The cyber assaults on the Danish energy sector last year, which targeted approximately 22 organizations in May 2023, may not have been orchestrated by the Russia-linked Sandworm hacking group, according to recent findings from Forescout.
These intrusions unfolded in two separate waves. The initial wave exploited a security vulnerability in Zyxel firewalls (CVE-2023-28771). Following this, a subsequent cluster of activity saw the deployment of Mirai botnet variants on infected hosts through an as-yet-unknown initial access vector.
The first wave occurred on May 11, while the second wave spanned from May 22 to May 31, 2023. Notably, Forescout’s investigation has uncovered that these two waves were unrelated. Additionally, the nature of the second wave, being part of a broader mass exploitation campaign against unpatched Zyxel firewalls, suggests it may not be the work of a state-sponsored group. The perpetrators behind these attacks remain unknown.
In a specific incident on May 24, a compromised system was observed communicating with IP addresses (217.57.80[.]18 and 70.62.153[.]174) previously associated with the command-and-control (C2) infrastructure of the dismantled Cyclops Blink botnet.
Forescout’s examination further reveals that the attacks may have commenced as early as February 16, utilizing other known vulnerabilities in Zyxel devices (CVE-2020-9054 and CVE-2022-30525), alongside CVE-2023-28771. The campaign persisted until October 2023, targeting entities across Europe and the U.S.
The ongoing exploitation of CVE-2023-27881 indicates a broader focus beyond Danish critical infrastructure. The attacks extended to a range of exposed devices, some of which happened to be Zyxel firewalls protecting critical infrastructure organizations.
SektorCERT, when contacted for comment, referred to its November 2023 report, emphasizing the difficulty in attributing these attacks to a specific threat actor. The report highlighted individual indicators associated with Sandworm but lacked concrete evidence to confirm or deny their involvement. The non-profit reiterated the challenge of definitively accusing Russia of participating in the attack.