Security News 22 Energy Firms Hacked in Largest Coordinated Attack on Denmark’s Critical Infrastructure

Gandalf_The_Grey

Level 81
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,086
As part of the attack, which occurred in May 2023, the hackers compromised the victim organizations within a few days, making this the largest attack against Danish critical infrastructure to date.

“Denmark is constantly under attack. But it is unusual that we see so many concurrent, successful attacks against the critical infrastructure. The attackers knew in advance who they were going to target and got it right every time,” SektorCERT notes in a report (PDF).

As part of the attacks, hackers exploited multiple vulnerabilities in Zyxel firewalls for initial access, executing code and gaining complete control over the impacted systems.

On May 11, the threat actors targeted 16 Danish energy organizations in attacks exploiting CVE-2023-28771 (CVSS score of 9.8), a critical OS command execution in Zyxel’s ATP, USG FLEX, VPN, and ZyWALL/USG firewalls that came to light in late April.

The attackers successfully compromised 11 organizations, executing commands on the vulnerable firewalls to obtain device configurations and usernames. All networks were secured by the end of the day, SektorCERT says.

A second wave of attacks, observed on May 22, involved new tools and exploitation of two zero-day vulnerabilities in Zyxel devices.

The bugs, tracked as CVE-2023-33009 and CVE-2023-33010, were patched on May 24. On the same day, the attackers started targeting multiple Danish energy firms with different payloads and exploits, and continued their assault on May 25 as well.

SektorCERT says it worked together with the victim organizations, to apply the available patches and secure the compromised networks immediately after identifying the attacks.

The cybersecurity organization also notes that, in at least one of the attacks, it observed activity associated with Sandworm, a Russian state-sponsored advanced persistent threat (APT) actor linked to the country’s GRU military spy agency.

“In SektorCERT’s three years of operation, we have never seen signs that these APT groups have attacked Danish critical infrastructure. Their activities tend to be reserved for goals that the states they work for want to disrupt due to various political or military considerations,” SektorCERT noted.

Throughout the campaign, some of the vulnerable firewalls were infected with a Mirai bot and were subsequently used in distributed denial-of-service (DDoS) attacks against entities in the US and Hong Kong.

“After the exploit code for some of the vulnerabilities became publicly known around May 30, attack attempts against the Danish critical infrastructure exploded – especially from IP addresses in Poland and Ukraine.”
 

Jonny Quest

Level 21
Verified
Top Poster
Well-known
Mar 2, 2023
1,047
Wow:
"As part of the attacks, hackers exploited multiple vulnerabilities in Zyxel firewalls for initial access, executing code and gaining complete control over the impacted systems".

"The cybersecurity organization also notes that, in at least one of the attacks, it observed activity associated with Sandworm, a Russian state-sponsored advanced persistent threat (APT) actor linked to the country’s GRU military spy agency".

Nice job with the information posted, @Gandalf_The_Grey
 
F

ForgottenSeer 103564

A fine example of "a tool can be used either way" for good or bad depending on the intentions behind the use.

CVE's are no joke and are not ever patched quickly enough. They exist in everything from the software you use, to operating systems, to servers you connect out on. No amount of security can stop a breach if they have plenty of vulnerabilities to exploit.
 

Viking

Level 26
Verified
Honorary Member
Top Poster
Well-known
Oct 2, 2011
1,552
Hackers potentially linked to Russia’s military intelligence carried out a series of highly coordinated cyberattacks on Danish energy infrastructure in the spring, a new report says.

SektorCERT, a non-profit cybersecurity center for critical sectors in Denmark, said in the report that it was the nation’s largest cyber incident on record.

According to SektorCERT’s experts, attackers gained access to the systems of 22 companies overseeing various components of Denmark’s energy infrastructure in May 2023.

In the worst-case scenario, more than 100,000 people in Denmark could have been left without electricity or heating – if the hackers had chosen to turn off power from the infrastructure they had gained control of.

Fortunately, the attack was quickly discovered – security holes were closed, and the companies’ customers were not affected. Still, several companies had to go into island mode (off-grid) operation to isolate their systems and prevent the spread of the attack.

“The attackers knew in advance who they were going to target and got it right every time. Denmark is constantly under attack. But it is unusual that we see so many concurrent, successful attacks against the critical infrastructure,” SektorCERT said.

The report (PDF) says that zero-day vulnerabilities in Zyxel firewalls used by many Danish infrastructure operators to protect their networks were exploited. Most of the attacks were possible because the companies had not updated their firewalls, said SektorCERT.
 

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,531
The report (PDF) says that zero-day vulnerabilities in Zyxel firewalls used by many Danish infrastructure operators to protect their networks were exploited. Most of the attacks were possible because the companies had not updated their firewalls, said SektorCERT.
Big no-no. Updates are elementary things everyone and every organization should do.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top