SektorCERT reports cyber attack against Danish critical infrastructure, raises concerns of state involvement

Danish critical infrastructure faced a significant cyber attack in May this year, marking the most extensive incident in the country’s history. SektorCERT, a non-profit organization supported by Danish critical infrastructure companies, revealed that 22 companies responsible for operating parts of the Danish energy infrastructure were compromised in a coordinated attack. As a result, the attackers accessed certain companies’ industrial control systems (ICS), leading to the implementation of ‘island mode’ operations for several affected companies. 

“As far as we know, such a large cyber attack against the Danish critical infrastructure has not previously been carried out. The attackers gained access to the infrastructure of 22 companies in a few days,” SektorCERT stated in its latest report. “The attackers knew in advance who they were going to target and got it right every time. There are indications that a state actor may have been involved in one or more attacks.”

Denmark faces a constant threat of attacks on its critical infrastructure. However, the recent surge in simultaneous and effective attacks is a cause for concern, SektorCERT added. “Without SektorCERT’s sensor network to detect the attacks, our skilled analysts as well as close cooperation with our members, their suppliers, and authorities, the attack could have had operational consequences for the Danish infrastructure,” it added. 

The report detailed that on Apr. 25, this year, Zyxel, which produces firewalls used by many of SektorCERT’s members, announced that there was a critical vulnerability in a number of their products. The vulnerability received a score of 9.8 on a scale of 1-10, which means that the vulnerability was both relatively easy to exploit and that it could have major consequences. The reference for the vulnerability was CVE-2023-28771.

“In this specific case, there was a vulnerability which allowed an attacker to send network packets to a Zyxel firewall and gain complete control of the firewall without knowing either usernames or passwords for the device,” according to SektorCERT. “What made the situation extra serious was that it is precisely the firewall that must protect the equipment behind it that was vulnerable. At the same time, we knew that many of our members used these firewalls to protect the industrial control systems. Thus, these units were often all that stood between the attackers and the control of Danish critical infrastructure.”

SektorCERT had previously warned the members about the importance of patching Zyxel firewalls in particular, but on May 1 “we issued an extraordinary warning to install the latest update. At this time, no attacks had been observed in Denmark, but it was clear from our partners in other countries that it was only a matter of time before the attackers would turn their spotlight on Denmark,” it reported. 

In the first wave of attacks on May 11, “in a coordinated attack against 16 carefully selected targets among Danish energy companies, an attack group attempted to exploit the vulnerability CVE-2023-28771. The attackers knew in advance who they wanted to hit,” SektorCERT outlined. “Not once did a shot miss the target. All attacks hit exactly where the vulnerabilities were. Our assessment was that it was an attacker who did not want to make too much noise, but wanted to ‘fly under the radar’ and avoid being detected if someone was watching in traffic.”

It added that the vulnerability itself was exploited by sending a single specially crafted data packet to port 500 over the protocol UDP toward a vulnerable Zyxel device. “The packet was received by the Internet Key Exchange (IKE) packet decoder on the Zyxel device. Precisely in this decoder was the said vulnerability. The result was that the attacker could execute commands with root privileges directly on the device without authentication. An attack that could be performed by sending a single packet towards the device.”

SektorCERT reported that 11 companies were compromised immediately. “This means that the attackers gained control of the firewall at these companies and thus had access to the critical infrastructure behind it. The other 5 did not end up completing the commands. Possibly because the packets sent were incorrectly formatted, resulting in the attacks failing. For the 11 that were compromised, the attackers executed code on the firewall that caused it to hand their configuration and current usernames back to the attackers.”

SektorCERT estimated that the attackers used this command as reconnaissance to see how the respective firewalls were configured and then choose how the further attack should proceed.

Noting several things about this attack, SektorCERT mentioned that the attackers knew exactly who to attack. “At this time, information about who had vulnerable devices was not available on public services such as Shodan. Therefore, the attackers had to have obtained information about who had vulnerable firewalls in some other way. SektorCERT cannot identify, in our data, scans prior to the attacks which could have provided the attackers with the necessary information. To this day, there is no clear explanation of how the attackers had the necessary information, but we can state that among the 300 members, they did not miss a single shot.”

“The other remarkable thing was that so many companies were attacked at the same time. This kind of coordination requires planning and resources,” it added. “The advantage of attacking simultaneously is that the information about one attack cannot spread to the other targets before it is too late. This puts the power of information sharing out of play because no one can be warned in advance about the ongoing attack since everyone is attacked at the same time. It is unusual – and extremely effective.”

The SektorCERT team made a crucial decision to handle incidents outside of working hours, despite the lack of staffing in SektorCERT. As a result, throughout the afternoon, evening, and night, the team, along with supportive suppliers and responsive members, successfully secured all 11 compromised energy companies through a significant collective effort. 

During the second wave of attacks starting on May 22, SektorCERT discovered a group using potentially new cyber weapons. Shortly after, an unexpected alarm was triggered, indicating traffic associated with known APT groups. One notable APT group is Sandworm, operating under the Russian GRU unit, known for its highly sophisticated attacks on industrial control systems. Notably, Sandworm was responsible for the destructive cyber attacks on Ukraine in 2015 and 2016, resulting in widespread power outages affecting hundreds of thousands of citizens.

“Tucked away among the billions of other network packets SektorCERT received from the sensor network that day, the attackers sent only a single packet back after the compromise,” the report detailed. “One ping only as one of the analysts observed, with reference to the film The Hunt for Red October. It was highly unusual and was in all likelihood a maneuver designed for one thing: to avoid detection. It is roughly equivalent to hiding a grain of sugar in a sandbag. A grain of sugar that we had found and now had to find out why – and how – had been hidden there.”

What the analysts at SektorCERT had specifically observed was that there was traffic to 217[dot]57[dot]80[dot]18 on port 10049 over the protocol TCP. “And that this traffic consisted of one network packet of 1340 bytes and that no response was returned. ‘One ping only’. We had reliable information that this IP address belonged to the Sandworm group, which had been using it actively for approx. a year earlier. From other sources, it was validated that the IP address had continued to be used by the group just a few months earlier. It is therefore possible that this was communication back to Sandworm,” the report added.
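The “one ping only” observation above is, in detection terms, a single outbound TCP packet from a firewall to a watchlisted address with no reply. The following script is an added illustration, not SektorCERT’s tooling: it walks Zeek-style conn.log records (constructed sample data), refangs the indicator exactly as the page prints it, and flags both watchlist hits and beacon-like single-packet flows from an assumed firewall address (10.0.0.1).

```python
"""Hunt for 'one ping only' beacons in Zeek-style conn.log records."""
from typing import Iterable, List, Optional, Set, Tuple

# Indicator as reported on the page, kept defanged in the source and refanged at runtime.
WATCHLIST_DEFANGED = {"217[dot]57[dot]80[dot]18"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 217[dot]57[dot]80[dot]18 into dotted form."""
    return ioc.replace("[dot]", ".").replace("[.]", ".")


WATCHLIST = {refang(i) for i in WATCHLIST_DEFANGED}

# Record layout (tab-separated, constructed to mirror conn.log columns):
# ts orig_h orig_p resp_h resp_p proto orig_bytes resp_bytes orig_pkts resp_pkts
def parse_conn_line(line: str) -> dict:
    f = line.rstrip("\n").split("\t")
    return {"ts": f[0], "orig_h": f[1], "orig_p": int(f[2]), "resp_h": f[3],
            "resp_p": int(f[4]), "proto": f[5], "orig_bytes": int(f[6]),
            "resp_bytes": int(f[7]), "orig_pkts": int(f[8]), "resp_pkts": int(f[9])}


def classify(c: dict, firewall_ips: Set[str]) -> Optional[str]:
    """Label a record: watchlist hit first, then the generic single-packet beacon heuristic."""
    if c["resp_h"] in WATCHLIST:
        return "HIGH: traffic to watchlisted IP"
    # Heuristic from the report: one large packet out of the firewall, nothing back.
    if (c["orig_h"] in firewall_ips and c["proto"] == "tcp"
            and c["orig_pkts"] == 1 and c["resp_pkts"] == 0 and c["orig_bytes"] >= 1000):
        return "MEDIUM: single large outbound packet with no reply (beacon-like)"
    return None


def hunt(lines: Iterable[str], firewall_ips: Set[str]) -> List[Tuple[str, str, str, int, str]]:
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        c = parse_conn_line(line)
        label = classify(c, firewall_ips)
        if label:
            findings.append((c["ts"], c["orig_h"], c["resp_h"], c["resp_p"], label))
    return findings


# Constructed sample records, not real telemetry. 10.0.0.1 is the assumed firewall WAN address.
SAMPLE = [
    "1684748400.1\t10.0.0.1\t51000\t217.57.80.18\t10049\ttcp\t1340\t0\t1\t0",
    "1684748401.2\t10.0.0.1\t51001\t203.0.113.9\t4444\ttcp\t1200\t0\t1\t0",
    "1684748402.3\t10.0.0.1\t51002\t198.51.100.5\t443\ttcp\t5000\t40000\t30\t28",
    "1684748403.4\t10.0.0.7\t52000\t203.0.113.9\t4444\ttcp\t1200\t0\t1\t0",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE, {"10.0.0.1"}):
        print(finding)
```

The second heuristic is deliberately noisy on purpose; in practice it is tuned per firewall with an allowlist of known management destinations, since it exists to catch the next beacon whose address is not yet on any watchlist.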

Whether Sandworm was involved in the attack cannot be said with certainty, SektorCERT cautioned. “Individual indicators of this have been observed, but we have no opportunity to neither confirm nor deny it. A situation which as such is not unusual. Cyber attacks are notoriously difficult to attribute to a specific attacker and often it is small, almost insignificant errors from the attacker that can indicate who the attacker may be. There is therefore no evidence to accuse Russia of being involved in the attack.”

It added that “the only thing we can ascertain is that Danish critical infrastructure is in the spotlight and that cyber weapons are being used against our infrastructure, which requires careful monitoring and advanced analysis to detect. And that the only thing that saved the infrastructure, in this case, was that SektorCERT, in cooperation with the members and suppliers, managed to react quickly so that the attackers could be stopped before their access could be used to damage the critical infrastructure.” 

SektorCERT’s conclusion on the attack is that Denmark’s energy system is highly decentralized with many smaller operators. Attacks against individual operators may not be critical for society. However, there are concerns about systemic vulnerabilities where the same vulnerability exists in multiple companies, creating a potentially critical situation if exploited. This is what happened in this case, and society should focus more on these consequences. SektorCERT monitors data across hundreds of companies to detect attacks on multiple targets simultaneously. This helps ensure the detection and response to future attacks. 

Danish critical infrastructure is constantly under cyber attack from foreign adversaries, so extra attention and measures are necessary. SektorCERT’s detection and response prevented serious consequences in this case. There are indications that state hackers may have been involved, but SektorCERT does not consider geopolitical consequences.

Based on its knowledge of hackers and cybersecurity within critical infrastructure, SektorCERT made a number of recommendations for companies operating critical infrastructure. Only the services that are actually needed should be exposed to the Internet, and services with known vulnerabilities should not be exposed at all. Zyxel had warned about the vulnerability and provided patches before the first attack wave, so establishing internal processes for receiving vulnerability information and patching systems is crucial.

Additionally, having a contingency plan in place for handling damaged and compromised systems is important. Collecting and analyzing logs is necessary for detecting attacks, and correlating them across an entire sector can be beneficial. Mapping every network entry point into OT systems is essential so that it is known which networks are under attack. Network segmentation makes it possible to isolate attacks on exposed systems. Identifying all devices on the network is important to prevent unknown entry points for attackers.

Last week, Mandiant researchers said that they responded to a cyber-physical incident where Sandworm targeted a Ukrainian critical infrastructure organization. The incident involved a multi-event cyber attack that impacted ICS/operational technology (OT) using a novel technique. Sandworm initially used OT-level living off the land (LotL) techniques to trip the victim’s substation circuit breakers, causing a power outage coinciding with missile strikes on critical infrastructure in Ukraine. Sandworm later deployed a new variant of CADDYWIPER in the victim’s IT environment for a second disruptive event.
