Notorious Russian nation-state threat actor Sandworm has been linked to the largest ever cyber-attack targeting critical infrastructure in Denmark.
The incident took place in May 2023 and saw the attackers target 22 companies involved in operating Danish critical infrastructure, according to SektorCERT, a non-profit that helps protect organizations in this sector.
SektorCERT found evidence connecting some of these attacks to Sandworm, a group believed to operate under the Russian intelligence agency GRU. Sandworm was behind the attacks that took down power in parts of Ukraine in 2015 and 2016.
The group has also been blamed for more recent cyber-attacks on critical infrastructure in Ukraine, which were coordinated with Russian military action in the region.
SektorCERT said that in its three years of existence, it had never previously seen signs that nation-state groups had targeted Danish critical infrastructure.
A Two-Phased Attack Leveraging Zyxel Vulnerabilities
In the first wave of attacks, which began on May 11, the threat actors exploited the critical vulnerability CVE-2023-28771 in Zyxel firewalls, which are used by many Danish critical infrastructure companies.
This vulnerability was both relatively easy to exploit and could have major consequences, according to SektorCERT’s report on the incident. By sending network packets to a Zyxel firewall, attackers could gain full control of it without knowing any authentication information for the device.
The coordinated attack hit 16 “carefully selected targets” among Danish energy companies. Of these, 11 were compromised immediately, with the attackers executing code on the firewalls that caused them to hand over their configuration and existing usernames.
The other five attacks failed because the commands were not completed.
SektorCERT assembled an emergency incident response team that prevented the attackers from exploiting the access they had gained to the 11 companies, and potentially affecting electricity and heat supplies.
A second wave of attacks took place from May 22-25, using “never-before-seen cyber weapons.” It is possible the attacks were perpetrated by different groups, who may have colluded to carry them out.
It is thought this second wave of attacks exploited two new Zyxel vulnerabilities announced on May 24: CVE-2023-33009 and CVE-2023-33010.
“It was notable for these second-wave attacks that the attackers may have had knowledge of vulnerabilities that Zyxel had not yet disclosed,” the report added.
All organizations affected by this second wave of attacks were forced to disconnect from the internet and go into “island mode.”
Additionally, the attackers used their access to these firewalls to carry out DDoS attacks against separate targets, including in the US and Hong Kong.
As with the first wave of attacks, the threat actors were stopped before they were able to affect critical services.
After the exploit code for some of the vulnerabilities became publicly known on May 30, “attack attempts against Danish critical infrastructure exploded – especially from IP addresses in Poland and Ukraine,” the SektorCERT report noted. However, by this stage SektorCERT members had patched the vulnerabilities, meaning they were no longer vulnerable to such attacks.
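Two of the report's observations lend themselves to a simple flow-log triage: an internet-facing firewall whose unauthenticated service is being hit by many distinct external sources (the exploitation waves and the post-May 30 flood of attempts), and a firewall that has itself become the source of volumetric outbound traffic (the DDoS activity described above). The script below is an added example, not code from the SektorCERT report or the article. It assumes a simplified flow-record format, a constructed firewall WAN address, and IKE on UDP/500 as the exposed unauthenticated service (the IKE decoder is the component Zyxel's advisory names for CVE-2023-28771; the port and record layout are assumptions here, not details from the article). Known VPN peers are allow-listed so legitimate IKE negotiations are not flagged.

```python
"""Flow-log triage for an internet-facing firewall.

Added example, not part of the SektorCERT report or the original article.
Assumptions (not from the article): flow records are "ts src sport dst dport
proto bytes" lines, the firewall's WAN address is FW_WAN (constructed), and the
unauthenticated service exposed to the internet is IKE on UDP/500.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FW_WAN = "198.51.100.10"            # constructed WAN address (RFC 5737 documentation range)
IKE_PORT = 500                      # assumption: unauthenticated service reachable from WAN
KNOWN_VPN_PEERS = {"203.0.113.200"}  # constructed allow-list of legitimate IKE peers
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INBOUND_SRC_THRESHOLD = 3           # distinct unknown sources on IKE before alerting
OUTBOUND_BYTES_THRESHOLD = 50_000_000  # bytes pushed to one destination before alerting

# Constructed sample flows: three unknown sources probing IKE, one known VPN peer,
# one internal HTTPS client, and the firewall itself pushing ~55 MB at one host.
SAMPLE_FLOWS = """
# ts src sport dst dport proto bytes
2023-05-11T09:00:01Z 203.0.113.5 51000 198.51.100.10 500 udp 1200
2023-05-11T09:00:02Z 203.0.113.6 51001 198.51.100.10 500 udp 1180
2023-05-11T09:00:02Z 203.0.113.7 51002 198.51.100.10 500 udp 1210
2023-05-11T09:00:04Z 203.0.113.200 500 198.51.100.10 500 udp 900
2023-05-11T09:00:03Z 10.0.0.25 44000 198.51.100.10 443 tcp 8000
2023-05-22T14:10:00Z 198.51.100.10 40000 192.0.2.50 80 tcp 30000000
2023-05-22T14:10:05Z 198.51.100.10 40001 192.0.2.50 80 tcp 25000000
2023-05-22T14:11:00Z 198.51.100.10 40002 192.0.2.77 443 tcp 400000
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line):
    """Parse one flow line; return None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return Flow(ts, src, int(sport), dst, int(dport), proto.upper(), int(nbytes))


def is_external(ip):
    """True when the address is neither the firewall itself nor in an internal range."""
    addr = ip_address(ip)
    return ip != FW_WAN and not any(addr in net for net in INTERNAL_NETS)


def triage(lines):
    """Return two findings lists from an iterable of flow lines.

    inbound_ike:    unknown external sources that reached the firewall's IKE port
                    (empty unless at least INBOUND_SRC_THRESHOLD distinct sources)
    outbound_flood: external destinations the firewall itself sent more than
                    OUTBOUND_BYTES_THRESHOLD bytes to (possible DDoS participation)
    """
    ike_sources = set()
    out_bytes = defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        # Inbound to the exposed unauthenticated service from a non-allow-listed source.
        if (f.dst == FW_WAN and f.proto == "UDP" and f.dport == IKE_PORT
                and is_external(f.src) and f.src not in KNOWN_VPN_PEERS):
            ike_sources.add(f.src)
        # Outbound volume originated by the firewall itself, per destination.
        if f.src == FW_WAN and is_external(f.dst):
            out_bytes[f.dst] += f.nbytes
    findings = {"inbound_ike": [], "outbound_flood": []}
    if len(ike_sources) >= INBOUND_SRC_THRESHOLD:
        findings["inbound_ike"] = sorted(ike_sources)
    findings["outbound_flood"] = sorted(
        d for d, b in out_bytes.items() if b >= OUTBOUND_BYTES_THRESHOLD)
    return findings


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_FLOWS.splitlines()).items():
        print(f"{kind}: {hits}")
```

Both findings are deliberately coarse: the inbound check tells a defender that the management plane is reachable from addresses that are not expected peers, which is exactly the exposure that patching, or restricting IKE to known peer addresses, removes; the outbound check is the kind of signal that justified the "island mode" disconnects in the second wave.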
Sophisticated Attacks Linked to Sandworm
The report said it was “remarkable” that so many companies were attacked at the same time, noting that an attack of this nature would require significant planning and resources.
“The attackers knew in advance who they wanted to hit. Not once did a shot miss the target. All attacks hit exactly where the vulnerabilities were,” it read.
While the attackers took steps to evade detection, SektorCERT analysts traced traffic from some of the attacks to IP addresses believed to belong to the Sandworm group.
“Whether Sandworm was involved in the attack cannot be said with certainty. Individual indicators of this have been observed, but we have no opportunity to either confirm or deny it,” the report stated.
Commenting on the story, Ted Miracco, CEO of Approov Mobile Security, said he was not surprised that the attacks were linked to Sandworm, with energy companies in many European countries that have supported Ukraine now prime targets of Russian state-linked groups.
“With eyes now turned to the Middle East, we may see even more aggressive and increasingly sophisticated attacks on Ukraine and its allies, as the Russians perhaps see support from the West potentially wavering or at least showing signs of fatigue,” he said.
Miracco added: “Another takeaway from this incident is the short-sighted decision making that led to critical infrastructure providers not patching a known zero-day vulnerability in the Zyxel firewalls.”