Further analysis of Denmark attacks leads to warning about unpatched network gear

What happened in Denmark can also happen to you, cybersecurity researchers are warning in a new report that examines attacks against the country’s energy sector last year.

Waves of incidents in May that seemed like a highly-targeted effort by a nation-state actor — perhaps Russia’s Sandworm hacking group — might have been less connected than originally thought, according to a new report by Forescout.

The researchers say their analysis found two distinct waves against Danish energy providers, and evidence suggests they were unrelated.

The first wave seems to have “no direct link to Sandworm,” Forescout said. The researchers’ findings also suggest that “the second wave was simply part of a mass exploitation campaign against unpatched firewalls, not part of a targeted attack by Sandworm or another state-sponsored actor.”

The takeaway is that “critical infrastructure organizations across Europe should remain alert to attacks on unpatched network infrastructure devices.”

“Dismissing these events as targeted to a specific country or organization(s) can put other vulnerable organizations at risk,” Forescout says.

Denmark’s computer emergency response agency, SektorCERT, reported on the attacks in November. Nearly two dozen companies were affected, and the intrusions usually involved the abuse of products from the Taiwan-based manufacturer Zyxel, which primarily sells networking hardware.

The Forescout report also dives into the technical details of a late 2022 Ukraine incident analyzed by Mandiant nearly a year later. That attack, definitively attributed to Sandworm, caused a temporary power outage before widespread missile strikes on critical infrastructure throughout Ukraine.

Forescout’s team said the attack wasn’t “a major leap forward,” but it showed how threat actors can use “living off the land” techniques within operational technology — like the kind that controls power infrastructure — to gain a “stealth benefit.” The problem for administrators, Forescout said, is the “common lack of detection and hardening capabilities around native OT scripting functionality.”

More specifically, the 2022 attack involved “native SCADA scripting capabilities,” or industrial control code that was already in the system. By contrast, attacks like the famous BlackEnergy and Industroyer attacks on Ukraine relied on custom malware.