Forescout Sheds New Light on Denmark’s Energy Sector Cyberattacks

The Cyber Intrusions

Forescout’s recent research offers a new perspective on last year’s cyberattacks in Denmark’s energy sector. Contrary to initial beliefs, these attacks might not link to the Russia-affiliated Sandworm hacking group.

The First Wave of Attacks

In May 2023, cyber intruders targeted around 22 Danish energy companies. The first attack, on May 11, exploited a Zyxel firewall vulnerability (CVE-2023-28771).

The Second Wave and Its Implications

From May 22 to 31, the second wave took a different approach. Attackers used unknown methods to spread Mirai botnet variants. On May 24, experts found that this attack connected to IP addresses previously used by the dismantled Cyclops Blink botnet.

Denmark's Energy Sector Cyberattacks

The Cyber Intrusions

Forescout’s recent research offers a new perspective on last year’s cyberattacks in Denmark’s energy sector. Contrary to initial beliefs, these attacks might not link to the Russia-affiliated Sandworm hacking group.

The First Wave of Attacks

In May 2023, cyber intruders targeted around 22 Danish energy companies. The first attack, on May 11, exploited a Zyxel firewall vulnerability (CVE-2023-28771).

The Second Wave and Its Implications

From May 22 to 31, the second wave took a different approach. Attackers used unknown methods to spread Mirai botnet variants. On May 24, experts found that this attack connected to IP addresses previously used by the dismantled Cyclops Blink botnet.

Forescout’s In-Depth Analysis

Forescout’s investigation revealed that these two phases were independent. The second wave seemed part of a larger campaign against unpatched Zyxel firewalls, not a targeted state-sponsored attack. The identity of the attackers remains a mystery.

Clearing the Fog of War

Forescout’s report, “Clearing the Fog of War,” points out that the second wave in Denmark started earlier and lasted beyond the 10-day window. It targeted firewalls indiscriminately, changing staging servers now and then.

Broader Impact Beyond Denmark

Evidence shows these attacks possibly began as early as February 16, using different Zyxel device flaws (CVE-20525). They persisted until at least October 20, affecting entities in Europe and the U.S.

The Larger Concern

These activities suggest a wider exploitation of CVE-2023-27881. Attackers targeted exposed devices, including Zyxel firewalls used by critical infrastructure organizations, well beyond Danish borders.

 

This post was originally published on this site

Lean More About DoD Cybersecurity, Cyber Threats and Related Contents