What happened in Denmark could happen to you, cybersecurity researchers warn in a new report examining attacks on the country’s energy sector last year.
A series of incidents in May that appeared to be a highly targeted effort by a nation-state actor (possibly Russia’s Sandworm hacking group) were not as connected as initially thought, according to a new Forescout report, and the relationship between them may have been even more tenuous.
The researchers say their analysis found two distinct waves of attacks on Danish energy providers and that there is evidence to suggest they are unrelated.
There appears to be “no direct connection to Sandworm” in the first wave, Forescout said. The researchers’ findings also indicate that “the second wave was simply part of a large-scale exploitation campaign against unpatched firewalls, and not part of a targeted attack by Sandworm or other state-sponsored actors.”
The report’s bottom line is that “critical infrastructure organizations across Europe must remain vigilant against attacks against unpatched network infrastructure devices.”
“Ignoring these events as targeted at specific countries or organizations can put other vulnerable organizations at risk,” Forescout said.
SektorCERT, Denmark’s computer emergency response agency, reported on the attack in November. Nearly 20 companies were affected, and the intrusions typically involved exploiting products from Zyxel, a Taiwan-based manufacturer that primarily sells networking hardware.
The Forescout report also goes into technical details of the Ukraine incident in late 2022, which Mandiant analyzed almost a year later. The attack, apparently carried out by Sandworm, caused a temporary power outage before widespread missile strikes on critical infrastructure across Ukraine.
Forescout’s team said the attack was not a “giant leap forward,” but it does demonstrate how attackers can leverage “living off the land” techniques within operational technology (OT) environments, such as those controlling power infrastructure, to gain “stealth benefits,” showing what such an approach can accomplish. The problem for administrators, Forescout said, is “the general lack of detection and hardening capabilities around native OT scripting capabilities.”
More specifically, the 2022 attack involved “native SCADA scripting functionality,” or industrial control code that was already present in the system. In contrast, attacks such as the well-known BlackEnergy and Industroyer attacks against Ukraine relied on custom malware.
Joe Warminsky is the news editor at Recorded Future News. He has over 25 years of experience as an editor and writer in the Washington, DC area. Most recently, he served as a leader at CyberScoop for over five years. Previously, he served as digital editor at NPR affiliate WAMU 88.5 in Washington, where he spent more than a decade editing Congressional coverage for CQ Roll Call.