A new report from SektorCERT, the Danish nonprofit for critical infrastructure security, describes different groups of attackers exploiting multiple critical vulnerabilities in Zyxel firewall devices, including two zero-days, during an onslaught of attacks on the Danish energy sector. The affected firewalls sat in front of industrial equipment, and several targeted operators isolated themselves from the rest of the national grid while the attacks were under way.
In April, Zyxel disclosed a critical command injection vulnerability, CVE-2023-28771, affecting its firewall and VPN device firmware. It allowed an unauthenticated attacker to craft messages that executed arbitrary OS commands remotely on the device.
Many organizations involved in operating Denmark’s grid used Zyxel firewalls as a buffer between the Internet and their industrial control systems, the systems that control reliability- and safety-critical equipment.
About 11 energy companies were compromised immediately, exposing critical infrastructure to the attackers. At five more organizations, the attackers did not successfully gain control. With help from law enforcement into the night, all 11 compromised companies were secured. But then, seemingly different attackers tried their hand just 11 days later.
With the initial vulnerability under control, the attackers weaponized two critical zero-days, CVE-2023-33009 and CVE-2023-33010, buffer overflow bugs affecting the very same firewalls. They launched attacks against various energy sector companies from May 22 to 25, deploying several different payloads, including a DDoS tool and the Mirai variant Moobot. SektorCERT assessed that the attackers tried different payloads to see which would work best, which is why several different ones were downloaded.
During this period, on the advice of authorities or simply out of caution, multiple targets operated as islands, cut off from the rest of the national grid. In some of these cases, a single network packet was sent from servers known to be associated with Sandworm. Russia, notably, had been carrying out other covert operations in Denmark around the same time. Still, SektorCERT did not provide a definitive attribution.
By May 30, a week after the two zero-days were publicized, SektorCERT observed that attack attempts against the Danish critical infrastructure exploded — especially from IP addresses in Poland and Ukraine. As Denmark demonstrated, such attacks only stopped when effective monitoring and defense were paired with partnerships between companies and law enforcement.