Last year's cyber attacks on the Danish energy sector may not have been the work of the Russia-linked Sandworm hacking group after all, according to new findings. The attacks hit around 22 Danish energy organizations and came in two waves. The first wave exploited a security flaw in Zyxel firewalls; the second involved the deployment of Mirai botnet variants. Forescout, which examined the campaign, concluded that the two waves were unrelated and unlikely to be the work of a state-sponsored group: the second wave was part of a broader mass exploitation campaign against unpatched Zyxel firewalls rather than an operation aimed specifically at Denmark. The identity of the attackers is still unknown.
Further analysis by Forescout found that the activity may have started as early as February 16 and continued until October 2023, with targets across Europe and the U.S. This indicates that exploitation of the Zyxel firewall flaw is ongoing and not limited to Danish critical infrastructure. Forescout emphasized that the attackers were going after exposed devices wherever they found them; some of those devices happened to be Zyxel firewalls protecting critical infrastructure organizations.
In short: the attacks came in two waves, exploited a Zyxel firewall flaw and deployed Mirai variants, and were probably not Sandworm's work; the attackers remain unidentified. The wider campaign ran from at least February 16 to October 2023 against targets across Europe and the U.S. The practical takeaway is that the Zyxel flaw is still being exploited at scale, so any organization with an unpatched, Internet-exposed Zyxel firewall is a candidate target regardless of sector, and overlap with a known actor's timing or tooling is not by itself grounds for attribution.