Further analysis of Denmark attacks leads to warning about unpatched network gear

Siva Ramakrishnan
What happened in Denmark can also happen to you, cybersecurity researchers are warning in a new report that examines attacks against the country’s energy sector last year.

Waves of incidents in May that seemed like a highly targeted effort by a nation-state actor — perhaps Russia’s Sandworm hacking group — might have been less connected than originally thought, according to a new report by Forescout.

The researchers say their analysis found two distinct waves against Danish energy providers, and evidence suggests they were unrelated.

The first wave seems to have “no direct link to Sandworm,” Forescout said. The researchers’ findings also suggest that “the second wave was simply part of a mass exploitation campaign against unpatched firewalls, not part of a targeted attack by Sandworm or another state-sponsored actor.”

The takeaway is that “critical infrastructure organizations across Europe should remain alert to attacks on unpatched network infrastructure devices.”

“Dismissing these events as targeted to a specific country or organization(s) can put other vulnerable organizations at risk,” Forescout says.

Denmark’s computer emergency response agency, SektorCERT, reported on the attacks in November. Nearly two dozen companies were affected, and the intrusions usually involved the abuse of products from the Taiwan-based manufacturer Zyxel, which primarily sells networking hardware.

The Forescout report also dives into the technical details of a late 2022 Ukraine incident analyzed by Mandiant nearly a year later. That attack, definitively attributed to Sandworm, caused a temporary power outage before widespread missile strikes on critical infrastructure throughout Ukraine.

Forescout’s team said the attack wasn’t “a major leap forward,” but it showed how threat actors can use “living off the land” techniques within operational technology — like the kind that controls power infrastructure — to gain a “stealth benefit.” The problem for administrators, Forescout said, is the “common lack of detection and hardening capabilities around native OT scripting functionality.”

More specifically, the 2022 attack involved “native SCADA scripting capabilities,” or industrial control code that was already in the system. By contrast, attacks like the famous BlackEnergy and Industroyer attacks on Ukraine relied on custom malware.

Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

