Connect with us

Hi, what are you looking for?



Russian Hackers Likely Not Involved in Attacks on Denmark’s Critical Infrastructure

Researchers find no direct link between Russian APT Sandworm and last year’s attacks on Denmark’s critical infrastructure.

Russian state-sponsored APT actor Sandworm might have not been involved in last year’s massive attack campaign against Denmark’s critical infrastructure, cybersecurity firm Forescout says.

The assaults occurred in May 2023 and resulted in the compromise of 22 Danish energy organizations, non-profit cybersecurity center for critical sectors SektorCERT revealed in a November 2023 report.

As part of the campaign, within several days, the victim organizations were compromised via multiple vulnerabilities in Zyxel firewalls, including CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010, three bugs that were disclosed and patched around the same time that the attacks occurred.

In its report, which provides a timeline of the attacks, SektorCERT noted that Sandworm, which is linked to Russia’s GRU military spy agency, was involved in at least one incident. No Russian APT had previously shown interest in the Danish critical infrastructure.

On Thursday, Forescout published its own analysis of the attacks, which occurred in two waves, a couple of weeks apart, concluding that Sandworm might have never been involved in the malicious campaign.

Instead, the cybersecurity firm says, the attacks appear to have been part of a massive infection campaign that might have not been targeted at the country’s critical infrastructure.

As part of the first wave of attacks, which started on May 11, CVE-2023-28771 was exploited two weeks after public disclosure and one week before proof-of-concept (PoC) exploit code was published, “which suggests a potentially targeted attack,” even if Denmark houses roughly 700 of the Zyxel firewalls that appear in web searches, Forescout notes.

The second wave of attacks, which started on May 22, might have been orchestrated by different attackers, the cybersecurity firm notes. In fact, these attacks might have been part of a mass-exploitation campaign targeting Zyxel devices, in which many firewalls were infected with a Mirai botnet.

Advertisement. Scroll to continue reading.

“Evidence points to the second wave of attacks on Danish organizations being part of a larger campaign of indiscriminate botnet exploitation using a newly ‘popular’ CVE, rather than a targeted attack or something related to the first wave, which had used payloads specific to Zyxel,” Forescout notes.

In November, SektorCERT said that CVE-2023-33009 and CVE-2023-33010, two Zyxel firewall bugs disclosed on May 24, were exploited as part of the second wave, but Forescout believes that this might not have been the case, and that targets compromised during the first wave likely went unnoticed.

“The second attack wave started only days after the Metasploit module for CVE-2023-28771 was made public, an event which has led to mass exploitation by Mirai-based botnets. Alternatively, the second wave targets could have been compromised previously, for instance during the first wave, gone unnoticed, with access handed over to Mirai botnet operators,” Forescout says.

According to the cybersecurity firm, all the activity targeting Zyxel firewalls that it observed around the time frame involved the exploitation of CVE-2023-28771, and the attacks on Denmark’s critical infrastructure appear to have been no different.

Overall, Forescout says, the first and second wave of attacks do not appear to be connected and the second wave shows evidence of crimeware botnet-building rather than state-attributed campaigns, catching the Danish energy sector in its net, but not targeting it specifically.

“The first wave is less clear and more sophisticated than the second. Attackers had to create their own exploit and show more constrained behavior. As such, a specific focus on critical infrastructure cannot be ruled out. But there seems to be no direct link to Sandworm,” Forescout notes.

The cybersecurity firm points out that there are over 40,000 internet-accessible Zyxel firewalls worldwide, including many that safeguard critical infrastructure organizations, representing a broad attack surface prone to indiscriminate malicious attacks, such as those exploiting CVE-2023-27881.

“Whether the operator behind a botnet is state-affiliated or not, once initial access to networking infrastructure is obtained, the threat actor may choose to move further within the network and potentially reach the ‘crown jewels,’ such as sensitive information or operational technology,” Forescout says.

Related: Multiple DDoS Botnets Exploiting Recent Zyxel Vulnerability

Related: Major Security Flaws in Zyxel Firewalls, Access Points, NAS Devices

Related: CISA Says Critical Zyxel NAS Vulnerability Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...