Inside Denmark’s hell week as critical infrastructure orgs faced cyberattacks

November 13, 2023 at 09:41AM

Denmark experienced its largest-ever online attack on critical infrastructure in May, according to a report from SektorCERT. The attack affected 22 companies, some of which were forced to disconnect from the power network. Unpatched vulnerabilities in Zyxel firewalls were exploited, potentially by multiple groups, including Russia’s Chief Intelligence Office. The attacks were not publicly announced and were aimed specifically at Danish critical infrastructure. The report highlights the need for organizations to prioritize cybersecurity measures that prevent, detect, and respond to such attacks.

Key Takeaways:

1. Danish critical infrastructure experienced a major online attack in May, with 22 companies being breached in just a few days.
2. The attackers exploited unpatched vulnerabilities in Zyxel firewalls, some of which were not publicly announced (zero days).
3. Multiple groups were involved in the attacks, and one of them may have been the notorious Sandworm operation within Russia’s Chief Intelligence Office.
4. The attackers specifically targeted Danish critical infrastructure, as the Zyxel devices were not publicly visible on scanning services like Shodan.
5. Many organizations were surprised by the attacks, mistakenly assuming that their relatively new firewalls had the latest software or that the vendor was responsible for updates.
6. The first wave of attacks targeted 16 energy organizations, while the second wave involved the compromise of one organization’s infrastructure to carry out DDoS attacks using the Mirai botnet.
7. The attackers may have used two Zyxel firewall zero days to breach one organization.
8. SektorCERT had to work around the clock to respond to the attacks and discovered that six other organizations were compromised through their Zyxel firewalls.
9. One organization experienced advanced persistent threat (APT) traffic linked to an IP address previously used by the Sandworm cyber unit. However, attribution could not be confidently made.
10. The overall impact on the country’s critical infrastructure was minimal, thanks to the fast responses of SektorCERT’s experts and the affected organizations.
11. Going forward, there should be an increased focus on addressing systemic vulnerabilities in order to prevent widespread consequences for the country’s critical infrastructure.