Forescout Sheds New Light on Denmark’s Energy Sector Cyberattacks

The Cyber Intrusions

Forescout’s recent research offers a new perspective on last year’s cyberattacks on Denmark’s energy sector. Contrary to initial beliefs, these attacks may not be linked to the Russia-affiliated Sandworm hacking group.

The First Wave of Attacks

In May 2023, cyber intruders targeted around 22 Danish energy companies. The first attack, on May 11, exploited a Zyxel firewall vulnerability (CVE-2023-28771).

The Second Wave and Its Implications

From May 22 to 31, the second wave took a different approach. Attackers used unknown methods to spread Mirai botnet variants. On May 24, experts found that this attack connected to IP addresses previously used by the dismantled Cyclops Blink botnet.

Forescout’s In-Depth Analysis

Forescout’s investigation revealed that these two phases were independent. The second wave seemed part of a larger campaign against unpatched Zyxel firewalls, not a targeted state-sponsored attack. The identity of the attackers remains a mystery.

Clearing the Fog of War

Forescout’s report, “Clearing the Fog of War,” points out that the second wave in Denmark started earlier and lasted beyond the 10-day window. It targeted firewalls indiscriminately, changing staging servers now and then.

Broader Impact Beyond Denmark

Evidence shows these attacks possibly began as early as February 16, using different Zyxel device flaws (CVE-20525). They persisted until at least October 20, affecting entities in Europe and the U.S.

The Larger Concern

These activities suggest a wider exploitation of CVE-2023-27881. Attackers targeted exposed devices, including Zyxel firewalls used by critical infrastructure organizations, well beyond Danish borders.
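The second-wave tradecraft described above, compromised firewalls talking to botnet infrastructure previously tied to Cyclops Blink and staging servers that rotate over time, gives defenders a concrete thing to look for: outbound connections from firewall-adjacent hosts to addresses on a threat-intelligence watch list. The following is an added example, not code from the article or from Forescout's report. It parses constructed firewall-style log lines (a made-up format, not Zyxel's), matches destination addresses against an IoC list of placeholder networks from the documentation ranges, and groups hits by internal source so a single device contacting several staging servers stands out.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed IoC list: placeholder networks (RFC 5737 documentation ranges)
# standing in for the staging/C2 addresses a threat-intel feed would supply.
# Because the report notes staging servers change over time, this list must be
# refreshed from the feed rather than treated as static.
KNOWN_BAD_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder, not a real IoC
    ipaddress.ip_network("198.51.100.7/32"),  # placeholder, not a real IoC
]

# Constructed sample log lines in an assumed syslog-like format.
SAMPLE_LOGS = """\
2023-05-24T10:01:02Z fw1 conn src=10.0.5.4 dst=203.0.113.45 dport=443 proto=tcp action=allow
2023-05-24T10:01:09Z fw1 conn src=10.0.5.9 dst=93.184.216.34 dport=443 proto=tcp action=allow
2023-05-24T10:02:30Z fw1 conn src=10.0.5.4 dst=198.51.100.7 dport=80 proto=tcp action=allow
2023-05-24T10:03:11Z fw1 conn src=10.0.5.4 dst=203.0.113.200 dport=8080 proto=tcp action=allow
2023-05-24T10:04:00Z fw1 conn src=10.0.5.12 dst=1.1.1.1 dport=53 proto=udp action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+conn\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict of the fields we care about, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_known_bad(ip_str):
    """True if the address falls inside any watch-listed network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed field: do not crash the pipeline on one bad line
    return any(ip in net for net in KNOWN_BAD_NETWORKS)


def find_ioc_hits(log_text):
    """Scan log text and return every connection record whose destination is watch-listed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_known_bad(rec["dst"]):
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Group flagged destinations by internal source address."""
    by_src = defaultdict(set)
    for h in hits:
        by_src[h["src"]].add(h["dst"])
    return {src: sorted(dsts) for src, dsts in by_src.items()}


if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOGS)
    for h in hits:
        print(f"ALERT {h['ts']} {h['host']}: {h['src']} -> {h['dst']}:{h['dport']} "
              "matches watch-listed botnet infrastructure")
    for src, dsts in summarize_by_source(hits).items():
        print(f"{src} contacted {len(dsts)} flagged destination(s): {', '.join(dsts)}")
```

A hit against this kind of list is a trigger for investigation, not proof of compromise on its own; the useful follow-up is to check whether the contacting device is an edge firewall exposed to the internet and whether its firmware is current against the Zyxel advisories the article cites.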
