[German]In May 2023, there were probably two waves of cyberattacks on critical infrastructure (KRITIS) in Denmark, as has only now become known. In a report published by SektorCERT, the whole thing is described as the largest known cyberattack on Danish critical infrastructure. In the two waves of attacks, 22 energy companies from Denmark were compromised. The focus was on vulnerabilities in Zyxel devices (firewalls), some of which could be exploited as 0-day.
I had seen the topic a few days ago in the following tweet by Manuel Atug – the attac is described in this Danish investigation report (PDF).
The key messages from the 32-page report can be boiled down to a few points. May 2023 saw the largest cyberattack on critical Danish infrastructure in the energy sector. The report blames suspected state sponsored Russian threat actors for the waves of attacks, which affected 22 companies.
Denmark's SektorCERT writes that "22 simultaneous attacks on critical Danish energy suppliers, which were also successful, are not an everyday occurrence". "The attackers knew in advance who they wanted to target and were right every time. Not once did a shot miss its target." Denmark's SektorCERT claims to have evidence linking one or more attacks to the Russian military intelligence service GRU (Sandworm). This is based on artifacts communicating with IP addresses that could be assigned to the hacker group.
At the beginning of the chain were probably two critical vulnerabilities (CVE-2023-33009 and CVE-2023-33010, CVSS scores: 9.8) in Zyxel devices. In my blog post Critical security update (May 24, 2023) for all Zyxel firewall products – attacks in the wild from May 25, 2023, it was already clear that attacks on these devices are underway. The vulnerabilities allowed unauthenticated attackers to execute DoS conditions and even remote code execution on some Zyxel firewall versions.
Coordinated cyberattacks via the vulnerability CVE-2023-28771, a critical command injection flaw (CVSS score: 9.8) in Zyxel firewalls, had already taken place on 11 May. The vulnerability was publicly disclosed at the end of April 2023. The report also suspects that other vulnerabilities (CVE-2023-33009 and CVE-2023-33010) were used as 0-days to integrate the Zyxel firewalls into Mirai and MooBot botnets. This is also inferred from the fact that some devices were used for distributed denial of service (DDoS) attacks against unnamed companies in the US and Hong Kong.
After the exploit code for some of the vulnerabilities became public around May 30, the attack attempts against the critical Danish infrastructure exploded – especially from IP addresses in Poland and Ukraine," the SektorCERT report states. The onslaught of attacks caused the affected facilities to disconnect from the Internet and go into island mode.
According to the report, malicious code was executed by the attackers at 11 of the compromised companies. The aim was to explore the firewall configurations and determine how to proceed. The SectorCERT report notes that this type of coordination requires planning and resources. The simultaneous attack on the large number of targets gave the attackers an advantage, as there was no exchange of information between the victims. There was therefore no prior warning, which is unusual on the one hand, but extremely effective on the other.
The second wave of attacks against KRITIS companies then took place between May 22 and 25, 2023. Previously unknown tools were used for the cyberattacks, leading the SektorCERT report to assume that two different threat actors were involved in the campaign. It is unclear whether the groups acted independently of each other or were coordinated. The many details can be found in the Danish investigation report (PDF).
