TLDR: The cyberattacks that hit Denmark's energy sector in 2023 may not have been the work of the Russia-linked Sandworm hacking group, according to new findings from Forescout. The attacks came in two waves, the first on May 11 and the second from May 22 to 31. Forescout's analysis found that the two waves were unrelated and were unlikely to be the work of a state-sponsored group. The second wave was part of a broader mass-exploitation campaign against unpatched Zyxel firewalls and also hit organizations outside Denmark. The attackers exploited a security flaw in Zyxel firewalls and deployed Mirai botnet variants on the compromised hosts. The activity may have started as early as February 16 and continued as late as October 2023, targeting entities across Europe and the U.S.
In a report titled “Clearing the Fog of War,” Forescout presents evidence that the attacks continued by exploiting known vulnerabilities in Zyxel devices, including CVE-2020-9054, CVE-2022-30525, and CVE-2023-28771. Forescout stresses that exploitation of CVE-2023-28771 is still ongoing against exposed devices, some of which are Zyxel firewalls protecting critical infrastructure organizations. Who is behind the attacks remains unknown.