Russian state-sponsored APT actor Sandworm might not have been involved in last year’s massive attack campaign against Denmark’s critical infrastructure, cybersecurity firm Forescout says.
The assaults occurred in May 2023 and resulted in the compromise of 22 Danish energy organizations, non-profit cybersecurity center for critical sectors SektorCERT revealed in a November 2023 report.
As part of the campaign, within several days, the victim organizations were compromised via multiple vulnerabilities in Zyxel firewalls, including CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010, three bugs that were disclosed and patched around the same time that the attacks occurred.
In its report, which provides a timeline of the attacks, SektorCERT noted that Sandworm, which is linked to Russia’s GRU military spy agency, was involved in at least one incident. No Russian APT had previously shown interest in the Danish critical infrastructure.
On Thursday, Forescout published its own analysis of the attacks, which occurred in two waves, a couple of weeks apart, concluding that Sandworm might have never been involved in the malicious campaign.
Instead, the cybersecurity firm says, the attacks appear to have been part of a massive infection campaign that might not have been aimed at the country’s critical infrastructure at all.
In the first wave of attacks, which started on May 11, CVE-2023-28771 was exploited two weeks after public disclosure and one week before proof-of-concept (PoC) exploit code was published, “which suggests a potentially targeted attack,” even though Denmark hosts roughly 700 of the Zyxel firewalls that appear in web searches, Forescout notes.
The second wave of attacks, which started on May 22, might have been orchestrated by different attackers, the cybersecurity firm notes. These attacks might in fact have been part of a mass-exploitation campaign against Zyxel devices, in which many firewalls were recruited into a Mirai botnet.
“Evidence points to the second wave of attacks on Danish organizations being part of a larger campaign of indiscriminate botnet exploitation using a newly ‘popular’ CVE, rather than a targeted attack or something related to the first wave, which had used payloads specific to Zyxel,” Forescout notes.
In November, SektorCERT said that CVE-2023-33009 and CVE-2023-33010, two Zyxel firewall bugs disclosed on May 24, were exploited as part of the second wave, but Forescout believes that this might not have been the case, and that targets compromised during the first wave likely went unnoticed.
“The second attack wave started only days after the Metasploit module for CVE-2023-28771 was made public, an event which has led to mass exploitation by Mirai-based botnets. Alternatively, the second wave targets could have been compromised previously, for instance during the first wave, gone unnoticed, with access handed over to Mirai botnet operators,” Forescout says.
According to the cybersecurity firm, all the activity targeting Zyxel firewalls that it observed during that time frame involved the exploitation of CVE-2023-28771, and the attacks on Denmark’s critical infrastructure appear to have been no different.
Overall, Forescout says, the first and second waves of attacks do not appear to be connected, and the second wave shows evidence of crimeware botnet-building rather than a state-attributed campaign: it caught the Danish energy sector in its net, but did not target it specifically.
“The first wave is less clear and more sophisticated than the second. Attackers had to create their own exploit and show more constrained behavior. As such, a specific focus on critical infrastructure cannot be ruled out. But there seems to be no direct link to Sandworm,” Forescout notes.
The cybersecurity firm points out that there are over 40,000 internet-accessible Zyxel firewalls worldwide, including many that safeguard critical infrastructure organizations, representing a broad attack surface exposed to indiscriminate malicious attacks, such as those exploiting CVE-2023-28771.
“Whether the operator behind a botnet is state-affiliated or not, once initial access to networking infrastructure is obtained, the threat actor may choose to move further within the network and potentially reach the ‘crown jewels,’ such as sensitive information or operational technology,” Forescout says.