Move Over, APTs: Cybercriminals Now Target Critical Infrastructure Too

Published: 23/11/2024   Category: security




Danish energy sector attacks attributed to Russia's Sandworm APT turn out to be the work of a new concern: cyber opportunists.



A crimewave of mass exploitation of Zyxel firewall devices has been washing over critical infrastructure in Europe — and Sandworm, the Russian state-sponsored advanced persistent threat (APT) that specializes in such attacks, is behind only part of it.
According to an analysis from Forescout Research's Vedere Labs unit this week, one of two previously reported attacks against the Danish energy sector in May was mistakenly attributed to Sandworm.
At the time, Danish critical infrastructure security nonprofit SektorCERT noted that attackers were leveraging multiple, critical vulnerabilities in Zyxel gear, including two zero-days, to isolate targets from the national grid, and that command-and-control (C2) servers known to be associated with Sandworm were involved, across two different campaigns.
Further analysis, however, shows that the second wave of attacks took advantage of unpatched firewalls using the newly popular CVE-2023-27881, plus additional C2 addresses that went unreported, according to the firm. Forescout's evidence suggests the second wave was part of a separate mass exploitation campaign.
Forescout researchers noted that the perpetrators are targeting firewalls indiscriminately and only changing staging servers periodically — a very different M.O. from that of the infamous APT.
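The two traits Forescout points to, indiscriminate targeting and periodic rotation of staging servers, can be turned into a simple triage heuristic. The following is an added example, not code from the article or from Forescout: it profiles each attacking source over a set of constructed exploitation-attempt records (RFC 5737 documentation addresses, invented asset names) and flags how broadly the source sprays, how often its staging server changes, and whether that infrastructure overlaps a (constructed) list of C2 indicators previously tied to an APT. The overlap flag is there to show why a C2 match alone is a weak basis for attribution: an opportunistic actor can share infrastructure with a state actor, which is exactly the misattribution the article describes.

```python
"""Added example (not from the article or Forescout): a toy heuristic that
separates indiscriminate mass exploitation from narrowly targeted activity
using the two traits the article names, target breadth and staging-server
rotation, and reports overlap with known C2 indicators separately."""
from collections import defaultdict
from datetime import datetime

# Constructed records: (ISO timestamp, source_ip, target_asset, staging_server).
# Addresses are RFC 5737 documentation ranges and asset names are invented;
# none of these are real indicators.
RECORDS = [
    # Source A: two utility firewalls, one staging server, five seconds apart.
    ("2023-05-22T01:00:00", "203.0.113.10", "dk-utility-a-fw", "198.51.100.5"),
    ("2023-05-22T01:00:05", "203.0.113.10", "dk-utility-b-fw", "198.51.100.5"),
    # Source B: eight unrelated targets over two days, staging server changed twice.
    ("2023-06-01T00:00:00", "203.0.113.77", "dk-utility-c-fw", "198.51.100.20"),
    ("2023-06-01T06:00:00", "203.0.113.77", "se-hosting-fw", "198.51.100.20"),
    ("2023-06-01T12:00:00", "203.0.113.77", "de-retail-fw", "198.51.100.20"),
    ("2023-06-01T18:00:00", "203.0.113.77", "nl-school-fw", "198.51.100.21"),
    ("2023-06-02T00:00:00", "203.0.113.77", "fr-clinic-fw", "198.51.100.21"),
    ("2023-06-02T06:00:00", "203.0.113.77", "pl-water-fw", "198.51.100.21"),
    ("2023-06-02T12:00:00", "203.0.113.77", "es-hotel-fw", "198.51.100.22"),
    ("2023-06-03T00:00:00", "203.0.113.77", "it-utility-fw", "198.51.100.22"),
]

# Constructed list standing in for "C2 addresses previously associated with
# an APT". In a real investigation this comes from threat intelligence.
KNOWN_APT_C2 = {"198.51.100.5"}


def profile_sources(records, known_c2=None, breadth_threshold=5):
    """Return, per source IP, a dict describing its targeting pattern.

    breadth_threshold is an assumed tuning knob: a source that hits at least
    this many distinct assets is treated as spraying indiscriminately.
    """
    known_c2 = set(known_c2 or ())
    by_src = defaultdict(list)
    for ts, src, target, stage in records:
        by_src[src].append((datetime.fromisoformat(ts), target, stage))

    profiles = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological, so rotations are counted in order
        targets = {t for _, t, _ in hits}
        stages = [s for _, _, s in hits]
        # A rotation is any consecutive pair of hits using different staging servers.
        rotations = sum(1 for a, b in zip(stages, stages[1:]) if a != b)
        hours_active = (hits[-1][0] - hits[0][0]).total_seconds() / 3600
        spraying = len(targets) >= breadth_threshold
        profiles[src] = {
            "targets": len(targets),
            "staging_servers": len(set(stages)),
            "rotations": rotations,
            "hours_active": round(hours_active, 1),
            # Shared infrastructure is reported, not used to decide the verdict.
            "c2_overlap": bool(known_c2 & set(stages)),
            "verdict": "mass-exploitation-like" if spraying else "targeted-like",
        }
    return profiles


if __name__ == "__main__":
    for src, p in profile_sources(RECORDS, KNOWN_APT_C2).items():
        print(src, p)
```

The point of keeping `c2_overlap` separate from `verdict` is that the breadth and rotation signals describe how a source behaves, while a C2 match only describes what it talks to; the second is the one that was misleading in the Danish case. Real use would replace the constructed records with firewall or IDS events and tune `breadth_threshold` to the environment.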
"Distinguishing between a state-sponsored campaign aimed at disrupting critical infrastructure and a crimewave of mass exploitation campaigns, while also accounting for potential overlaps between the two, is more manageable in hindsight than in the heat of the moment," notes Elisa Costante, vice president of research at Forescout Research. "This report underscores the significance of contextualizing observed events with comprehensive threat and vulnerability intelligence to improve operational technology (OT) network monitoring and enhance incident response plans."
After the Danish attacks, further cyberactivity targeted exposed devices within critical infrastructure worldwide for months, with Forescout researchers detecting numerous IP addresses attempting to exploit the Zyxel bug across various devices as recently as October. And attacks could still continue: at least six different power companies in European countries use Zyxel firewalls and may remain susceptible to exploitation by malicious actors, according to Forescout.
The fact that garden-variety opportunistic cyberattackers are getting into the ICS game should worry cyber defenders, according to John Gallagher, vice president of Viakoo Labs at Viakoo.
"Forescout's analysis points to the spillover from nation-state directed cyber exploits to mass exploitation campaigns, which is an alarming trend," he says. "As mass market threat actors become more skilled at working within the unique languages and protocols of ICS systems, it dramatically increases the risk of nonaffiliated threat actors providing as-a-service ICS exploitation."
That trend will ironically be exacerbated by the modernization of the technology used by utilities and other critical infrastructure environments, notes Craig Jones, vice president of security operations at Ontinue.
"As infrastructure becomes increasingly connected and reliant on digital systems, the potential attack surface for cybercriminals rises," Jones explains. "We can expect to see more sophisticated attacks that exploit specific vulnerabilities in these systems moving forward. Furthermore, the ever-growing value of data may lead to more targeted ransomware attacks that aim to extract or encrypt particularly valuable or sensitive information."
