Inside Denmark’s hell week as critical infrastructure orgs faced cyberattacks
Zyxel zero days and nation-state actors (maybe) had a hand in the sector’s worst cybersecurity event on record
Danish critical infrastructure faced the biggest online attack in the country's history in May, according to SektorCERT, Denmark's specialist organization for the cybersecurity of critical kit.
Detailing the attack waves in a report, it revealed that 22 companies were breached in just a few days. Some were forced to enter island mode operation, where they had to disconnect from the internet and cut any other other non-essential network connections [ref PDF].
In almost all cases unpatched vulnerabilities in Zyxel firewalls meant compromise was possible, and in some the attackers appeared well-resourced, exploiting vulnerabilities that weren't publicly announced (zero days).
The attacks are thought to have been carried out by multiple groups, and at least one was potentially the infamous Sandworm operation nestled in Russia's Chief Intelligence Office (GRU), said the researchers.
As the Zyxel devices weren't visible on public scanning services such as Shodan, SektorCERT believes Danish critical infrastructure was targeted specifically.
Zyxel firewalls are used extensively by the organizations protected by SektorCERT and the vulnerabilities in these, announced in April, which allow remote attackers to gain complete control of the firewall without authentication, were blamed for most of the attacks.
"For many of our members this was a surprise," SektorCERT said in the report [PDF]. "Many believed that because the firewall was relatively new, it must be assumed to have the latest software, while others mistakenly assumed that their vendor was responsible for the updates.
"Other members had deliberately opted out of the updates as there was a cost from the supplier to install them (the software itself is free). Still others simply did not know they had the devices in question in their network. Either because a supplier had installed them without telling them about it or because they did not have an overview of the devices that were connected to their network.
"This benefited the attackers and gave them weeks to carry out the attacks – even after SektorCERT via SektorForum had alerted all members and encouraged them to install the updates."
The first wave of attacks started on May 11, targeting 16 energy organizations, all trying to exploit CVE-2023-28771.
Eleven of the 16 orgs were compromised "immediately" – the other five are thought to have escaped, potentially due to poorly formatted data packets sent to the firewalls, meaning the vulnerability wasn't exploited.
For the compromised 11, SektorCERT believes that this was the original reconnaissance phase of the attack, and likely only sent firewall configurations and credentials back to the attackers.
As the devices weren't available for scanning on services like Shodan, SektorCERT said it's not clear how the attackers were able to identify the vulnerable firewalls.
It also said the coordination in the first wave was "remarkable" – an attack that required planning and large numbers of resources.
After 10 days of silence, the second wave of the attacks began – this time one organization was already compromised but SektorCERT was only alerted after it started downloading firewall updates over an insecure connection (an attacker's operation), rather than at the point of initial compromise.
This turned out to be an attack, believed to be carried out by a different actor, to use the organization's infrastructure as part of the Mirai botnet. The compromise was used to carry out DDoS attacks against two targets in the US and Hong Kong before the organization went into island mode to remediate the compromise.
It was assessed that the attackers "possibly" used two Zyxel firewall zero days to breach this organization. At the time, SektorCERT wasn't aware of how the compromise was initially completed. Zyxel publicized the two firewall-related CVEs two days later, and SektorCERT said it's possible these were known to the attackers beforehand.
- Toyota admits to yet another cloud leak
- Mirai reloads exploit arsenal as botnet embarks on another expansion drive
- DDoS-like attack brought down OpenAI this week, not just its purported popularity
- Critical infrastructure gear is full of flaws, but hey, at least it's certified
Just hours after the first Mirai attack, another was launched, again sending the organization into island mode operation. In this case, the firewall ultimately had to be entirely replaced in order to fully remediate the compromise.
Over the next few days as SektorCERT was forced to work around the clock in some cases, six other organizations were again compromised through their Zyxel firewalls. In one case, the organization didn't even know they had a Zyxel firewall until a thorough investigation revealed a third-party supplier installed one when setting up a camera system.
The final wave of attacks began on May 24 when SektorCERT received an alert that indicated advanced persistent threat (APT) traffic at one organization – the first of its kind ever seen in its three years of operation.
The traffic was linked to an IP address that had previously been used by Sandworm, the Russian GRU cyber unit tied to a range of attacks but perhaps most infamous of all was NotPetya. However, SektorCERT insisted that attribution could not be made with confidence due to the overall lack of evidence.
Very little came of the Sandworm-linked attacks other than one organization losing visibility into three of its remote locations, which had to be manually addressed.
"[The organization's workers] started manually driving out to all remote locations to handle the manual operation," SektorCERT said. "A situation that was handled both professionally and with a bit of good, Danish humor – 'It's good weather to drive in,' as the operational manager stated."
Still, there was no significant material impact on the operation of the country's critical infrastructure. SektorCERT praised its experts' fast responses and those too of the affected organizations.
Going forward, it said that more focus should be placed on what it calls systemic vulnerabilities – those that exist in many organizations and if exploited, could lead to wide consequences for the country.
"Danish, critical infrastructure is under constant cyber attack from foreign actors. Therefore, everyone who runs critical infrastructure should pay extra attention and ensure that the right measures are taken to be able to prevent, detect, and deal with these attacks." ®