A hacking campaign against Danish critical infrastructure last year believed to be conducted by Sandworm may not actually be the work of the infamous Russian hacking group, according to a new report from industrial cybersecurity firm Forescout.
In November 2023, SektorCERT, a Danish nonprofit cybersecurity center for critical infrastructure, warned about a series of cyberattacks against energy companies that they described as “the most extensive cyber-related attack we have experienced in Denmark to date.”
Around 22 energy companies were impacted by two campaigns: one in May of last year that exploited a vulnerability in a Zyxel firewall product by using an IP address linked to Sandworm, and another campaign weeks later that used infrastructure associated with the Mirai botnet, according to SektorCERT.
Sandworm, a hacking arm of the Russian Main Intelligence Directorate (GRU), is probably most widely known for its successful series of cyberattacks against the Ukrainian grid. But the second Danish campaign did not have any IPs associated with Sandworm, and SektorCERT was unsure whether the two campaigns were related.
“Whether the same attack group during this period was preparing for the second wave or other groups came into play, we do not know,” SektorCERT wrote at the time. “We are mostly inclined to believe that there were two different attack groups based on the ’style’ of the attacks. But whether the groups worked together, worked for the same employer or were completely unaware of each other’s existence, we do not yet know.”
While the initial report made headlines, the new report from Forescout, aptly titled “Clearing the Fog of War,” asserts that the first and second waves of attacks were unrelated and that Sandworm likely did not have anything to do with them.
The researchers found that the associated IP used to belong to Cyclops Blink, the botnet used by Sandworm that has since been dismantled. That IP has since been associated with the Katana Mirai variant botnet. It was also used by a Synology network attached storage device, Forescout researchers noted, meaning it was likely part of a broader IoT botnet of infected devices.
“There was no connection that they claimed on the report directly to Sandworm,” said Daniel dos Santos, head of security research at Forescout.
It’s not clear who was behind the initial attack wave that hit 11 energy companies, dos Santos said.
Additionally, the second campaign was likely part of a broader effort in which Danish critical infrastructure happened to get caught up because of unpatched firewalls, as it started before the next 11 companies were hit.
The new information shifts the theory from a series of targeted attacks by likely nation-backed hackers to the likelihood of a single targeted attack by unknown hackers, along with an opportunistic and massive exploitation of an unpatched firewall that happened to occur while critical infrastructure was being targeted.
“We’re entering a time now where there’s a lot of stuff going on in terms of geopolitics, conflicts and a lot of cyber expectations of what will happen,” dos Santos said. “It’s very important for organizations, for practitioners, for researchers to be able to separate things a little bit.”
While it’s understandable that SektorCERT would suggest that the two campaigns were related, as they occurred within weeks of each other, organizations defending against attacks like that would have separate responses, which could slow down incident response and remediation efforts.
“They did a very good work in defending things, but I think having more time to do a second analysis with other pieces of evidence will give some new insights,” dos Santos said.