Denmark Energy Organizations Compromised By Hackers
SektorCERT Report Finds Critical Infrastructure Breaches
The non-profit cybersecurity center for critical sectors, SektorCERT, has disclosed that 22 energy organizations in Denmark fell victim to a coordinated cyber attack on the country's critical infrastructure. The attack, which took place in May 2023, marks the largest assault on Danish critical infrastructure to date.
According to SektorCERT's report (PDF), the hackers successfully compromised the targeted organizations within a matter of days:
"Denmark is constantly under attack. But, unusually, we see so many concurrent, successful attacks against the critical infrastructure. The attackers knew in advance who they were going to target and got it right every time," the report states.
The attackers exploited multiple vulnerabilities in Zyxel firewalls to gain initial access and, from there, to take complete control of the compromised systems.
On May 11, the threat actors focused their attention on 16 Danish energy organizations, taking advantage of the critical OS command execution vulnerability (CVE-2023-28771) in Zyxel's ATP, USG FLEX, VPN, and ZyWALL/USG firewalls.
The successful exploitation of this vulnerability allowed the hackers to execute commands on the vulnerable firewalls, granting them access to device configurations and usernames. Fortunately, all networks were secured by the end of the day, thanks to the swift response from SektorCERT and the victim organizations.
However, the attackers weren't done yet. On May 22, a second wave of attacks used new tools and exploited two zero-day vulnerabilities in Zyxel devices. These vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, were patched on May 24.
Nevertheless, the attackers proceeded to target multiple Danish energy firms with various payloads and exploits, extending their assault into May 25.
SektorCERT collaborated closely with the affected organizations to apply the available patches and secure the compromised systems. The swift response and collaboration between SektorCERT and the victim organizations played a crucial role in mitigating the impact of the attack.
The Danish authorities are currently investigating the incident to identify the perpetrators and bring them to justice. The attack is a stark reminder of the ongoing threat to critical infrastructure sectors worldwide and underlines the need for robust cybersecurity measures to safeguard these vital systems.
As the investigation continues, Danish energy organizations and critical infrastructure sectors must remain vigilant, implementing comprehensive security measures to protect against future attacks. The incident highlights the pressing need for continuous monitoring, prompt patching, and employee education to counter the ever-evolving tactics employed by cybercriminals.