Notorious Russian nation-state threat actor Sandworm has been linked to the largest ever cyber-attack targeting critical infrastructure in Denmark.
The incident took place in May 2023 and saw the attackers targeted 22 companies involved in operating Danish critical infrastructure, according to SektorCERT, a non-profit that helps protect organizations in this sector.
SektorCERT found evidence connecting some of these attacks to Sandworm, a group thought to operate under the Russian intelligence agency GRU. Sandworm was behind the attacks that took down power in parts of Ukraine in 2015 and 2016.
The group has also been blamed for more recent cyber-attacks on critical infrastructure in Ukraine, which have been coordinated with Russian military action in the region.
SektorCERT said that in its three years of existence, it had never previously seen signs that nation-state groups have targeted Danish critical infrastructure.
A Two-Phased Attack Leveraging Zyxel Vulnerabilities
In the first wave of attacks that began on May 11, the threat actors exploited the critical vulnerability CVE-2023-28771 contained in Zyxel firewalls, which are used by many Danish critical infrastructure companies.
This vulnerability was both relatively easy to exploit and could have major consequences, according to SektorCERT’s report on the incident. Oncee exploited, attackers were able to send network packets to a Zyxel firewall and gain complete control of it without knowing authentication information for the device.
The coordinated attack hit 16 “carefully selected targets” among Danish energy companies. Of these, 11 were compromised immediately, with the attackers executing code on the firewalls that caused them to hand their configuration and current usernames over.
The other five attacks failed due to the commands not being completed.
SektorCERT assembled an emergency incident response team that prevented the attackers exploiting the access they had gained to the 11 companies, and potentially affecting electricity and heat supplies.
A second wave of attacks took place from 22-25 May, using “never-before-seen cyber weapons.” It is likely the attacks were perpetrated by different groups, who may have colluded to carry out the attacks.
"Not once did a shot miss the target. All attacks hit exactly where the vulnerabilities were”
It is thought this second wave of attacks exploited two new Zyxel vulnerabilities announced on May 24: CVE-2023-33009 and CVE-2023-33010.
“It was notable for these second-wave attacks that the attackers may have had knowledge of vulnerabilities that Zyxel had not yet disclosed,” added the report.
All organizations affected by this second wave of attacks were forced disconnect from the internet and go into “island mode.”
Additionally, the attackers used access to these firewalls to carry out DDoS attacks against separate targets, including in the US and Hong Kong.
As with the first wave of attacks, the threat actors were stopped before they were able to impact critical services.
After the exploit code for some of the vulnerabilities became publicly known on May 30, “attack attempts against Danish critical infrastructure exploded – especially from IP addresses in Poland and Ukraine,” the SektorCERT report noted. However, by this stage SektorCERT members had patched the vulnerabilities, meaning they were no longer vulnerable to such attacks.
Sophisticated Attacks Linked to Sandworm
The report said it was “remarkable” that so many companies were attacked at the same time, noting that an attack of this nature would require significant planning and resources.
“The attackers knew in advance who they wanted to hit. Not once did a shot miss the target. All attacks hit exactly where the vulnerabilities were,” it read.
While the attackers took steps to evade detection, SektorCERT analysts traced traffic from some of the attacks to IP addresses thought to belong to the Sandworm group.
“Whether Sandworm was involved in the attack cannot be said with certainty. Individual indicators of this have been observed, but we have no opportunity to neither confirm nor deny it,” stated the report.
Commenting on the story, Ted Miracco, CEO, Approov Mobile Security, said he was not surprised that the attacks were linked to Sandworm, with energy companies in many European countries that have supported Ukraine now major targets of Russian state-linked groups.
“With eyes now turned to the Middle East, we may see even more aggressive and increasingly sophisticated attacks on the Ukraine and its allies, as the Russians perhaps see support from the West potentially wavering or at least seeing signs of fatigue,” he said.
Miracco added: “Another take away from this incident is the short-sighted decision making that led to critical infrastructure providers not patching a known zero-day vulnerability in the Zyxel firewalls.”