Image: Amagerværket power station in Copenhagen, Denmark. Lars Plougmann via WikiMedia Commons

Further analysis of Denmark attacks leads to warning about unpatched network gear

What happened in Denmark can also happen to you, cybersecurity researchers are warning in a new report that examines attacks against the country’s energy sector last year.

Waves of incidents in May that seemed like a highly-targeted effort by a nation-state actor — perhaps Russia’s Sandworm hacking group — might have been less connected than originally thought, according to a new report by Forescout.

The researchers say their analysis found two distinct waves against Danish energy providers, and evidence suggests they were unrelated.

The first wave seems to have “no direct link to Sandworm,” Forescout said. The researchers’ findings also suggest that “the second wave was simply part of a mass exploitation campaign against unpatched firewalls, not part of a targeted attack by Sandworm or another state-sponsored actor.”

The takeaway is that “critical infrastructure organizations across Europe should remain alert to attacks on unpatched network infrastructure devices.”

“Dismissing these events as targeted to a specific country or organization(s) can put other vulnerable organizations at risk,” Forescout says.

Denmark’s computer emergency response agency, SektorCERT, reported on the attacks in November. Nearly two dozen companies were affected, and the intrusions usually involved the abuse of products from the Taiwan-based manufacturer Zyxel, which primarily sells networking hardware.

The Forescout report also dives into the technical details of a late 2022 Ukraine incident analyzed by Mandiant nearly a year later. That attack, definitively attributed to Sandworm, caused a temporary power outage before widespread missile strikes on critical infrastructure throughout Ukraine.

Forescout’s team said the attack wasn’t “a major leap forward,” but it showed how threat actors can use “living off the land” techniques within operational technology — like the kind that controls power infrastructure — to gain a “stealth benefit.” The problem for administrators, Forescout said, is the “common lack of detection and hardening capabilities around native OT scripting functionality.”

More specifically, the 2022 attack involved “native SCADA scripting capabilities,” or industrial control code that was already in the system. By contrast, attacks like the famous BlackEnergy and Industroyer attacks on Ukraine relied on custom malware.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Joe Warminsky

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.