Forescout unveiled "Clearing the Fog of War,"
a report that introduces fresh evidence regarding two previously
documented attacks that affected the Danish energy sector in May 2023.
Forescout Research - Vedere Labs conducted an independent analysis of
these attacks and discovered a larger campaign that could not be fully
attributed to the Advanced Persistent Threat (APT) group, Sandworm,
along with other findings that the Danish CERT, SektorCERT, did not
publish in its November 2023 report.
In its Adversary Engagement Environment (AEE) observations, Vedere Labs identified two significant findings:
- Sandworm is not the common threat actor: Forescout researchers
detailed a different technique for targeting the critical infrastructure
in the second wave than the one used in the first attack wave. This
suggests that Sandworm cannot be pointed to as the APT group associated
with both waves of attacks.
- Copycat adopted mass exploit: The second wave of attacks took
advantage of unpatched firewalls using a newly "popular" CVE-2023-27881
and additional IP addresses that went unreported in the SektorCERT
report. Evidence suggests the second wave was part of a separate mass
exploitation campaign.
"Distinguishing between a state-sponsored campaign aimed at disrupting
critical infrastructure and a crimewave of mass exploitation campaigns,
while also accounting for potential overlaps between the two, is more
manageable in hindsight than in the heat of the moment," notes Elisa
Costante, VP of Research at Forescout Research - Vedere Labs. "This
report underscores the significance of contextualizing observed events
with comprehensive threat and vulnerability intelligence to improve OT
network monitoring and enhance incident response plans."
After the second incident, further attacks targeted exposed devices
within critical infrastructure worldwide in the ensuing months.
Forescout researchers detected numerous IP addresses attempting to
exploit the Zyxel vulnerability CVE-2023-28771, persisting as late as
October 2023, across various devices, including additional Zyxel
firewalls. Presently, six distinct power companies in European countries
utilize Zyxel firewalls and may remain susceptible to potential
exploitation by malicious actors.
This recent evidence underscores the imperative for energy firms and
organizations overseeing critical infrastructure to place a greater
emphasis on utilizing current threat intelligence, including information
on malicious IPs and known exploited vulnerabilities. Governments are
increasingly taking proactive measures by allocating funding to
initiatives aimed at fortifying the security posture of critical
infrastructure within the energy sector. Notably, the U.S. Department of
Energy announced a new funding initiative just last week, earmarking $70 million for this purpose.
Forescout Research conducted this analysis utilizing its AEE, which
encompasses both real and simulated connected devices. This environment
serves as a comprehensive tool for pinpointing incidents and discerning
threat actor patterns at a granular level. The goal is to enhance
responses to intricate critical infrastructure attacks through detailed
insights and understanding gained from this specialized testing
environment.
For more information, download the full report, "Clearing the Fog of War."