Russian state-sponsored APT actor Sandworm might not have been involved in last year's massive attack campaign against Denmark's critical infrastructure, cybersecurity firm Forescout says.
The assaults occurred in May 2023 and resulted in the compromise of 22 Danish energy organizations, the non-profit cybersecurity center for critical sectors SektorCERT revealed in a November 2023 report.
As part of the campaign, the victim organizations were compromised within several days via multiple vulnerabilities in Zyxel firewalls, including CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010, three bugs that were disclosed and patched around the same time the attacks occurred.
In its report, which provides a timeline of the attacks, SektorCERT noted that Sandworm, which is linked to Russia's GRU military spy agency, was involved in at least one incident.
No Russian APT had previously shown interest in Danish critical infrastructure.
On Thursday, Forescout published its own analysis of the attacks, which occurred in two waves a couple of weeks apart, concluding that Sandworm might never have been involved in the malicious campaign.
Instead, the cybersecurity firm says, the attacks appear to have been part of a massive infection campaign that might not have been targeted at the country's critical infrastructure.
The second wave of attacks, which started on May 22, might have been orchestrated by different attackers, the cybersecurity firm notes.
These attacks might have been part of a mass-exploitation campaign targeting Zyxel devices, in which many firewalls were infected with Mirai botnet malware.
In November, SektorCERT said that CVE-2023-33009 and CVE-2023-33010, two Zyxel firewall bugs disclosed on May 24, were exploited as part of the second wave, but Forescout believes that this might not have been the case, and that targets compromised during the first wave likely went unnoticed.
According to the cybersecurity firm, all the activity targeting Zyxel firewalls that it observed during that time frame involved the exploitation of CVE-2023-28771, and the attacks on Denmark's critical infrastructure appear to have been no different.
Overall, Forescout says, the first and second waves of attacks do not appear to be connected, and the second wave shows evidence of crimeware botnet-building rather than a state-attributed campaign, catching the Danish energy sector in its net but not targeting it specifically.
The cybersecurity firm points out that there are over 40,000 internet-accessible Zyxel firewalls worldwide, including many that safeguard critical infrastructure organizations, representing a broad attack surface prone to indiscriminate malicious attacks, such as those exploiting CVE-2023-27881.
This Cyber News was published on www.securityweek.com. Publication date: Fri, 12 Jan 2024 12:43:04 +0000