This spring, Denmark experienced its most extensive and significant organized cyberattack to date. The Danish Non-Profit Organization for Cybersecurity, SektorCERT, recently disclosed a shocking revelation, indicating that 22 energy firms throughout the country fell victim to data breaches in May 2023.
The cyberattacks in Denmark unfolded discreetly, escaping public awareness. However, their repercussions were substantial, significantly affecting the operations of various entities, including hotels, banks, supermarkets, and more.
Certain companies in the energy sector opted for ‘island mode’ when they detached from the main electric grid to maintain an uninterrupted electricity supply. In this respect, such magnitude as well as contemporary threat highlights the need for a sturdy cyber defense for protecting vital assets and facilities.
The threat actor behind the campaign is unknown, but researchers suggest that the cyberattacks in Denmark were carried out by multiple groups, likely including Russia’s state-sponsored Sandworm hackers, who have previously attempted to trigger several power outages in Ukraine.
Coordinated Waves Cyberattacks in Denmark
The cyber siege happened in multiple phases within the month of May which was uncommon for an organized attack. However, who is attacking remains unknown, and investigations have been made on attribution.
Around 33% of these energy companies suffered a direct impact on their daily operations due to the cyberattacks in Denmark aimed at strategic locations and showing an obvious understanding of critical infrastructure’s weaknesses.
The attack was characterized by unbelievable precision, and they managed to penetrate their targets with a never-before-seen degree of efficiency. When several unrelated businesses are attacked at once, it means some sophisticated preparation is involved in the operation, which should be highly disturbing.
Zyxel Firewall Exploitation: A Common Thread
The vulnerability of the Zyxel firewalls was used by malicious actors as a means to protect important systems in Danish countries. The researchers found out that the perpetrators used a well-known firewall vulnerability (CVE-2023-28771) for remote execution of malicious code and installation of malware.
Zyxel released patches for the vulnerability in April but a lot of devices in critical facilities still lacked these updates and the path was left open for cyber intruders.
Unusual Tactics and Persistent Threats
The scale of this series of cyberattacks differs greatly, as does the unique approach being used by the attackers which makes this incident unique. Fifteen energy companies were targeted during the first wave that occurred in early May, while eleven of these firms ended up exploiting the Zyxel firewall weaknesses. Fortunately, such an event of compromising critical infrastructure became inevitable after attackers acquired hold of these companies’ firewalls.
A new front came with the second wave of attacks, the attackers turned on the weakened infrastructure as a part of the famous Mirai botnet that was associated with huge DDoS outbreaks. In this instance, locations in the U.S. and Hong Kong were targeted, demonstrating how the consequences of a localized cyber breach will be global.
Unmasking the Culprit: Russia’s Sandworm
Although doubts still exist, there is no concrete proof of participation by Sandworm from Russia in the cyberattacks in Denmark. While it is hard to attribute these attacks, researchers highlight how critical infrastructure in Denmark becomes a target and deny the fact that the cyber weapons were not deployed against the national assets.
As the authors argue “All we can observe now is that it is Danish critical infrastructure that comes under attention and weaponization is applied against our infrastructure and needs very sophisticated monitoring and advanced analysis to identify it,” the researchers claim.
Urgent Call for Cyber Vigilance
In the wake of these historical cyberattacks in Denmark, the need for enhanced cyber security becomes paramount for both sectors and states. It is obvious that organizations must constantly monitor, and analyze threats in advance and cooperate with cybersecurity specialists, regulators, and the private sector to cope with the problem.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
