Connect with us

Hi, what are you looking for?



22 Energy Firms Hacked in Largest Coordinated Attack on Denmark’s Critical Infrastructure

Denmark’s SektorCERT association shares details on a coordinated attack against the country’s energy sector.

Denmark energy hack

Hackers compromised 22 energy organizations in a coordinated attack against Denmark’s critical infrastructure, non-profit cybersecurity center for critical sectors SektorCERT reveals.

As part of the attack, which occurred in May 2023, the hackers compromised the victim organizations within a few days, making this the largest attack against Danish critical infrastructure to date.

“Denmark is constantly under attack. But it is unusual that we see so many concurrent, successful attacks against the critical infrastructure. The attackers knew in advance who they were going to target and got it right every time,” SektorCERT notes in a report (PDF).

As part of the attacks, hackers exploited multiple vulnerabilities in Zyxel firewalls for initial access, executing code and gaining complete control over the impacted systems.

On May 11, the threat actors targeted 16 Danish energy organizations in attacks exploiting CVE-2023-28771 (CVSS score of 9.8), a critical OS command execution in Zyxel’s ATP, USG FLEX, VPN, and ZyWALL/USG firewalls that came to light in late April.

The attackers successfully compromised 11 organizations, executing commands on the vulnerable firewalls to obtain device configurations and usernames. All networks were secured by the end of the day, SektorCERT says.

A second wave of attacks, observed on May 22, involved new tools and exploitation of two zero-day vulnerabilities in Zyxel devices.

The bugs, tracked as CVE-2023-33009 and CVE-2023-33010, were patched on May 24. On the same day, the attackers started targeting multiple Danish energy firms with different payloads and exploits, and continued their assault on May 25 as well.

Advertisement. Scroll to continue reading.

SektorCERT says it worked together with the victim organizations, to apply the available patches and secure the compromised networks immediately after identifying the attacks.

The cybersecurity organization also notes that, in at least one of the attacks, it observed activity associated with Sandworm, a Russian state-sponsored advanced persistent threat (APT) actor linked to the country’s GRU military spy agency.

“In SektorCERT’s three years of operation, we have never seen signs that these APT groups have attacked Danish critical infrastructure. Their activities tend to be reserved for goals that the states they work for want to disrupt due to various political or military considerations,” SektorCERT noted.

Throughout the campaign, some of the vulnerable firewalls were infected with a Mirai bot and were subsequently used in distributed denial-of-service (DDoS) attacks against entities in the US and Hong Kong.

“After the exploit code for some of the vulnerabilities became publicly known around May 30, attack attempts against the Danish critical infrastructure exploded – especially from IP addresses in Poland and Ukraine.”

In its report, SektorCERT provides comprehensive details on the timeline of the attacks, along with a series of recommendations for critical infrastructure organizations to improve the security of their networks.

Related: Mandiant Intelligence Chief Raises Alarm Over China’s ‘Volt Typhoon’ Hackers in US Critical Infrastructure

Related: UK Warns of Russian Hackers Targeting Critical Infrastructure

Related: Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet