
A report by SektorCERT, a non-profit cyber security research centre for critical national infrastructure (CNI) in Denmark, has revealed that in May 2023 the country underwent the largest cyber attack it had ever seen.

The report reveals that 22 companies, all of which are linked to the management of the country's energy infrastructure, were compromised by hackers believed to be part of the Russian GRU.
Vulnerability exploitation
Infiltration was achieved via weaknesses in the Zyxel firewalls used by the companies. Several of the affected companies opted out of the software update because there was a charge for installation, whilst some companies mistakenly assumed the firewalls already had the latest updates, and others wrongly believed the vendor was responsible for applying them.
The firewall vulnerability, first reported in April and tracked as CVE-2023-28771, allows attackers to gain remote access to industrial control systems without authentication.
The report states that 11 companies were compromised immediately after the vulnerability details were published, allowing the attackers to gain control of the firewall and access the critical infrastructure behind it.
The attacks began on May 11, followed by 10 days of inactivity. A second wave of attacks began on May 22 when SektorCERT received an alert that one of its members had downloaded new firewall software over an insecure connection.
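One way a monitoring team could catch the kind of event SektorCERT alerted on (a member fetching firewall software over an insecure connection), as an added example that is not part of the report: it scans proxy log lines for firmware images fetched over cleartext HTTP from a known firewall management address. The log format, addresses and URLs are constructed for the example, not taken from the report.

```python
from urllib.parse import urlparse

# Constructed proxy log lines (space-separated: timestamp src_ip method url status).
# Sample data made up for this example, not SektorCERT telemetry.
SAMPLE_PROXY_LOG = """\
2023-05-22T08:14:02Z 10.20.0.1 GET http://updates.example.invalid/fw/usg-flex-5.36.bin 200
2023-05-22T08:15:11Z 10.20.0.1 GET https://updates.example.invalid/fw/usg-flex-5.36.bin 200
2023-05-22T09:02:45Z 10.20.0.55 GET http://cdn.example.invalid/app/installer.bin 200
2023-05-22T09:10:07Z 10.20.0.1 GET http://intranet.example.invalid/index.html 200
"""

# Constructed inventory: management addresses of the firewalls we are responsible for.
FIREWALL_MGMT_IPS = {"10.20.0.1", "10.20.0.2"}

# File suffixes treated as firmware images (assumption for this example).
FIRMWARE_SUFFIXES = (".bin", ".ri", ".img")


def find_insecure_firmware_downloads(log_text, firewall_ips):
    """Return one finding per firmware image fetched over plain HTTP by a firewall host.

    A fetch over https:// or by a non-firewall host is not reported, and neither is a
    cleartext fetch of something that is not a firmware image.
    """
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the scan
        timestamp, src, _method, url, _status = parts
        if src not in firewall_ips:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "http":
            continue
        if not parsed.path.lower().endswith(FIRMWARE_SUFFIXES):
            continue
        findings.append({
            "timestamp": timestamp,
            "source": src,
            "url": url,
            "reason": "firmware image fetched over cleartext HTTP by a firewall management host",
        })
    return findings


if __name__ == "__main__":
    for finding in find_insecure_firmware_downloads(SAMPLE_PROXY_LOG, FIREWALL_MGMT_IPS):
        print(finding)
```

The same scan can be pointed at a real proxy or NetFlow export once the line format and the firewall inventory are swapped in.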
Several of the breached companies avoided any significant impact on the Danish energy system by disconnecting from the local or national power networks, which isolated their systems and prevented the attack from spreading across the broader Danish energy system.
The report described the purpose of the attacks as intelligence gathering and said the attackers had executed code on the firewall that caused it to send back usernames and configuration details, which the attackers then used to adjust their further network intrusions.