Sandworm is not to blame: new details of attacks on critical infrastructure in Denmark have emerged

Researchers now believe that a mistake was made in the original analysis of the May incidents involving Zyxel firewalls.

In May 2023, Denmark faced a cyberattack on its critical infrastructure. According to the non-profit cyber security center SektorCERT, 22 energy sector organizations were compromised as a result of the attacks. The incident caused considerable concern among the public and in government bodies.

According to the SektorCERT report, the attacks were carried out using vulnerabilities in Zyxel firewalls, including CVE-2023-28771, CVE-2023-33009 and CVE-2023-33010. The vulnerabilities were disclosed and patched at around the same time.

The report suggested the involvement of the Sandworm group, even though APT groups of this kind had not previously shown interest in Danish critical infrastructure, or in Denmark as a whole.

A new analysis by Forescout paints a different picture. Its study of the attacks, which came in two waves separated by several weeks, suggests that Sandworm may not have been involved in the campaign at all.

The first wave began on May 11, 2023. The attackers exploited CVE-2023-28771, which had been disclosed two weeks before the incident, and did so a week before a working public exploit was published. This points to a possible targeted attack, even though there are around 700 vulnerable Zyxel firewalls in Denmark.

The second wave began on May 22, a few weeks after the first. According to Forescout, a different set of attackers was behind it. These incidents may have been part of a mass operation to infect Zyxel devices with Mirai botnet malware.

In fact, all of the activity against Zyxel devices that Forescout recorded during this period involved exploitation of CVE-2023-28771, and the attacks on Danish organizations were no exception.

According to the researchers, the first and second waves of attacks are unrelated. Although the Danish energy sector was affected, this was most likely coincidental.

The first wave does look more sophisticated and focused. However, Forescout found no direct evidence of Sandworm's involvement.

The company notes that, globally, more than 40,000 Zyxel firewalls are reachable from the internet, many of them protecting critical infrastructure facilities in various countries.