{"id":2343,"date":"2024-01-11T22:44:27","date_gmt":"2024-01-11T22:44:27","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=78768"},"modified":"2024-01-11T22:44:27","modified_gmt":"2024-01-11T22:44:27","slug":"sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/01\/11\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says\/","title":{"rendered":"Sandworm probably wasn\u2019t behind Danish critical infrastructure cyberattack, report says"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Sandworm probably wasn\u2019t behind Danish critical infrastructure cyberattack, report says | CyberScoop<\/title> <meta name=\"description\" content=\"A hacking campaign thought to be attributed to the infamous Russian hacking group may have been the work of a different hacking group, Forescout researchers said in a new report.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/sandworm-sektorcert-critical-infrastructure-zyxel\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Sandworm probably wasn\u2019t behind Danish critical infrastructure cyberattack, report says\"> <meta property=\"og:description\" content=\"A hacking campaign thought to be attributed to the infamous Russian hacking group may have been the work of a different hacking group, Forescout researchers said in a new report.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/sandworm-sektorcert-critical-infrastructure-zyxel\/\"> 
<meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-01-11T22:44:27+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1215\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1701905043g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1704748048g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1704975497g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7dab012cdc88b5676610\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/78768\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=78768\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsandworm-sektorcert-critical-infrastructure-zyxel%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsandworm-sektorcert-critical-infrastructure-zyxel%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-78768 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/sandworm-sektorcert-critical-infrastructure-zyxel\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span 
class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.342710997442\">\n<div class=\"single-article__header-content\" readability=\"31.40127388535\">\n<p> A hacking campaign thought to be attributed to the infamous Russian hacking group may have been the work of a different hacking group, Forescout researchers said in a new report. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"405\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says.jpg?resize=640%2C405&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says-2.jpg?resize=300,190 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says-2.jpg?resize=768,486 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says-2.jpg?resize=1024,648 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says-2.jpg?resize=1536,972 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says-2.jpg?resize=600,380 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says-2.jpg?resize=265,168 265w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says-2.jpg?resize=533,337 533w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says-2.jpg?resize=1067,675 1067w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says-2.jpg?resize=1332,843 1332w\" sizes=\"(max-width: 1067px) 100vw, 1067px\"><figcaption> Buildings and ships along the harbor of Nyhavn in Copenhagen. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"43.787915554477\"><body readability=\"89.004477218857\"><\/p>\n<p>A hacking campaign against Danish critical infrastructure last year believed to be conducted by Sandworm may not actually be the work of the infamous Russian hacking group, according to a new report from industrial cybersecurity firm Forescout.<\/p>\n<p>In November 2023, SektorCERT, a Danish nonprofit cybersecurity center for critical infrastructure, warned about a series of cyberattacks against energy companies that they described as \u201cthe most extensive cyber-related attack we have experienced in Denmark to date.\u201d<\/p>\n<p>Around 22 energy companies were impacted by two campaigns: one in May of last year that exploited a vulnerability in a Zyxel firewall product by using an IP address linked to Sandworm, and another campaign weeks later that used infrastructure associated with the Mirai botnet, according to SektorCERT.&nbsp;<\/p>\n<p>Sandworm, a hacking arm of the Russian Main Intelligence Directorate (GRU), is probably most widely known for its successful series of cyberattacks against the Ukrainian grid. 
But the second Danish campaign did not have any IPs associated with Sandworm, and SektorCERT was unsure whether the two campaigns were related.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWhether the same attack group during this period was preparing for the second wave or other groups came into play, we do not know,\u201d SektorCERT <a href=\"https:\/\/sektorcert.dk\/wp-content\/uploads\/2023\/11\/SektorCERT-The-attack-against-Danish-critical-infrastructure-TLP-CLEAR.pdf\">wrote at the time<\/a>. \u201cWe are mostly inclined to believe that there were two different attack groups based on the \u2019style\u2019 of the attacks. But whether the groups worked together, worked for the same employer or were completely unaware of each other\u2019s existence, we do not yet know.\u201d<\/p>\n<p>While the initial report made headlines, the <a href=\"https:\/\/www.forescout.com\/blog\/analysis-of-energy-sector-cyberattacks-in-denmark-and-ukraine\/\">new report from Forescout<\/a> \u2014 aptly titled&nbsp; \u201cClearing the Fog of War\u201d \u2014 asserts that the first and second wave of attacks were unrelated and Sandworm likely did not have anything to do with it.<\/p>\n<p>The researchers found that the associated IP used to belong to Cyclops Blink, the botnet used by Sandworm that has since been dismantled. That IP has since been associated with the Katana Mirai variant botnet. 
It was also used by a Synology network attached storage device, Forescout researchers noted, meaning it was likely part of a broader IoT botnet of infected devices.<\/p>\n<p>\u201cThere was no connection that they claimed on the report directly to Sandworm,\u201d said Daniel dos Santos, head of security research at Forescout.<\/p>\n<p>It\u2019s not clear who was behind the initial attack wave that hit 11 energy companies, dos Santos said.&nbsp;&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Additionally, the second campaign was likely part of a broader effort, and Danish critical infrastructure happened to get swept up in it due to unpatched firewalls, as it started before the next 11 companies were hit.<\/p>\n<p>The new information changes the theory that it was a series of targeted attacks from likely nation-backed hackers to the likelihood of a single targeted attack by unknown hackers \u2014 and an opportunistic and massive exploitation of an unpatched firewall that happened to occur while critical infrastructure was being targeted.<\/p>\n<p>\u201cWe\u2019re entering a time now where there\u2019s a lot of stuff going on in terms of geopolitics, conflicts and a lot of cyber expectations of what will happen,\u201d dos Santos said. 
\u201cIt\u2019s very important for organizations, for practitioners, for researchers to be able to separate things a little bit.\u201d<\/p>\n<p>While it\u2019s understandable that SektorCERT would suggest that the two campaigns were related, as they occurred within weeks of each other, organizations defending against attacks like these would need separate responses, and treating the two as one could slow down incident response and remediation efforts.<\/p>\n<p>\u201cThey did a very good work in defending things, but I think having more time to do a second analysis with other pieces of evidence will give some new insights,\u201d dos Santos said.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.5727554179567\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sandworm-probably-wasnt-behind-danish-critical-infrastructure-cyberattack-report-says-1.jpg?w=640&#038;ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&amp;E News at POLITICO covering cybersecurity in the energy sector. 
Reach out:&nbsp; christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> 
<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/sandworm-sektorcert-critical-infrastructure-zyxel\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sandworm probably wasn\u2019t behind Danish critical infrastructure cyberattack, report says<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[413,1367,873,874,270,880,288],"tags":[415,1368,875,876,276,881,294],"class_list":["post-2343","post","type-post","status-publish","format-standard","hentry","category-critical-infrastructure","category-denmark","category-ics","category-operational-technology","category-russia","category-sandworm","category-threats","tag-critical-infrastructure","tag-denmark","tag-ics","tag-operational-technology","tag-russia","tag-sandworm","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/critical-infrastructure\/\" rel=\"category tag\">critical infrastructure<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/denmark\/\" rel=\"category tag\">Denmark<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ics\/\" rel=\"category tag\">ics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/operational-technology\/\" rel=\"category tag\">operational technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sandworm\/\" rel=\"category tag\">Sandworm<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2343","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2343"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2343\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2343"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}