This past May, Danish critical infrastructure suffered the most extensive cyber attack it has ever experienced to date.

In all, 22 companies that operate parts of the Danish energy infrastructure ended up compromised in a coordinated attack, according to a report by SektorCERT. The result was the attackers gained access to some of the companies’ industrial control systems and several companies had to go into island mode operation.

SektorCERT is the cybersecurity center for the critical sectors. It is a non-profit organization owned and funded by Danish critical infrastructure companies. It collaborates with Europe’s other CERTs.

In this attack, the threat actors gained access to the infrastructure of 22 companies in a few days and they knew in advance who they were going to target and got it right every time. There are indications a state actor may have been involved in one or more attacks, according to the report.

Operational Consequences
Without SektorCERT’s sensor network to detect the attacks, the attack could have had operational consequences for the Danish infrastructure. SektorCERT runs a sensor network that creates a picture of the threats to the Danish critical infrastructure. It can also detect attacks against the companies that are part of the sensor network.

Schneider Bold

SektorCERT released a report outlining the timeline on the May attacks.

The entire attack scenario was set up on April 25, when Zyxel, which produces firewalls used by multiple SektorCERT members, said there was a critical vulnerability in a number of its products. The vulnerability received a score of 9.8 on a scale of 10, which means it was relatively easy to exploit and could have major consequences. The case number for the vulnerability was CVE-2023-28771.

In this specific case, there was a vulnerability which allowed an attacker to send network packets to a Zyxel firewall and gain complete control of the firewall without knowing either usernames or passwords for the device.

SektorCERT had previously warned about the importance of patching Zyxel firewalls, but on May 1 officials issued an extraordinary warning to install the latest update. At this time, no attacks had been observed in Denmark, but security experts knew they were coming.

Attacks Start May 11
It all started May 11, when an attack group attempted to exploit the vulnerability in a coordinated attack against 16 carefully selected targets among Danish energy companies.

The attackers knew in advance who they wanted to hit. Not once did a shot miss the target. All attacks hit exactly where the vulnerabilities were.

It appeared to be an attacker that did not want to make too much noise and wanted to “fly under the radar” and avoid detection if someone was watching the traffic.

The vulnerability itself ended up exploited by sending a single specially crafted data packet to port 500 over the protocol UDP toward a vulnerable Zyxel device.

The packet ended up received by the Internet Key Exchange (IKE) packet decoder on the Zyxel device which was exactly where the vulnerability was. The result was the attacker could execute commands with root privileges directly on the device without authentication. An attack could take place by sending a single packet toward the device. Eleven companies suffered compromise immediately. This means the attackers gained control of the firewall at these companies and thus had access to the critical infrastructure behind it.

The other five did not end up completing the commands, possibly because the packets had incorrect formatting, resulting in the failed attacks.

For the 11 that suffered compromise, the attackers executed code on the firewall where they were able to learn configurations and current usernames.

SektorCERT said it thinks the attackers used this command as reconnaissance to see the configuration of the firewalls and then choose how the attack should proceed.

Several things about the attack were notable: The first item was the attackers knew exactly who to attack. At this time, information about who had vulnerable devices was not available on public services such as Shodan. Therefore, the attackers had to have obtained information about who had vulnerable firewalls in some other way.

Attackers Were Accurate
SektorCERT said it cannot identify in its data any scans prior to the attacks that could have provided the attackers with the necessary information. There remains no clear explanation of how the attackers had the necessary information, but SektorCERT said it can state that among the 300 members, they did not miss a single shot.

The other remarkable thing, SektorCERT said, was so many companies ended up attacked at the same time. This kind of coordination requires planning and resources.

The advantage of attacking simultaneously is the information about one attack cannot spread to the other targets before it is too late, SektorCERT said in the report. This puts the power of information sharing out of play because no one can issue a warning in advance about the ongoing attack since everyone is under attack at the same time. It is unusual – and extremely effective, the report said.

On May 22, the second wave of attacks began, with an attack group possibly armed with new cyber weapons.

Whether the same attack group during this period was preparing for the second wave or other groups came into play, SektorCERT said it did not know.

On May 22 at 2:44 p.m., another alarm went off at SektorCERT. They saw a member was downloading new software for their firewall over an insecure connection. Such an alarm is not in itself necessarily proof the member is under attack. But with the experience of the previous weeks fresh in the memory, it was a clear sign that something was up.

As early as 6:13 p.m., the next attack started with the same modus operandi as earlier in the day. Again, the SektorCERT team worked to help the member deal with the attackers and was able to cut off the Internet connection to go into island operation.

Attacks Continue
On May 24 at 7:02 p.m., one of the alarms SektorCERT said it never expected to see went off.

It is an alarm notifying them of traffic to or from a known APT group.

One of the best and most well-known APT groups is Sandworm, a group which, under the Russian GRU unit, carried out some of the most sophisticated attacks against industrial control systems ever seen. Among other things, Sandworm was behind the destructive attack against Ukraine in 2015 and 2016, where hundreds of thousands of citizens were left without power as a consequence of the cyberattack.

In SektorCERT’s three years of operation, they have never seen signs these APT groups have attacked Danish critical infrastructure.

What the analysts at SektorCERT had specifically observed was traffic to 217.57.80[.]18 on port 10049 over the protocol TCP. This traffic consisted of one network packet of 1340 bytes, and no response was returned. “One ping only.”

SektorCERT said it had reliable information this IP address belonged to the Sandworm group, which had been using it actively about a year earlier. From other sources, they agreed the group had used that IP address just a few months earlier.

Suspected APT Group
The situation repeated itself May 25 at 1:22 a.m. when a new member suffered an attack. And this time, too, the attackers sent a single packet to another suspected Sandworm server: 70.62.153[.]174 on port 20600 over protocol TCP.

Again, it was a single packet of 1340 bytes. In contrast to the attack at 7:02 p.m., however, this attack had major, visible consequences for the member. It was only something SektorCERT became aware of at 11:45, when the member reported it had lost all visibility to three remote locations and the firewall was subsequently completely out of order.
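Both of the Sandworm-related observations above have the same shape: a single outbound TCP packet of 1340 bytes to a known indicator, with no reply. The script below is an added example (not from the SektorCERT report and not SektorCERT's own sensor logic) that runs three defender-side checks over flow records: a match against the two indicators quoted in the article, the "one packet out, nothing back" beacon shape as a lower-confidence corroborating signal, and inbound IKE (UDP/500) from a peer that is not on an allowlist, since that was the port the initial Zyxel exploitation used. The flow-record format, the sample log lines, the allowlisted VPN peer and the local address ranges are all constructed for the example; the indicators are kept in the defanged form the report prints them in, and `refang()` normalises both indicators and log fields so lines pasted from a report still compare correctly.

```python
"""Flag flow records that match the patterns described in the SektorCERT report.

Added example, not code from the report or from SektorCERT. Log format, sample
lines, IKE peer allowlist and local ranges are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Indicators quoted in the article, in the defanged form the report uses.
APT_INDICATORS = {
    ("217.57.80[.]18", 10049, "tcp"),
    ("70.62.153[.]174", 20600, "tcp"),
}

# Assumption: the only remote peer that should be talking IKE to the firewall.
IKE_PEER_ALLOWLIST = {"198.51.100.7"}

# Assumption: the member's internal ranges (RFC 1918).
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]

# Assumption: a lone outbound packet this large with no reply is worth a look.
BEACON_MIN_BYTES = 1000


def refang(ip: str) -> str:
    """Turn a defanged '1.2.3[.]4' address back into a comparable one."""
    return ip.replace("[.]", ".")


INDICATORS = {(refang(ip), port, proto) for ip, port, proto in APT_INDICATORS}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    orig_pkts: int
    orig_bytes: int
    resp_pkts: int


def parse_flow(line: str) -> Flow:
    """Parse one record: ts src dst dport proto orig_pkts orig_bytes resp_pkts."""
    ts, src, dst, dport, proto, opk, obytes, rpk = line.split()
    return Flow(ts, refang(src), refang(dst), int(dport), proto.lower(),
                int(opk), int(obytes), int(rpk))


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def evaluate(flow: Flow) -> list[tuple[str, str, str]]:
    """Return (severity, timestamp, message) tuples for one flow."""
    alerts = []
    # 1. Direct match against known APT infrastructure (host, port, protocol).
    if (flow.dst, flow.dport, flow.proto) in INDICATORS:
        alerts.append(("high", flow.ts,
                       f"{flow.src} -> known APT infrastructure "
                       f"{flow.dst}:{flow.dport}/{flow.proto}"))
    # 2. The "one ping only" shape: one large outbound TCP packet, no reply.
    if (flow.proto == "tcp" and not is_local(flow.dst) and flow.orig_pkts == 1
            and flow.resp_pkts == 0 and flow.orig_bytes >= BEACON_MIN_BYTES):
        alerts.append(("medium", flow.ts,
                       f"{flow.src} -> {flow.dst}:{flow.dport} single "
                       f"{flow.orig_bytes}-byte packet, no response"))
    # 3. IKE reaching an internal firewall from a peer we do not expect.
    if (flow.proto == "udp" and flow.dport == 500 and is_local(flow.dst)
            and flow.src not in IKE_PEER_ALLOWLIST):
        alerts.append(("medium", flow.ts,
                       f"IKE from non-allowlisted peer {flow.src} -> {flow.dst}"))
    return alerts


def scan(log_text: str) -> list[tuple[str, str, str]]:
    """Evaluate every non-empty line of a flow log."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(evaluate(parse_flow(line)))
    return alerts


# Constructed sample log; timestamps mirror the two events in the article.
SAMPLE_LOG = """\
2023-05-24T19:02:11 10.0.5.1 217.57.80[.]18 10049 tcp 1 1340 0
2023-05-24T19:02:40 10.0.5.1 203.0.113.9 443 tcp 14 3902 11
2023-05-25T01:22:03 10.0.9.1 70.62.153[.]174 20600 tcp 1 1340 0
2023-05-25T01:30:00 198.51.100.7 10.0.9.1 500 udp 4 812 4
2023-05-25T01:31:17 203.0.113.200 10.0.9.1 500 udp 1 600 0
"""

if __name__ == "__main__":
    for severity, ts, msg in scan(SAMPLE_LOG):
        print(f"[{severity}] {ts} {msg}")
```

The indicator match is the only high-confidence rule; the single-packet and IKE checks are there to corroborate it or to catch a new server the indicator list does not yet know about, and on a real sensor they would need tuning against the member's normal VPN and outbound traffic before they are allowed to page anyone.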

Staff started driving out to all remote locations to handle manual operation. Since this firewall also functioned as an internal router for the OT network, all internal traffic in the production network also stopped working.

Before the morning was over on May 25, there were two more attacks which did not follow the “recipe” from the previous two. In these new attacks, which came at 7:55 a.m. and 8:22 a.m., different payloads ended up used, which they attempted to retrieve several times. That gave SektorCERT an indication it might be another attacker.

In the attack, there was no communication back to infrastructure that appeared related to Sandworm, which again suggests it was a different attacker or a different grouping from the same attacker.

The attacks were similar, but the last attack at 8:22 a.m. had so much complexity the member chose not to patch its firewall afterward. This resulted in repeated compromises of the member by several different attackers in the following days.

All Bets are Off
After the exploit code for some of the vulnerabilities became publicly known around May 30, attack attempts against the Danish critical infrastructure exploded – especially from IP addresses in Poland and Ukraine.

Where previously individual, selected companies ended up targeted, now everyone was under fire including firewalls that were not vulnerable.

Whether Sandworm was involved in the attack cannot be said with certainty, the report said. There were individual indicators, but SektorCERT is not able to either confirm or deny it.
