Forescout publishes critical analysis of recent energy sector cyberattacks in Denmark, Ukraine


Forescout Technologies has released a threat briefing that examines two recently published cyberattacks targeting the energy sector in Denmark and Ukraine, both of which have been attributed, or at least loosely connected, to the Russian military threat actor known as Sandworm, one of the most notorious APT (advanced persistent threat) groups in operation.

“Evidence suggests that the two waves of attacks on Danish infrastructure reported by SektorCERT were unrelated. It also suggests that the second wave was simply part of a mass exploitation campaign against unpatched firewalls, not part of a targeted attack by Sandworm or another state-sponsored actor,” Forescout wrote in its ‘Clearing the Fog of War’ report published Thursday.

Through the report from its Vedere Labs arm, Forescout added that “our data reveals that the campaign described as the ‘second wave’ of attacks on Denmark started before, and continued after, the period reported by SektorCERT, targeting firewalls indiscriminately in a very similar manner, only changing staging servers periodically. We see a prevalence of exploitation attempts in Europe, where nearly 80% of publicly identifiable and potentially vulnerable firewalls are located.”

Furthermore, there is little evidence that OT (operational technology) attacks using ‘living off the land’ (LotL) techniques are faster than approaches using custom malware. However, LotL techniques provide a stealth benefit to attackers and demonstrate that they continue to deploy new OT-oriented TTPs (tactics, techniques, and procedures) rather than rely on existing capabilities alone. 

There is also one previously undiscussed advantage to LotL techniques: they let attackers abstract away from legacy and proprietary OT protocols that lack open-source implementations or extensive available documentation, since the native scripting functionality of the OT environment already speaks those protocols for them.

In a company blog post, Forescout researcher Jos Wetzels reiterated those findings: the two waves of attacks on Danish infrastructure reported by SektorCERT, the Danish CERT for critical infrastructure, were unrelated, and the second wave was simply part of a mass exploitation campaign against unpatched firewalls rather than a targeted attack by Sandworm or another state-sponsored actor.

He added that attacks leveraging vulnerabilities in network infrastructure devices will continue to increase. “Poorly secured routers and firewalls, for instance, pose great risks to organizations. We advise organizations worldwide to prioritize securing these devices.”

Wetzels said that the findings of the report highlight the importance of correlating observed events with other sources of threat intelligence, such as malicious IPs and currently known exploited vulnerabilities. “They also mean that critical infrastructure organizations all over Europe should remain alert to attacks on unpatched network infrastructure devices. Dismissing these events as targeted to a specific country or specific organizations can be risky for other vulnerable organizations.”

“On November 13, 2023, SektorCERT published a report detailing how, between the 11th and 30th of May 2023, two waves of attacks gained access to the infrastructure of 22 companies in the Danish energy sector via vulnerabilities in their Zyxel firewalls,” Forescout disclosed. “While the SektorCERT sensor network quickly noticed the attacks, allowing for a rapid response, the attackers reportedly had access to the industrial control systems of multiple companies, compelling some to go into island mode (operating without being connected to the energy grid).”

The first wave of attacks exploited CVE-2023-28771, a pre-authentication OS command injection vulnerability in the Internet Key Exchange (IKE) packet decoder of several unpatched Zyxel firewalls, reachable via port 500/UDP on the WAN interface and resulting in a root shell. This wave began before a public exploit was available and used exploit payloads specific to the compromised devices, which suggests a potentially targeted attack, even if the exploit was trivial to develop.

The report also pointed out that the serious vulnerability was first made public, together with available patches, on April 25th – more than two weeks before the attacks. “Although the first public writeup and PoC were only made public on May 19th, a week after the first attack wave began, the exploit was fairly trivial. Even though the firmware was encrypted, potentially complicating differential patch analysis, a public bypass was available, allowing any moderately skilled attacker to develop an exploit in those two weeks,” it added. 

After achieving initial access, the exploited firewalls connected back to 46.8.198[.]196 and received a command to retrieve current usernames and configuration information. 

The SektorCERT report mentions that, at the time of the first wave, no public information was available regarding which exposed Zyxel firewalls were vulnerable to CVE-2023-28771 and which were not, and no scans prior to the attack were observed. It is not feasible to determine the exact vendor, model, and firmware revision from IKE alone – though some older coarse IKE fingerprinting tooling exists. The Metasploit module for CVE-2023-28771 also lacks an IKE fingerprinting method.

In the second wave, starting on the 22nd of May 2023, (potentially different) attackers started downloading MIPS binaries over HTTP from 45.89.106[.]147 to Zyxel firewalls in a targeted energy sector organization, the report disclosed. “The binaries in question are Mirai variants containing indicators of the Moobot flavor. After installing the malware, the firewalls started communicating on port 56999/TCP (a known C2 port for Mirai variants) with a server at ‘www.joshan[dot]pro’ (registered three weeks before the attack) resolving to 185.44.81[.]147. The firewalls then started participating in DDoS and SSH brute-force attacks against targets in Hong Kong, the U.S., and Canada.” 

Interestingly, one of the DDoS targets seems to be historically associated, through domain resolution both at the time of the attacks and before it, with infrastructure hosting many kinds of generic malware, such as adware and droppers. 

In the days after this initial attack of the second wave, Zyxel firewalls at other SektorCERT member organizations were observed similarly trying to download Mirai variants from various staging servers. Investigation of these staging server IPs shows that they were historically associated with the distribution of many kinds of malware, such as Mirai and BASHLITE/Gafgyt variants, adware, ransomware, as well as different campaigns, including Log4j exploitation attempts. 

In addition, Forescout said that some of the filenames under which the malware was dropped appear in the three-year-old public code of a QBot variant. “Successful infection of the firewalls was followed by C2 communications with the same IP on port 56999/TCP. During the same period when the attacks on Danish infrastructure were occurring (more precisely on May 24-26), we observed, within our AEE [Adversary Engagement Environment], 12 attacks that were very similar to the ones mentioned in the SektorCERT report. All these attacks came from 109.207.200[.]43, an address not mentioned in that report. All the attacks targeted CVE-2023-28771 and used exploits with similar payloads, indicating that they were adapted from a public proof of concept,” it added.


Another botnet sample mentioned in the report was also uploaded to an open malware-sharing platform on May 27th from an IP address that Forescout also observed performing port scanning against the AEE as late as July (more than a month after the Danish attacks).

All of the above evidence points to the second wave of attacks on Danish organizations as being part of a larger campaign of indiscriminate botnet exploitation using a newly ‘popular’ CVE, not a targeted attack or something related to the first wave. The first wave had used payloads specific to Zyxel and occurred before public proofs-of-concept were available.

Forescout draws two main takeaways from its analysis of these incidents targeting the energy sector. The first is that, while the Danish energy sector incident shows the power of extensive network monitoring and a quick and coordinated response (no easy feat during massive exploitation campaigns), it also shows the uncertainty around attacker intent and the level of incident seriousness that can arise during such an event.

Also, distinguishing between a state-sponsored campaign targeted at disrupting critical infrastructure and crimeware mass exploitation campaigns, and accounting for possible overlaps between the two, is more easily done in hindsight than in real-time. Contextualization based on detailed threat and vulnerability intelligence can help security professionals identify where to focus. In addition, this incident shows once again the frailty of perimeter security devices and the continuing need for complementary monitoring. 

Secondly, rather than a major leap forward, the emergence of OT-oriented LotL TTPs in the October 2022 Ukrainian incident primarily represents a stealth benefit to attackers due to the common lack of detection and hardening capabilities around native OT scripting functionality. It also shows attackers continue to develop new OT-oriented TTPs rather than rely solely on existing capabilities.

The report’s analysis and conclusions provide critical mitigation recommendations, including the identification, patching, and hardening of exposed network infrastructure/perimeter devices. Another key measure is the segmentation of the network to prevent lateral movement to and from exposed assets. Ongoing threat detection in OT networks is emphasized, and leveraging up-to-date threat intelligence, encompassing malicious IPs and known exploited vulnerabilities, is described as essential.
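To make the correlation advice above concrete, here is an added Python example (not Forescout’s, Vedere Labs’ or SektorCERT’s code) that runs the indicators quoted in this article (the first-wave callback, the Mirai staging and C2 IPs, and the 56999/TCP C2 port) over a handful of constructed firewall log lines. It flags direct IOC hits in either direction, outbound connections to the C2 port regardless of destination, and internet-sourced IKE reaching the WAN interface (the attack surface for CVE-2023-28771, recorded as exposure rather than compromise), and it counts how many distinct organizations each external source hit, the kind of breadth signal that separates indiscriminate mass exploitation from a targeted wave. The log format, the organization names, the 1.2.3.4 source and the non-IOC 198.51.100.x destinations are all constructed for the example.

```python
"""Correlate firewall events with threat-intel indicators (added example).

Not Forescout, Vedere Labs or SektorCERT code. Indicators are the defanged
IPs/ports quoted in the article; log lines and org names are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators quoted in the article, kept defanged as intel feeds usually ship them.
DEFANGED_IOCS = {
    "46.8.198[.]196": "first-wave callback after CVE-2023-28771 exploitation",
    "45.89.106[.]147": "second-wave Mirai/Moobot staging server (HTTP)",
    "185.44.81[.]147": "Mirai C2, www.joshan[dot]pro",
    "109.207.200[.]43": "mass CVE-2023-28771 exploitation seen on Forescout's AEE",
}
C2_PORTS = {56999}   # 56999/TCP: known Mirai-variant C2 port per the report
IKE_PORT = 500       # CVE-2023-28771 is reached through the IKE decoder on 500/UDP


def refang(indicator: str) -> str:
    """Turn '46.8.198[.]196' or 'www.joshan[dot]pro' into a matchable value."""
    return indicator.replace("[.]", ".").replace("[dot]", ".")


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}

# Constructed log format: "<ts> <org> <src>:<sport> -> <dst>:<dport> <proto> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<org>\S+) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<proto>udp|tcp) (?P<action>\w+)$"
)


@dataclass
class Finding:
    ts: str
    org: str
    kind: str      # "ioc-match", "c2-port" or "exposed-ike"
    detail: str


def classify(line: str):
    """Return a Finding for one log line, or None if nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    dport = int(f["dport"])
    # 1. Direct IOC hit in either direction: highest confidence.
    for ip, role in ((f["dst"], "outbound to"), (f["src"], "inbound from")):
        if ip in IOCS:
            return Finding(f["ts"], f["org"], "ioc-match", f"{role} {ip}: {IOCS[ip]}")
    # 2. Outbound TCP to a known C2 port, whatever the destination.
    if f["proto"] == "tcp" and dport in C2_PORTS:
        return Finding(f["ts"], f["org"], "c2-port", f"outbound {f['dst']}:{dport}")
    # 3. Internet-sourced IKE allowed on the WAN side: attack surface, not compromise.
    if (f["proto"] == "udp" and dport == IKE_PORT and f["action"] == "allow"
            and ipaddress.ip_address(f["src"]).is_global):
        return Finding(f["ts"], f["org"], "exposed-ike", f"IKE from {f['src']} on WAN")
    return None


def correlate(lines):
    """All findings for a list of log lines, in log order."""
    return [x for x in (classify(line) for line in lines) if x is not None]


def source_breadth(lines):
    """Distinct organizations each internet source hit.

    A source seen against many unrelated organizations looks like mass
    exploitation; one hitting a single organization with a bespoke payload
    looks targeted. This is a coarse signal, not attribution.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and ipaddress.ip_address(m["src"]).is_global:
            seen[m["src"]].add(m["org"])
    return {src: len(orgs) for src, orgs in seen.items()}


# Constructed sample: two member orgs, a mass-exploitation source hitting both,
# a first-wave callback, a Mirai download/C2 sequence, and benign noise.
# 1.2.3.4 is a constructed non-IOC internet source; 203.0.113.x are the orgs' WAN IPs.
SAMPLE_LOG = [
    "2023-05-11T03:14:00Z orgA 109.207.200.43:40000 -> 203.0.113.10:500 udp allow",
    "2023-05-11T03:14:05Z orgA 203.0.113.10:41234 -> 46.8.198.196:443 tcp allow",
    "2023-05-20T12:00:00Z orgA 1.2.3.4:500 -> 203.0.113.10:500 udp allow",
    "2023-05-24T10:00:00Z orgB 109.207.200.43:40001 -> 203.0.113.20:500 udp allow",
    "2023-05-22T08:00:00Z orgB 203.0.113.20:51000 -> 45.89.106.147:80 tcp allow",
    "2023-05-22T08:00:09Z orgB 203.0.113.20:51001 -> 185.44.81.147:56999 tcp allow",
    "2023-05-22T08:01:00Z orgB 203.0.113.20:51002 -> 198.51.100.9:56999 tcp allow",
    "2023-05-22T08:02:00Z orgB 10.0.0.5:33000 -> 203.0.113.20:500 udp allow",
    "2023-05-22T08:03:00Z orgB 203.0.113.20:51003 -> 198.51.100.7:443 tcp allow",
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(f"{finding.ts} {finding.org} {finding.kind}: {finding.detail}")
    print(source_breadth(SAMPLE_LOG))
```

Two design points matter in practice. Matching is ordered by confidence: an IOC hit outranks a port heuristic, and the IKE rule only records exposure, because a WAN-reachable IKE decoder is exactly what the first wave needed but says nothing about whether a given device was exploited. The breadth count is what Forescout’s AEE data effectively supplied for the second wave: the same source and the same payload against many unrelated targets is the signature of opportunistic mass exploitation, whereas a bespoke payload against one organization before any public proof of concept existed is what made the first wave look targeted.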

In November, industrial cybersecurity company Dragos said that the Electrum threat group had targeted a Ukrainian electric entity using custom tools and CaddyWiper malware in October 2022. The Electrum threat group, known for its technical overlaps with the Sandworm APT, has been identified as the perpetrator behind multiple cyber attacks on Ukrainian electric utilities. Notably, they were responsible for a power outage in 2016 that affected a quarter million homes. The recently disclosed attack exhibits similarities to their previous malicious activities.
