New findings pose a challenge for attributing cyber attacks in the Danish energy sector

Denmark's Energy Sector Cyberattacks

Cyberattacks targeting Denmark’s energy sector last year may not have involved the Russia-linked Sandworm hacking group, new findings from Forescout show.

The intrusions, which targeted approximately 22 Danish energy organizations in May 2023, occurred in two distinct waves: one that exploited a security flaw in Zyxel firewalls (CVE-2023-28771), and a follow-up activity cluster in which the attackers deployed Mirai botnet variants on infected hosts via an as yet unknown initial entry vector.

The first wave took place on May 11, while the second wave lasted from May 22 to May 31, 2023. In one such attack, detected on May 24, the compromised system was observed communicating with IP addresses (217.57.80[.]18 and 70.62.153[.]174) that had previously been used as command-and-control (C2) infrastructure for the now decommissioned Cyclops Blink botnet.

Cyber attacks in Denmark's energy sector

However, further investigation of the attack campaign by Forescout found not only that the two waves were unrelated, but also that the involvement of the state-sponsored group was unlikely, because the second wave was part of a broader mass-exploitation campaign against unpatched Zyxel firewalls. It is currently unknown who is behind the two sets of attacks.

“The campaign described as the ‘second wave’ of attacks on Denmark started before and continued afterwards [the 10-day time period], addressing firewalls indiscriminately in a very similar manner, only periodically changing staging servers,” the company said in a report aptly titled “Clearing the Fog of War.”

There are indications that the attacks started as early as February 16 using other known Zyxel device flaws (CVE-2020-9054 and CVE-2022-30525) in addition to CVE-2023-28771, and continued until October 2023, with the activity focusing on various entities in Europe and the US.

“This is further evidence that exploitation of CVE-2023-28771, rather than being limited to Danish critical infrastructure, is ongoing and targeting exposed devices, some of which happen to be Zyxel firewalls protecting critical infrastructure organizations,” Forescout added.
