November 16, 2023 at 01:18AM
Russian threat actors are suspected of launching what has been described as the largest cyber attack on Danish critical infrastructure to date, in May 2023. The attack targeted 22 energy sector companies and was coordinated and, in a number of cases, successful. Evidence points to a unit of Russia’s GRU military intelligence agency. The first wave exploited a critical command injection flaw in Zyxel firewalls; a second wave followed, possibly carried out by different threat actors. Compromised devices were then used in DDoS attacks. The energy sector is also increasingly targeted by ransomware groups. NTC Vulkan, a Moscow-based IT contractor, is linked to offensive cyber tools supplied to Russian intelligence agencies.
Key Takeaways from Meeting Notes:
– Russian threat actors are suspected to be linked to a major cyber attack against Danish critical infrastructure in May 2023, targeting 22 companies associated with the energy sector.
– The attacks were coordinated and simultaneous, exhibiting a high level of planning and resource allocation.
– Evidence suggests involvement of a unit of Russia’s GRU military intelligence agency, tracked by researchers as Sandworm, based on communication artifacts and traced IP addresses.
– The attacks exploited a critical command injection flaw (CVE-2023-28771) impacting Zyxel firewalls, which was disclosed in late April 2023.
– Successful infiltration of 11 companies allowed the threat actors to conduct reconnaissance of firewall configurations and plan the next course of action.
– A second wave of attacks occurred from May 22 to 25, potentially carried out by a different group using previously unseen tooling.
– It is uncertain if the groups collaborated or acted independently.
– Two further Zyxel vulnerabilities (CVE-2023-33009 and CVE-2023-33010), suspected of having been exploited as zero-days, were likely used to co-opt firewalls into the Mirai and MooBot botnets.
– Compromised devices were employed in distributed denial-of-service (DDoS) attacks against companies in the U.S. and Hong Kong.
– Attack attempts against Danish critical infrastructure from Polish and Ukrainian IP addresses increased once exploit code for the vulnerabilities became publicly available.
– Some entities disconnected from the internet and entered “island mode” (operating without external connectivity) in response to the attacks.
– Ransomware groups are increasingly targeting the energy sector, and initial access brokers (IABs) have been advertising unauthorized access to nuclear energy firms.
– NTC Vulkan, a Moscow-based IT contractor, allegedly supplied offensive cyber tools to Russian intelligence agencies, including Sandworm.
– A connection between NTC Vulkan and a group called Raccoon Security was uncovered, suggesting that Raccoon Security may have participated in GRU-contracted projects described in leaked documents.
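The two Zyxel items above describe the practical problem a defender faces: a device patched for the April flaw (CVE-2023-28771) could still be exposed to the later pair (CVE-2023-33009 and CVE-2023-33010). The following script is an added example, not from the original report or from Zyxel, that triages an asset inventory of ZLD-based firewalls by parsing their firmware strings and comparing them against a per-family fixed-build map. The fixed builds in `FIXED_IN` are assumed values and must be confirmed against Zyxel’s own advisories before use; the inventory is constructed sample data.

```python
"""Triage an inventory of Zyxel ZLD firewalls against the CVEs named above.

Added example, not from the original article. The fixed-firmware map below is
an ASSUMPTION to be confirmed against Zyxel's security advisories before use.
"""
import re

# Minimum fixed firmware per product family, as (major, minor, patch).
# ASSUMED values; confirm against the vendor advisory for each CVE.
FIXED_IN = {
    "CVE-2023-28771": {
        "ATP": (5, 36, 0), "USG FLEX": (5, 36, 0), "VPN": (5, 36, 0),
        "ZyWALL/USG": (4, 73, 1),
    },
    "CVE-2023-33009": {
        "ATP": (5, 36, 2), "USG FLEX": (5, 36, 2), "VPN": (5, 36, 2),
        "ZyWALL/USG": (4, 73, 2),
    },
    "CVE-2023-33010": {
        "ATP": (5, 36, 2), "USG FLEX": (5, 36, 2), "VPN": (5, 36, 2),
        "ZyWALL/USG": (4, 73, 2),
    },
}

# ZLD version strings look like "V5.36(ABFW.0)Patch 1"; the parenthesised
# build tag is per-model and irrelevant to the comparison.
_VER_RE = re.compile(r"V(\d+)\.(\d+)(?:\([^)]*\))?\s*(?:Patch\s*(\d+))?", re.I)


def parse_zld(text):
    """Return (major, minor, patch) from a ZLD firmware string, or None."""
    m = _VER_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(family, firmware, cve):
    """True if firmware is below the assumed fixed build for family/CVE.

    Returns None when the family is not in the map or the version string
    cannot be parsed, so those devices are flagged for manual review rather
    than silently treated as safe.
    """
    fixed = FIXED_IN[cve].get(family)
    ver = parse_zld(firmware)
    if fixed is None or ver is None:
        return None
    return ver < fixed


def triage(inventory):
    """One finding per device: open CVEs, unknowns, and a priority that
    ranks internet-facing vulnerable firewalls first (the attack surface
    the report describes)."""
    findings = []
    for dev in inventory:
        status = {cve: is_vulnerable(dev["family"], dev["firmware"], cve)
                  for cve in FIXED_IN}
        open_cves = [cve for cve, v in status.items() if v]
        unknown = [cve for cve, v in status.items() if v is None]
        if open_cves and dev["wan_exposed"]:
            priority = "P1"
        elif open_cves:
            priority = "P2"
        elif unknown:
            priority = "P3"
        else:
            priority = "ok"
        findings.append({
            "host": dev["host"],
            "vulnerable_to": open_cves,
            "needs_review": unknown,
            "internet_facing": dev["wan_exposed"],
            "priority": priority,
        })
    return findings


# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = [
    {"host": "fw-substation-01", "family": "USG FLEX",
     "firmware": "V5.35(ABUJ.0)", "wan_exposed": True},
    {"host": "fw-substation-02", "family": "USG FLEX",
     "firmware": "V5.36(ABUJ.0)Patch 1", "wan_exposed": True},
    {"host": "fw-office", "family": "ZyWALL/USG",
     "firmware": "V4.73(AAPL.0)Patch 2", "wan_exposed": False},
    {"host": "fw-legacy", "family": "NSG",
     "firmware": "V1.33", "wan_exposed": True},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

In the sample, `fw-substation-02` has the April fix but not the later patch level, so it still comes out as P1; `fw-legacy` is an unmapped family and is pushed to manual review rather than reported as clean, which is the safer failure mode for an inventory check.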