Executive Summary
Denmark recently faced its largest cyberattack on record, targeting its energy infrastructure. The attacks, potentially linked to Russia’s GRU Main Intelligence Directorate, involved 22 companies overseeing various components of Denmark’s energy infrastructure.
This incident is significant due to Denmark’s global leadership in green energy and the high risk of cyber espionage in its energy sector.
The attack was characterised by its meticulous planning and execution, exploiting vulnerabilities in Zyxel firewalls. The nature of the attack and the involvement of a sophisticated state-sponsored group indicate a serious threat to national security and highlight the need for enhanced cybersecurity measures.
What Happened
In May 2023, Danish energy infrastructure was targeted by a coordinated cyberattack, resulting in the compromise of 22 companies. This attack is considered the largest in Danish history.
SektorCERT, a nonprofit cybersecurity center for critical sectors in Denmark, reported that the hackers exploited vulnerabilities in Zyxel firewalls, which are commonly used by Danish energy firms for security purposes. The attackers executed a simultaneous campaign against the targeted companies. As a result, several companies disconnected from the national power network and entered ‘island mode’ to prevent further spread.
The objective of the attack was intelligence gathering. The hackers gained control of the firewalls and accessed critical infrastructure. The potential consequences would have been severe if their aim had been operational disruption: more than 100,000 people in Denmark could have been left without electricity or heating for a period.
SektorCERT emphasized the importance of regular firewall updates for companies and highlighted the risks associated with neglecting cybersecurity maintenance. Their analysis revealed that the traffic on breached networks originated from servers associated with the GRU’s infamous Unit 74455, popularly known as Sandworm.
About the Vulnerability
The core of the attack was the exploitation of zero-day vulnerabilities in Zyxel firewalls, specifically CVE-2023-28771. This vulnerability, with a CVSS score of 9.8, allowed attackers to gain remote access to industrial control systems without authentication.
Zyxel released a patch for the vulnerability on April 25th. However, most companies fell victim because they had not updated their firewalls; some avoided the updates due to installation costs, while others were under the mistaken belief that updates were automatic or vendor-managed.
This oversight highlights the importance of regular software updates and the risks associated with neglecting cybersecurity maintenance.
About Sandworm
Sandworm’s Attacks on Ukraine:
Sandworm has been involved in a series of disruptive and destructive cyberattacks on critical infrastructure in Ukraine.
These attacks include targeting a Ukrainian critical infrastructure organization, causing power outages and coinciding with mass missile strikes on critical infrastructure.
Sandworm has also targeted Ukrainian telecom providers to gain control over infected devices and launched multiple cyber attacks on the Ukrainian National Information Agency “Ukrinform” to cripple their information and communication systems.
Global Impact:
Sandworm’s activities extend beyond Ukraine and have had significant global impact, including:
- NotPetya Cyberattack: Sandworm was responsible for the most expensive cyberattack in history, known as NotPetya. This attack resulted in more than $10 billion in global damages in 2017.
- 2018 Winter Olympics: The group targeted the IT infrastructure of the 2018 Winter Olympics held in South Korea.
These attacks demonstrate Sandworm’s capability to disrupt critical infrastructure, steal sensitive information, and cause widespread economic damage. The group’s activities have raised concerns about its potential to carry out disruptive cyber attacks with global impact.
Takeaways
The Danish cyberattack underscores the importance of cybersecurity vigilance, especially for critical infrastructure. Key takeaways include the necessity of regular software updates, the implementation of segmented networks, and the need for a proactive cybersecurity strategy.
The attack also highlights the threat posed by state actors, emphasising the need for national security measures to protect against cyber espionage. The incident serves as a reminder that cyberattacks can have far-reaching and significant impacts on national infrastructure and security.