November 14, 2023 at 07:09AM
Hackers launched a coordinated attack on 22 energy organizations in Denmark’s critical infrastructure in May 2023, the largest attack against Danish critical infrastructure to date. The attackers compromised the victim organizations within a few days by exploiting vulnerabilities in Zyxel firewalls, gaining complete control over the affected devices.

The first wave, on May 11, targeted 16 Danish energy organizations through a critical OS command execution vulnerability in Zyxel’s firewalls; 11 organizations were compromised, and the attackers obtained device configurations and usernames. A second wave on May 22 leveraged two zero-day vulnerabilities in Zyxel devices. SektorCERT, the non-profit cybersecurity center for critical sectors, worked with the victim organizations to apply patches and secure the compromised networks. In one of the attacks, activity associated with the Russian state-sponsored advanced persistent threat (APT) group Sandworm was observed. Some of the vulnerable firewalls were infected with a Mirai bot and used in distributed denial-of-service (DDoS) attacks against entities in the US and Hong Kong. Attack attempts against Danish critical infrastructure increased significantly after exploit code for some of the vulnerabilities became publicly known. SektorCERT has published a detailed timeline of the attacks along with recommendations to help critical infrastructure organizations improve the security of their networks.