Hackers potentially linked to the Russian GRU Main Intelligence Directorate carried out a series of highly coordinated cyberattacks targeting Danish critical infrastructure in the nation's largest cyber incident on record, according to a new report.
SektorCERT, a nonprofit cybersecurity center for critical sectors in Denmark, reported that attackers gained access to the systems of 22 companies overseeing various components of Danish energy infrastructure in May. The report published Sunday says hackers exploited zero-day vulnerabilities in Zyxel firewalls, which many Danish critical infrastructure operators use to protect their networks.
Most of the attacks were possible because the companies had not updated their firewalls, said SektorCERT. It said several companies opted out of the software update because there was a charge for installation. Some companies mistakenly assumed the relatively new Zyxel firewalls already featured the latest updates, and others wrongly believed the vendor was responsible for implementing the updates.
The firewall vulnerability, initially reported in April and tracked as CVE-2023-28771, allows attackers to gain remote access to industrial control systems without authentication. SektorCERT described the cyberattack as "remarkable" for its meticulous planning and coordination, saying that the threat actors demonstrated an ability to identify companies with vulnerable devices and orchestrate a simultaneous campaign against the targeted firms.
"To this day, there is no clear explanation of how the attackers had the necessary information, but we can state that among the 300 members, they did not miss a single shot," the report said.
Eleven companies were "immediately" compromised, according to the report, allowing the attackers to gain control of the firewall and access the critical infrastructure behind it. SektorCERT said the simultaneous attack prevented the energy companies from warning others in advance "since everyone is attacked at the same time."
The report described the purpose of the cyberattack as intelligence gathering and said attackers had executed code on the firewall that caused it to send back usernames and configuration details. SektorCERT said it "estimated that the attackers used this command as reconnaissance to see how the respective firewalls were configured and then chose how the further attack should proceed."
The attacks began on May 11, followed by 10 days of inactivity. A second wave of attacks began on May 22, when SektorCERT received an alert that one of its members had downloaded new firewall software over an insecure connection. It remains unclear which nation-state actors or specific cybercriminal organizations are behind the attacks, or whether multiple groups were involved in the series of cyber incidents targeting Danish critical infrastructure.
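The alert that opened the second wave, a firewall owner fetching new firmware over a cleartext connection, is the kind of event a monitoring team can detect from egress logs. The following is an added illustration written for this article, not code from SektorCERT or from the report; the log format, hostnames and addresses are constructed, and a firmware download is recognised by file extension, which is an assumption a real deployment would tune to its own vendor's naming.

```python
import re
from urllib.parse import urlparse

# Constructed sample egress log lines in a hypothetical format:
#   <timestamp> <source ip> <method> <url> <http status>
SAMPLE_LOG = """\
2023-05-22T09:14:02Z 10.20.1.5 GET http://firmware.example.test/usg/update.bin 200
2023-05-22T09:15:40Z 10.20.1.7 GET https://firmware.example.test/usg/update.bin 200
2023-05-22T09:16:11Z 10.20.1.5 GET http://intranet.example.test/index.html 200
2023-05-22T09:17:55Z 10.20.1.9 GET http://mirror.example.test/fw/release-5.36.zip 200
"""

# Assumed extensions that indicate a firmware image; adjust per vendor.
FIRMWARE_EXTENSIONS = (".bin", ".img", ".zip", ".tgz")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, source_ip, method, url, status) or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    return ts, src, method, url, int(status)


def is_firmware_url(url):
    """Heuristic: the request path ends in a firmware-like extension."""
    path = urlparse(url).path.lower()
    return path.endswith(FIRMWARE_EXTENSIONS)


def find_insecure_firmware_downloads(log_text):
    """Return every successful firmware-looking download made over plain HTTP.

    HTTPS downloads are not flagged: the point is the cleartext channel, which
    exposes the image to tampering in transit, not the download itself.
    """
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, method, url, status = parsed
        if urlparse(url).scheme.lower() != "http":
            continue  # TLS-protected transfers are fine
        if not is_firmware_url(url):
            continue  # ordinary cleartext web traffic, out of scope here
        if status != 200:
            continue  # nothing was actually retrieved
        findings.append({"time": ts, "source": src, "url": url})
    return findings


if __name__ == "__main__":
    for f in find_insecure_firmware_downloads(SAMPLE_LOG):
        print(f"ALERT cleartext firmware download from {f['source']} at {f['time']}: {f['url']}")
```

Running it over the constructed log flags the two plain-HTTP image retrievals and ignores the HTTPS one and the ordinary web page; in practice the same check would feed a SIEM rule rather than print to a console.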
SektorCERT's analysis indicated traffic on breached networks came from servers associated with a unit of Russian military hackers popularly known as Sandworm. Sandworm, also known as Seashell Blizzard and Voodoo Bear, has notoriously attacked critical infrastructure operations in Ukraine as Russia carries out its war of conquest. A report published earlier this month said the hacking group had used novel techniques to conduct a targeted attack on a Ukrainian power substation.
Several of the breached companies prevented any significant impact on the Danish energy system by disconnecting from the local or national power networks and entering island mode operation, which isolated their systems and stopped the attack from spreading across the broader Danish energy system.
SektorCERT urged companies to set up segmented networks to avoid enterprisewide breaches and ensure all network inputs to operational technology systems have been mapped.
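Mapping every network input to the operational technology environment, as SektorCERT recommends, can be done systematically from the firewall rule base: enumerate each allow rule whose destination falls inside the OT address space, then compare its source against the short list of sources that are supposed to reach OT at all. The example below is added here and is not from the report or from any vendor; the rule format, the address ranges (an OT segment of 10.50.0.0/16, an approved engineering host of 10.10.5.10/32) and the rule names are all constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall allow/deny rule in a simplified, hypothetical format."""
    name: str
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    dport: str   # TCP/UDP port or "any"
    action: str  # "allow" or "deny"


def _net(cidr):
    """Turn a CIDR string (or the keyword 'any') into an ip_network."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


# Constructed OT address space and the only sources approved to enter it.
OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]
APPROVED_SOURCES = [ipaddress.ip_network("10.10.5.10/32")]

# Constructed rule base for the audit.
RULES = [
    Rule("eng-jump-to-ot", "10.10.5.10/32", "10.50.0.0/16", "443", "allow"),
    Rule("corp-any-to-ot", "10.20.0.0/16", "10.50.1.0/24", "any", "allow"),
    Rule("internet-to-hmi", "any", "10.50.2.15/32", "502", "allow"),
    Rule("ot-to-historian", "10.50.0.0/16", "10.30.1.5/32", "1433", "allow"),
    Rule("default-deny", "any", "any", "any", "deny"),
]


def map_ot_ingress(rules, ot_networks):
    """Every allow rule whose destination overlaps the OT address space.

    This is the 'map of inputs': each entry is a path by which traffic from
    somewhere else can reach OT, regardless of whether it is intended.
    """
    ingress = []
    for r in rules:
        if r.action != "allow":
            continue
        dst = _net(r.dst)
        if any(dst.overlaps(n) for n in ot_networks):
            ingress.append(r)
    return ingress


def unexpected_ingress(ingress, approved_sources):
    """Ingress rules whose source is not wholly inside an approved source range."""
    bad = []
    for r in ingress:
        src = _net(r.src)
        if not any(src.subnet_of(a) for a in approved_sources):
            bad.append(r)
    return bad


if __name__ == "__main__":
    paths = map_ot_ingress(RULES, OT_NETWORKS)
    print("Inputs into OT:")
    for r in paths:
        print(f"  {r.name}: {r.src} -> {r.dst} port {r.dport}")
    print("Inputs not covered by the approved-source list:")
    for r in unexpected_ingress(paths, APPROVED_SOURCES):
        print(f"  {r.name}: {r.src} -> {r.dst} port {r.dport}")
```

On the constructed rule base the map contains three inputs, two of which (a whole corporate /16 and an any-source rule) are not on the approved list and would be the first candidates for tightening during segmentation work; the rule carrying OT data out to a historian is not an input and is correctly left out of the map. Against a real firewall the same two functions would be run over an exported rule set instead of the inline list.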