devices, some of which happen to be Zyxel firewalls protecting critical infrastructure organizations.”
