SAN JOSE, Calif., January 11, 2024 – Forescout, today unveiled “Clearing the Fog of War,” a report that introduces fresh evidence regarding two previously documented attacks that affected the Danish energy sector in May 2023.
Forescout Research – Vedere Labs conducted an independent analysis of these attacks and discovered a larger campaign that could not be fully attributed to the Advanced Persistent Threat (APT) group, Sandworm, along with other findings that the Danish CERT, SektorCERT, did not publish in its November 2023 report.
In its Adversary Engagement Environment (AEE) observations, Vedere Labs’ identified two significant findings:
- Sandworm is not the common threat actor: Forescout researchers detailed a different technique for targeting the critical infrastructure in the second wave than the one used in the first attack wave. This suggests that Sandworm cannot be pointed to as the APT group associated with both waves of attacks.
- Copycat adopted mass exploit: The second wave of attacks took advantage of unpatched firewalls using a newly “popular” CVE-2023-27881 and additional IP addresses that went unreported in the SektorCERT report. Evidence suggests the second wave was part of a separate mass exploitation campaign.
“Distinguishing between a state-sponsored campaign aimed at disrupting critical infrastructure and a crimewave of mass-exploitation campaigns, while also accounting for potential overlaps between the two, is more manageable in hindsight than in the heat of the moment,” notes Elisa Costante, VP of Research at Forescout Research – Vedere Labs. “This report underscores the significance of contextualizing observed events with comprehensive threat and vulnerability intelligence to improve OT network monitoring and enhance incident response plans.”
Clearing the Fog of War – A critical analysis of recent energy sector cyberattacks in Denmark and Ukraine – Read blog
After the second incident, further attacks targeted exposed devices within critical infrastructure worldwide in the ensuing months. Forescout researchers detected numerous IP addresses attempting to exploit the Zyxel vulnerability CVE-2023-28771, persisting as late as October 2023, across various devices, including additional Zyxel firewalls. Presently, six distinct power companies in European countries utilize Zyxel firewalls and may remain susceptible to potential exploitation by malicious actors.
This recent evidence underscores the imperative for energy firms and organizations overseeing critical infrastructure to place a greater emphasis on utilizing current threat intelligence, including information on malicious IPs and known exploited vulnerabilities. Governments are increasingly taking proactive measures by allocating funding to initiatives aimed at fortifying the security posture of critical infrastructure within the energy sector. Notably, the U.S. Department of Energy recently announced a new funding initiative, earmarking $70 million for this purpose just last week.
Forescout Research conducted this analysis utilizing its AEE, which encompasses both real and simulated connected devices. This environment serves as a comprehensive tool for pinpointing incidents and discerning threat actor patterns at a granular level. The goal is to enhance responses to intricate critical infrastructure attacks through detailed insights and understanding gained from this specialized testing environment.
For more information, download the full report, “Clearing the Fog of War” – Download report
You can see all the information here.