Nearly two dozen Danish energy companies hacked through firewall bug in May

Denmark's critical infrastructure experienced the largest cyberattack in the country's history this spring, with 22 energy companies breached in just a few days, according to a new report from one of the country’s top cyber agencies.

The attacks went unnoticed by ordinary Danish citizens but significantly disrupted the operations of the targeted facilities, according to SektorCERT, Denmark's state-funded organization handling cyber incidents in the critical sector.

To ensure a continuous power supply, several targeted energy companies were forced to enter so-called island mode, where they had to disconnect from the main electric grid and operate independently and autonomously. SektorCERT’s specialists assisted targeted companies to resist the attacks.

The threat actor behind the campaign is unknown, but researchers suggest that the attacks were carried out by multiple groups, likely including Russia’s state-sponsored Sandworm hackers, who have previously attempted to trigger several power outages in Ukraine.

The attacks on Denmark’s critical infrastructure occurred in several waves throughout May, with hackers employing different tools and techniques. What they have in common is the abuse of products from the Taiwan-based manufacturer Zyxel, which primarily sells networking hardware.

Zyxel firewalls are extensively used in Denmark to protect critical systems, providing hackers with an opportunity to exploit vulnerabilities in these firewalls and gain access to victims’ infrastructure, researchers said.

Denmark’s largest cyberattack

The attacks on Denmark are ongoing, “but it is unusual that we see so many concurrent, successful attacks against the critical infrastructure,” SektorCERT said.

The attackers knew in advance who they were going to target and “got it right every time,” according to the researchers. There is no clear explanation of how the attackers obtained the information about their targets.

Another unusual aspect of the incident is that many organizations were attacked simultaneously, indicating that hackers coordinated and carefully planned the attack.

During the first wave of attacks in early May, hackers targeted 16 Danish energy companies, successfully compromising 11 of them through a Zyxel firewall vulnerability.

The successful exploitation of this bug, identified as CVE-2023-28771, allows hackers to execute malicious code remotely on the target system to install malware.

Although Zyxel had released patches for this vulnerability in April, many devices installed in Denmark’s critical facilities were left unpatched.

As a result of the first attack, the hackers managed to gain a foothold and control of the energy companies’ firewalls, but they were discovered and stopped before they could exploit access to the critical infrastructure, researchers said.

The second wave began at the end of May and was likely carried out by a different hacker group. Whether the groups worked together or for the same entity is unclear yet, researchers say.

In this attack, the hackers used the targeted infrastructure as part of the Mirai botnet. Mirai has been involved in some of the most disruptive distributed denial-of-service (DDoS) attacks recorded, including a 2016 incident that brought down websites such as Twitter, Reddit, and Netflix.

The hackers exploited access to the firewalls in Denmark to attack targets in the U.S. and Hong Kong before the Danish company cut its internet connection and went into island operation. The attackers likely used two Zyxel zero-days to breach this organization.

The last wave of attacks likely came from the Russian state-backed hacker group Sandworm but had a limited impact, according to SektorCERT. The targeted organizations lost visibility at three remote locations and had to manually handle their operations.

Researchers said that despite the possible Sandworm involvement, there is no evidence to accuse Russia of being behind the attacks.

“The only thing we can ascertain is that Danish critical infrastructure is in the spotlight and that cyber weapons are being used against our infrastructure, which requires careful monitoring and advanced analysis to detect,” they added.