Forescout has recently revealed new insights in its report titled “Clearing the Fog of War”, shedding light on cyberattacks that targeted the Danish energy sector in May 2023. This analysis, conducted by Forescout Research – Vedere Labs, challenges the previously held belief that the Advanced Persistent Threat (APT) group, Sandworm, was solely responsible for these attacks.
The independent study by Vedere Labs has uncovered a broader campaign associated with these attacks, which extends beyond the activities attributed to Sandworm. This new information was not included in the initial report released by the Danish CERT, SektorCERT, in November 2023.
Key findings from the Adversary Engagement Environment (AEE) observations by Vedere Labs include:
Sandworm Not Sole Actor: The research indicates a different methodology was employed in the second wave of attacks compared to the first, suggesting that Sandworm may not be the only APT group involved.
Copycat Exploitation: The second wave of attacks exploited unpatched firewalls, leveraging a recently popularised vulnerability (CVE-2023-28771) and additional IP addresses that were not reported in the SektorCERT report. This points to a separate mass exploitation campaign.
“Distinguishing between a state-sponsored campaign aimed at disrupting critical infrastructure and a crimewave of mass exploitation campaigns, while also accounting for potential overlaps between the two, is more manageable in hindsight than in the heat of the moment,” notes Elisa Costante, VP of Research at Forescout Research – Vedere Labs. “This report underscores the significance of contextualising observed events with comprehensive threat and vulnerability intelligence to improve OT network monitoring and enhance incident response plans.”
Further investigations revealed that after the second incident, additional attacks were launched globally, targeting exposed devices within critical infrastructure. Forescout researchers observed numerous attempts to exploit the Zyxel vulnerability CVE-2023-28771, persisting up to October 2023, across a range of devices, including Zyxel firewalls. Currently, six European power companies using Zyxel firewalls are potentially at risk of exploitation.
This recent evidence stresses the need for energy companies and critical infrastructure managers to utilise up-to-date threat intelligence, including data on malicious IPs and known exploited vulnerabilities. In response to growing threats, governments are proactively funding initiatives to strengthen the security of critical infrastructure in the energy sector. For instance, the US Department of Energy announced a $70 million funding initiative for this purpose just last week.
Forescout’s analysis was conducted using its AEE, which comprises real and simulated connected devices. This unique environment allows for detailed incident tracking and pattern recognition of threat actors, aiming to enhance response to complex attacks on critical infrastructure through in-depth insights gained from this specialised testing setup.