Denmark’s Energy Sector Cyber Attacks Not Executed by Russia-Linked APT, Reveals Forescout

January 14, 2024

The cyber attacks that targeted Denmark's energy sector in 2023 were previously linked to the Russia-associated Advanced Persistent Threat (APT) group, Sandworm. However, a recent analysis by Forescout contradicts this attribution.

In May 2023, Denmark's critical infrastructure was hit by the largest cyber attack in the country's history. This attack was reported by SektorCERT, Denmark’s Computer Security Incident Response Team (CSIRT) for the critical infrastructure sectors. The attack was executed in two waves; the first on May 11, and the second on May 22.

The threat actors compromised the networks of 22 companies in the energy infrastructure sector; 11 of them were compromised outright in the first wave. The attackers exploited a vulnerability in Zyxel firewalls, devices widely used by critical infrastructure operators in Denmark. The flaw was not a zero-day: Zyxel had disclosed and patched it less than three weeks before the first wave.

On April 25, 2023, Zyxel disclosed a critical vulnerability (CVSS score 9.8), tracked as CVE-2023-28771, in several of their firewalls. The vulnerability was due to improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35.

An attacker could exploit this flaw by sending specially crafted packets to a vulnerable device and execute operating system commands on it without authenticating. Zyxel released security patches to address the vulnerability and urged customers to install them. SektorCERT reported, “The vulnerability itself was exploited by sending a single specially crafted data packet to port 500 over the protocol UDP towards a vulnerable Zyxel device... The result was that the attacker could execute commands with root privileges directly on the device without authentication.”
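A practitioner reading the affected-version list above wants two answers per firewall: is it on an affected build, and is its IKE service (UDP/500, the delivery path SektorCERT described) reachable from an untrusted network. The script below is an added example written for this article, not tooling from Zyxel, SektorCERT or Forescout. It encodes the affected ranges quoted above and the fixed builds named in Zyxel's advisory (ZLD V4.73 Patch 1 for ZyWALL/USG, ZLD V5.36 for the others), which the article does not list; the device inventory at the bottom is constructed sample data, and the firmware strings follow the vendor's usual `V5.35(ABUJ.0)` naming.

```python
"""Added example: triage a firewall inventory for CVE-2023-28771 exposure.

Example code written for this article, not vendor or CERT tooling. Each
device's product series and ZLD firmware string is checked against the
affected ranges quoted in the article; devices on an affected build that
also expose IKE (UDP/500) to an untrusted interface are rated critical.
"""
import re
from dataclasses import dataclass

# First affected build per series (inclusive), as quoted in the article.
FIRST_AFFECTED = (4, 60, 0)

# First fixed build per series, from Zyxel's advisory (assumption: the
# article itself does not name the fixed builds). Tuples are
# (major, minor, patch); a 'Patch N' suffix maps to the third element.
FIRST_FIXED = {
    "ZyWALL/USG": (4, 73, 1),   # ZLD V4.73 Patch 1
    "VPN":        (5, 36, 0),   # ZLD V5.36
    "USG FLEX":   (5, 36, 0),   # ZLD V5.36
    "ATP":        (5, 36, 0),   # ZLD V5.36
}

# Matches '5.35', 'V5.36(ABUJ.0)' and 'V4.73(AAPL.0) Patch 1'.
_VERSION_RE = re.compile(
    r"V?(\d+)\.(\d+)(?:\([^)]*\))?(?:\s*Patch\s*(\d+))?", re.IGNORECASE
)


def parse_zld_version(text):
    """Return (major, minor, patch) from a ZLD firmware string.

    The parenthesised build code (e.g. ABUJ.0) is ignored because the
    advisory's ranges are expressed in major.minor terms only.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return major, minor, patch


def is_affected(series, firmware):
    """True if the build lies in [FIRST_AFFECTED, FIRST_FIXED[series])."""
    if series not in FIRST_FIXED:
        raise ValueError(f"unknown Zyxel series {series!r}")
    version = parse_zld_version(firmware)
    return FIRST_AFFECTED <= version < FIRST_FIXED[series]


@dataclass
class Device:
    name: str
    series: str
    firmware: str
    ike_exposed_to_untrusted: bool  # UDP/500 reachable from an untrusted interface


def triage(devices):
    """Return [(name, severity)] for devices on an affected build.

    'critical' when IKE is reachable from an untrusted interface (the
    unauthenticated single-packet path SektorCERT described), otherwise
    'patch' (still vulnerable, but not directly exposed).
    """
    findings = []
    for d in devices:
        if not is_affected(d.series, d.firmware):
            continue
        severity = "critical" if d.ike_exposed_to_untrusted else "patch"
        findings.append((d.name, severity))
    return findings


# Constructed sample inventory; names and builds are illustrative only.
SAMPLE_INVENTORY = [
    Device("fw-plant-01", "USG FLEX",   "V5.35(ABUJ.0)",         True),
    Device("fw-plant-02", "USG FLEX",   "V5.36(ABUJ.0)",         True),
    Device("fw-office",   "ZyWALL/USG", "V4.73(AAPL.0) Patch 1", True),
    Device("fw-legacy",   "ZyWALL/USG", "V4.73(AAPL.0)",         False),
    Device("fw-old",      "ATP",        "V4.59(ABFW.0)",         True),
]

if __name__ == "__main__":
    for name, severity in triage(SAMPLE_INVENTORY):
        print(f"{name}: {severity}")
```

Running the block against the sample inventory flags `fw-plant-01` as critical (affected build, IKE exposed) and `fw-legacy` as patch-only; `fw-office` is on the fixed 4.73 Patch 1 build and `fw-old` predates the affected range. In a real estate the inventory would come from an asset database, and the exposure flag from the firewall's interface configuration rather than a hand-entered boolean.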

The attackers demonstrated detailed knowledge about their targets, suggesting prior reconnaissance activity. The level of coordination required to execute such a large-scale campaign hinted at the involvement of an APT group. The initial attribution of the attacks to the Russia-linked Sandworm group was based on this premise.

However, Forescout's analysis suggests that the two waves of attacks were not connected. The second wave was likely part of a mass exploitation campaign against unpatched firewalls, not a targeted attack by Sandworm or another state-sponsored actor. Forescout's findings read, “Our evidence suggests that the two waves of attacks on Danish infrastructure reported by SektorCERT... were unrelated. It also suggests that the second wave was simply part of a mass exploitation campaign against unpatched firewalls, not part of a targeted attack by Sandworm or another state-sponsored actor.”

Forescout's analysis also found that the campaign SektorCERT described as the “second wave” began before, and continued after, the period SektorCERT reported, and that it targeted firewalls indiscriminately. The researchers observed attempts to exploit the older Zyxel flaws CVE-2020-9054 and CVE-2022-30525 between February 16 and May 14, 2023, in Forescout's Adversary Engagement Environment (AEE), a honeypot network, with all of those attempts aimed at entities in the United States.

The incident underscores the importance of extensive network monitoring and a quick, coordinated response. It also highlights how hard it is, particularly while an incident is still unfolding, to distinguish a state-sponsored campaign aimed at disrupting critical infrastructure from an opportunistic mass-exploitation campaign run by criminals against whatever unpatched devices they can reach.
