December 2, 2023

Denmark’s critical infrastructure experienced the largest cyberattack in the country’s history this spring, with 22 energy companies breached in just a few days, according to a new report from one of the country’s top cyber agencies.

The attacks went unnoticed by ordinary Danish residents but significantly disrupted the operations of the targeted facilities, according to SektorCERT, Denmark’s state-funded organization handling cyber incidents in the critical sector.

To ensure a stable power supply, several targeted energy companies were forced to enter so-called island mode, where they had to disconnect from the main electrical grid and operate independently and autonomously. SektorCERT’s specialists assisted the targeted companies in resisting the attacks.

The threat actor behind the campaign is unknown, but researchers suggest that the attacks were carried out by multiple groups, likely including Russia’s state-sponsored Sandworm hackers, who have previously attempted to trigger several power outages in Ukraine.

The attacks on Denmark’s critical infrastructure occurred in several waves throughout May, with hackers employing different tools and techniques. What they have in common is the abuse of products from the Taiwan-based manufacturer Zyxel, which primarily sells networking hardware.

Zyxel firewalls are widely used in Denmark to protect critical systems, giving hackers an opportunity to exploit vulnerabilities in these firewalls and gain access to victims’ infrastructure, researchers said.

Denmark’s largest cyberattack

The attacks on Denmark are ongoing, “but it is unusual that we see so many concurrent, successful attacks against the critical infrastructure,” SektorCERT said.

The attackers knew in advance who they were going to target and “got it right every time,” according to the researchers. There is no clear explanation of how the attackers obtained the information about their targets.

Another unusual aspect of the incident is that many organizations were attacked simultaneously, indicating that the hackers coordinated and carefully planned the attack.

During the first wave of attacks in early May, hackers targeted 16 Danish energy companies, successfully compromising 11 of them through a Zyxel firewall vulnerability.

Successful exploitation of this bug, identified as CVE-2023-28771, allows hackers to execute malicious code remotely on the target system and install malware.

Although Zyxel had released patches for this vulnerability in April, many devices installed in Denmark’s critical facilities were left unpatched.

As a result of the first attack, the hackers managed to gain a foothold and control of the energy companies’ firewalls, but they were discovered and stopped before they could use that access against the critical infrastructure, researchers said.

The second wave began at the end of May and was likely carried out by a different hacker group. Whether the groups worked together or for the same entity is not yet clear, researchers say.

In this attack, the hackers used the targeted infrastructure as part of the Mirai botnet. Mirai has been involved in some of the most disruptive distributed denial-of-service (DDoS) attacks on record, including a 2016 incident that brought down websites such as Twitter, Reddit, and Netflix.

The hackers exploited their access to the firewalls in Denmark to attack targets in the U.S. and Hong Kong before the Danish company cut its internet connection and went into island operation. The attackers likely used two Zyxel zero-days to breach this organization.

The last wave of attacks likely came from the Russian state-backed hacker group Sandworm but had a limited impact, according to SektorCERT. The targeted organizations lost visibility at three remote locations and had to handle their operations manually.

Researchers said that despite the potential Sandworm involvement, there is no evidence to accuse Russia of being behind the attacks.

“The only thing we can confirm is that Danish critical infrastructure is in the spotlight and that cyber weapons are being used against our infrastructure, which requires careful monitoring and advanced analysis to detect,” they added.

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.