    Danish Energy Attacks Portend Targeting More Critical Infrastructure

By justmattg, November 15, 2023
    In May, 22 Danish energy sector organizations were compromised in an onslaught of attacks partially linked with Russia’s Sandworm APT.

    A new report from the Danish critical infrastructure security nonprofit SektorCERT describes different groups of attackers leveraging multiple, critical vulnerabilities in Zyxel firewall devices, including two zero-days, to reach into industrial machinery, forcing some targets to “island,” isolating them from the rest of the national grid.

    Some but not all of the breaches involved communications with servers known to be used by Sandworm, a group feared for its many previous grid attacks.

    But it’s not just state-level APTs targeting the energy sector. A recent report from cybersecurity company Resecurity describes a large uptick in energy sector attacks by cybercriminal groups, which also seemed to play a role in the Denmark attacks.

    “Nation-state APTs are the biggest threats targeting energy, because foreign intelligence agencies will use it as a tool of influence on countries’ economy and national security,” explains Gene Yoo, CEO of Resecurity. He adds, though, that “cybercriminals also play an important role in it, as typically they acquire low-hanging fruits by compromising employees and operators including engineers in the supply chain.”

    The First Wave

    In late April, Zyxel, a communications equipment company, revealed a command injection vulnerability affecting its firewall and VPN device firmware. CVE-2023-28771, which allowed any attacker to craft messages for executing remote, unauthorized OS commands, was assigned a 9.8 “Critical” CVSS rating.

Many organizations involved in operating Denmark’s grid used Zyxel firewalls as a buffer between the Internet and industrial control systems, the systems controlling reliability- and safety-critical equipment. As SektorCERT recalled, “it was a so-called worst case scenario.”

    The chickens came home to roost two weeks later, on May 11. “The attackers knew in advance who they wanted to hit. Not once did a shot miss the target,” SektorCERT explained. Some 11 energy companies were compromised immediately, exposing critical infrastructure to the attackers. At five more organizations, the attackers did not successfully gain control.

    With help from law enforcement into the night, all 11 compromised companies were secured. But then seemingly different attackers tried their hand just 11 days later.

    Further, More Sophisticated Attacks

    This time, with the initial vulnerability under control, the attackers weaponized two zero-days — CVE-2023-33009 and CVE-2023-33010, both 9.8 “Critical” buffer overflow bugs — affecting the very same firewalls.

    They launched attacks against various energy sector companies from May 22 to 25, deploying multiple different payloads, including a DDoS tool and the Mirai variant Moobot. SektorCERT assessed “that the attackers tried different payloads to see what would work best, which is why several different ones were downloaded.”

    During this period, on the advice of authorities or simply out of a sense of cautiousness, multiple targets operated as an “island,” cut off from the rest of the national grid.

    And in some of these cases, a single network packet was communicated from servers known to be associated with Sandworm. Russia, notably, had been carrying out other covert operations in Denmark around the same time. Still, SektorCERT did not provide a definitive attribution.

    Cybercriminals Getting in on the Action

Though unprecedented in Denmark, nation-state attacks against critical energy companies are not new on a global scale.

    Yoo recalls that “we’ve seen multiple targeted attacks coming from North Korea and Iran targeting the nuclear energy sector, specifically with the goal of acquiring sensitive intellectual property, and staff information and their access, as well as infiltrating into the supply chain.”

    But it’s not only nation-state APTs. By May 30, a week after the two zero-days were publicized, SektorCERT observed that “attack attempts against the Danish critical infrastructure exploded — especially from IP addresses in Poland and Ukraine. Where previously individual, selected companies were targeted, now everyone was shot with a hail of bullets — including firewalls that were not vulnerable.”

    “They see the high risk and the corresponding high reward,” Drew Schmitt, practice lead at GuidePoint Security, explains of cybercriminal outfits. “As more groups like Alphv, Lockbit, and others continue to successfully attack the energy sector, more ransomware groups are noticing the potential gain of targeting and impacting these types of organizations. Additionally, victims in the energy sector add a lot of ‘street cred’ to the groups that are successfully attacking these organizations and getting away with it.”

As Denmark demonstrated, such attacks are only stopped when effective monitoring and defense are paired with partnership between companies and law enforcement. “At the end of the day, this is a problem that needs to be tackled holistically and coordinated between multiple teams and tools,” Schmitt concludes.
