according tocyber securityNew research from agency Forescout suggests that the cyberattacks that took place in the Danish energy sector last year are similar to the previously widely suspected Russia-related SandwormhackerGang affiliation may not exist.
Danish Ministry of Energy Cyber Attack
In May 2023, some 22 Danish energy organizations were subjected to a cyber intrusion divided into two waves. The first wave utilized theZyxel Firewallsecurity vulnerability (CVE-2023-28771), and subsequent activity in which an attacker, through an as-yet-unknown initial access route, deployed an infected host withMirai BotnetThe variants.
The first wave of attacks occurred on May 11th, while the second wave lasted from May 22nd to 31st. In one of the attacks detected on May 24, it was discovered that the compromised system was being used with IP addresses (217.57.80[.] 18 and 70.62.153 [...] 174) that were previously used as command-and-control (C2) servers for the deconstructed Cyclops Blink botnet.
Analysis of attack activities
However, Forescout's careful analysis of the attack campaign reveals that not only are the two waves of attacks unrelated to each other, but they are likely not the work of a state-sponsored hacking organization; as the second wave of attacks is part of a broader mass exploitation campaign against the unpatched Zyxel firewall. The specific actors behind these two sets of attacks are not yet known.
In a report titled "Removing the Fog of War," the company said, "The campaign, described as a 'second wave' of attacks against Denmark, actually began before [the 10-day timeframe] and continued afterward, indiscriminately targeting firewalls in a very similar manner, with only periodic changes to transit servers."
Persistence of cyberattacks
Evidence suggests that these attacks may have begun as early as February 16, using other known vulnerabilities in Zyxel devices (CVE-2020-9054 and CVE-2022-30525), as well as CVE-2023-28771, and continued through October 2023, with activity targeting various entities in Europe and the United States.
Forescout added, "This further confirms that the exploitation of CVE-2023-27881 is not limited to attacks on Danish critical infrastructure, but is ongoing and targeting exposed devices, some of which happen to be Zyxel firewalls protecting critical infrastructure organizations."
Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/cyberattacks-not-linked-to-sandworm-hacker-group.html
