Hackers compromised 22 energy organizations in a coordinated attack against Denmark’s critical infrastructure, SektorCERT, the non-profit cybersecurity center for Denmark’s critical sectors, reveals.
The attack, which took place in May 2023, saw the victim organizations compromised within a few days of each other, making it the largest attack against Danish critical infrastructure to date.
“Denmark is constantly under attack. But it is unusual that we see so many concurrent, successful attacks against the critical infrastructure. The attackers knew in advance who they were going to target and got it right every time,” SektorCERT notes in a report (PDF).
For initial access, the hackers exploited multiple vulnerabilities in Zyxel firewalls, executing code on the devices and gaining complete control over the impacted systems.
On May 11, the threat actors targeted 16 Danish energy organizations with attacks exploiting CVE-2023-28771 (CVSS score of 9.8), a critical, unauthenticated OS command injection flaw in Zyxel’s ATP, USG FLEX, VPN, and ZyWALL/USG firewalls that was disclosed in late April.
The attackers successfully compromised 11 of them, executing commands on the vulnerable firewalls to retrieve device configurations and usernames. All affected networks were secured by the end of the day, SektorCERT says.
A second wave of attacks, observed on May 22, involved new tools and exploitation of two zero-day vulnerabilities in Zyxel devices.
The bugs, tracked as CVE-2023-33009 and CVE-2023-33010, were patched by Zyxel on May 24. That same day, the attackers began targeting multiple Danish energy firms with different payloads and exploits, and continued the assault on May 25.
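The practical question the three CVEs above raise for any defender running these firewalls is simply which devices in the inventory are still below the fixed firmware. The following triage script is an added example, not code from SektorCERT, Zyxel, or the report; it parses ZLD-style version strings and flags each device against the three CVEs. The fixed-version thresholds encoded in it are the ones I recall from Zyxel’s April and May 2023 advisories and are an assumption of this example; confirm them against the vendor advisories before acting on its output. The inventory rows are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]  # (major, minor, patch level)

# First firmware release that fixes each CVE, per product family.
# ASSUMPTION: values recalled from Zyxel's April/May 2023 advisories; verify before use.
# Conservative simplification: any version below the fix is treated as affected,
# ignoring the lower bound of the affected range the advisories also give.
FIXED_IN: Dict[str, Dict[str, Version]] = {
    "CVE-2023-28771": {
        "ATP": (5, 36, 0), "USG FLEX": (5, 36, 0), "VPN": (5, 36, 0), "ZyWALL/USG": (4, 73, 1),
    },
    "CVE-2023-33009": {
        "ATP": (5, 36, 2), "USG FLEX": (5, 36, 2), "VPN": (5, 36, 2), "ZyWALL/USG": (4, 73, 2),
    },
    "CVE-2023-33010": {
        "ATP": (5, 36, 2), "USG FLEX": (5, 36, 2), "VPN": (5, 36, 2), "ZyWALL/USG": (4, 73, 2),
    },
}

# Accepts strings such as "V5.36(ABFW.0)", "V5.36(ABFW.0) Patch 1" or "V4.73 Patch 2".
# The optional parenthesised build token is Zyxel's model/branch tag and is ignored.
_VERSION_RE = re.compile(
    r"^\s*V?(\d+)\.(\d+)(?:\([^)]*\))?(?:\s*Patch\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Version:
    """Turn a ZLD-style version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVE IDs whose fix the given device has not yet received."""
    running = parse_version(version)
    hits = []
    for cve, fixes in FIXED_IN.items():
        if product not in fixes:
            raise ValueError(f"unknown product family: {product!r}")
        if running < fixes[product]:
            hits.append(cve)
    return hits


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each hostname to its outstanding CVEs; only exposed devices are returned."""
    report = {}
    for host, product, version in inventory:
        cves = affected_cves(product, version)
        if cves:
            report[host] = cves
    return report


# Constructed sample inventory (hostname, product family, firmware string); not real devices.
SAMPLE_INVENTORY = [
    ("fw-substation-01", "ATP", "V5.35(ABFW.0)"),
    ("fw-substation-02", "USG FLEX", "V5.36(ABUJ.0)"),
    ("fw-branch-03", "ZyWALL/USG", "V4.73 Patch 1"),
    ("fw-hq-04", "VPN", "V5.36(ABFV.0) Patch 2"),
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: missing fixes for {', '.join(cves)}")
```

A device reported as clean by this script is only clean with respect to the firmware version; the report's own finding that attackers obtained configurations and usernames from compromised firewalls means a device that was exposed before patching still needs its configuration reviewed and credentials rotated.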
SektorCERT says it worked together with the victim organizations to apply the available patches and secure the compromised networks immediately after the attacks were identified.
The cybersecurity organization also notes that, in at least one of the attacks, it observed activity associated with Sandworm, a Russian state-sponsored advanced persistent threat (APT) actor linked to the GRU, Russia’s military intelligence agency.
“In SektorCERT’s three years of operation, we have never seen signs that these APT groups have attacked Danish critical infrastructure. Their activities tend to be reserved for goals that the states they work for want to disrupt due to various political or military considerations,” SektorCERT noted.
During the campaign, some of the vulnerable firewalls were also infected with a Mirai bot and subsequently used in distributed denial-of-service (DDoS) attacks against entities in the US and Hong Kong.
“After the exploit code for some of the vulnerabilities became publicly known around May 30, attack attempts against the Danish critical infrastructure exploded – especially from IP addresses in Poland and Ukraine.”
In its report, SektorCERT provides comprehensive details on the timeline of the attacks, along with a series of recommendations for critical infrastructure organizations to improve the security of their networks.