Sandworm Not All to Blame: Forescout Research Uncovers New Evidence Tied to Energy Sector Cyberattacks in Denmark

|

|

Last update:

SAN JOSE, Calif.–(BUSINESS WIRE)–Forescout, a global cybersecurity leader, today unveiled “Clearing the Fog of War,” a report that introduces fresh evidence regarding two previously documented attacks that affected the Danish energy sector in May 2023.




Forescout Research – Vedere Labs conducted an independent analysis of these attacks and discovered a larger campaign that could not be fully attributed to the Advanced Persistent Threat (APT) group, Sandworm, along with other findings that the Danish CERT, SektorCERT, did not publish in its November 2023 report.

In its Adversary Engagement Environment (AEE) observations, Vedere Labs identified two significant findings:

  • Sandworm is not the common threat actor: Forescout researchers detailed a different technique for targeting the critical infrastructure in the second wave than the one used in the first attack wave. This suggests that Sandworm cannot be pointed to as the APT group associated with both waves of attacks.
  • Copycat adopted mass exploit: The second wave of attacks took advantage of unpatched firewalls using a newly “popular” CVE-2023-27881 and additional IP addresses that went unreported in the SektorCERT report. Evidence suggests the second wave was part of a separate mass exploitation campaign.

“Distinguishing between a state-sponsored campaign aimed at disrupting critical infrastructure and a crimewave of mass exploitation campaigns, while also accounting for potential overlaps between the two, is more manageable in hindsight than in the heat of the moment,” notes Elisa Costante, VP of Research at Forescout Research – Vedere Labs. “This report underscores the significance of contextualizing observed events with comprehensive threat and vulnerability intelligence to improve OT network monitoring and enhance incident response plans.”

Read the blog: Clearing the Fog of War – A critical analysis of recent energy sector cyberattacks in Denmark and Ukraine

After the second incident, further attacks targeted exposed devices within critical infrastructure worldwide in the ensuing months. Forescout researchers detected numerous IP addresses attempting to exploit the Zyxel vulnerability CVE-2023-28771, persisting as late as October 2023, across various devices, including additional Zyxel firewalls. Presently, six distinct power companies in European countries utilize Zyxel firewalls and may remain susceptible to potential exploitation by malicious actors.

This recent evidence underscores the imperative for energy firms and organizations overseeing critical infrastructure to place a greater emphasis on utilizing current threat intelligence, including information on malicious IPs and known exploited vulnerabilities. Governments are increasingly taking proactive measures by allocating funding to initiatives aimed at fortifying the security posture of critical infrastructure within the energy sector. Notably, the U.S. Department of Energy recently announced a new funding initiative, earmarking $70 million for this purpose just last week.

Forescout Research conducted this analysis utilizing its AEE, which encompasses both real and simulated connected devices. This environment serves as a comprehensive tool for pinpointing incidents and discerning threat actor patterns at a granular level. The goal is to enhance responses to intricate critical infrastructure attacks through detailed insights and understanding gained from this specialized testing environment.

For more information, download the full report, “Clearing the Fog of War.”

About Forescout

Forescout Technologies, Inc., a global cybersecurity leader, continuously identifies, protects and helps ensure the compliance of all managed and unmanaged connected cyber assets – IT, IoT, IoMT and OT. For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide vendor-agnostic, automated cybersecurity at scale. The Forescout® Platform delivers comprehensive capabilities for network security, risk and exposure management, and extended detection and response. With seamless context sharing and workflow orchestration via ecosystem partners, it enables customers to more effectively manage cyber risk and mitigate threats.

Contacts

Media Contacts
Steve Bosk

W2 Communications for Forescout

[email protected]

Carmen Harris

[email protected]

Topics:

Follow us:

Business Wire

Business Wire, a Berkshire Hathaway company, is the global leader in press release distribution and regulatory disclosure. Public relations, investor relations, public policy and marketing professionals rely on Business Wire for secure and accurate distribution of market-moving news and multimedia. Founded in 1961, Business Wire is a trusted source for news organizations, journalists, investment professionals and regulatory authorities, delivering news directly into editorial systems and leading online news sources via its multi-patented NX network. Business Wire’s global newsrooms are available to meet the needs of communications professionals and news media worldwide.

Partner eventsMore events

Current Month

06dec5:15 pm7:00 pmLe Wagon Demo DayDiscover the students' final projects

12dec4:00 pm9:30 pmAI in ActionPractical Insights for Digital Transformation

28jan4:00 pm10:00 pmUnlocking operational efficiency with AIInsights for your future

Share to...