Russian Hacking Group Sandworm Linked to Unprecedented Attack on Danish Critical Infrastructure

Nov. 16, 2023
Notorious Russian nation-state threat actor Sandworm has been linked to the largest ever cyber-attack targeting critical infrastructure in Denmark.

The incident took place in May 2023 and saw the attackers target 22 companies involved in operating Danish critical infrastructure, according to SektorCERT, a non-profit that helps protect organizations in this sector.

SektorCERT found evidence connecting some of these attacks to Sandworm, a group thought to operate under the Russian intelligence agency GRU. Sandworm was behind the attacks that took down power in parts of Ukraine in 2015 and 2016.

The group has also been blamed for more recent cyber-attacks on critical infrastructure in Ukraine, which have been coordinated with Russian military action in the region.

SektorCERT said that in its three years of existence it had never previously seen signs that nation-state groups had targeted Danish critical infrastructure.

A Two-Phased Attack Leveraging Zyxel Vulnerabilities

In the first wave of attacks, which began on May 11, the threat actors exploited the critical vulnerability CVE-2023-28771, an unauthenticated command-injection flaw in the IKE packet handling of Zyxel firewalls, which are used by many Danish critical infrastructure companies. Zyxel had published patched firmware for the flaw in late April 2023, roughly two weeks before the first wave.

This vulnerability was both relatively easy to exploit and capable of causing major consequences, according to SektorCERT's report on the incident. To exploit it, an attacker only had to send crafted network packets to a Zyxel firewall; no credentials were required, and successful exploitation gave complete control of the device.

The coordinated attack hit 16 "carefully selected targets" among Danish energy companies. Of these, 11 were compromised immediately, with the attackers executing code on the firewalls that caused them to hand over their configuration and current usernames.

The other five attacks failed because the injected commands never completed.

SektorCERT assembled an emergency incident response team that prevented the attackers from exploiting the access they had gained to the 11 companies, which could otherwise have affected electricity and heat supplies.

A second wave of attacks took place from May 22 to 25, using "never-before-seen cyber weapons." It is likely that the two waves were carried out by different groups, which may have colluded.
