New Findings Challenge Attribution in Denmark’s Energy Sector Cyberattacks

New Findings Challenge Attribution in Denmark’s Energy Sector Cyberattacks

The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group, new findings from Forescout show.

The intrusions, which targeted around 22 Danish energy organizations in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a follow-on activity cluster that saw the attackers deploy Mirai botnet variants on infected hosts via an as-yet-unknown initial access vector.

Denmark's Energy Sector Cyberattacks

Forescout’s closer examination of the attack campaign, however, has revealed that not only were the two waves unrelated, but also unlikely the work of the state-sponsored group owing to the fact the second wave was part of a broader mass exploitation campaign against unpatched Zyxel firewalls. It’s currently not known who is behind the twin sets of attacks.

There is evidence to suggest that the attacks may have started as early as February 16 using other known flaws Zyxel devices (CVE-2020-9054 and CVE-2022-30525) alongside CVE-2023-28771, and persisted as late as October 2023, with the activity singling out various entities across Europe and the U.S.

“This is further evidence that exploitation of CVE-2023-27881, rather than being limited to Danish critical infrastructure, is ongoing and targeting exposed devices, some of which just happen to be Zyxel firewalls safeguarding critical infrastructure organizations,” Forescout added.