Denmark's Critical Infrastructure Faces Largest Cyberattack in History

ICARO Media Group
13/11/2023 23h02

In May, Danish critical infrastructure experienced the largest online attack ever recorded in the country, according to the findings of SektorCERT, Denmark's cybersecurity specialist organization. The report released by SektorCERT revealed that a total of 22 companies fell victim to the attack waves within a short span of time. As a result, some of the targeted organizations were forced to enter "island mode" operation, disconnecting from the internet and severing non-essential network connections.

The report highlighted that the majority of the breaches were made possible by unpatched vulnerabilities in Zyxel firewalls. Some of the attacks were carried out by well-resourced groups exploiting vulnerabilities that had not yet been publicly disclosed (known as "zero days"). Notably, the researchers investigating the incident suggested that at least one group may be linked to the notorious Sandworm operation, affiliated with Russia's Chief Intelligence Office (GRU).

SektorCERT emphasized that the affected Zyxel devices were not visible on public scanning services such as Shodan, so the attackers could not have found them by opportunistic internet-wide scanning. This makes it more likely that Danish critical infrastructure was deliberately singled out for the attack.

The vulnerabilities in the Zyxel firewalls, disclosed in April, enabled remote attackers to gain complete control of the firewall without authentication, and they were exploited in the majority of the attacks. SektorCERT's report stated that several organizations were caught off guard, either because they assumed a relatively new firewall would ship with the latest software or because they mistakenly believed their vendor was responsible for applying updates.

Furthermore, SektorCERT discovered that some members deliberately opted out of updates because of the costs charged by the supplier, while others were unaware that Zyxel devices were present in their network at all. This lack of awareness gave the attackers weeks of opportunity, even after SektorCERT issued an alert and urged the installation of updates through SektorForum.

The initial wave of attacks began on May 11 and targeted 16 energy organizations, in every case attempting to exploit the CVE-2023-28771 vulnerability. Of these 16 organizations, 11 were immediately compromised; the remaining five may have escaped only because the data packets sent to their firewalls were poorly formatted, preventing the vulnerability from being triggered.

Experts believe that this initial compromise phase served as a reconnaissance mission, with the attackers likely collecting firewall configurations and credentials. Since the Zyxel devices were not detectable on scanning services like Shodan, it remains unclear how the attackers managed to identify the vulnerable firewalls.

After a period of 10 days without any activity, a second wave of attacks commenced. During this phase, one organization was found to have already been compromised when SektorCERT received an alert that it was downloading firewall updates over an insecure connection. This attack, attributed to a different actor, aimed to enlist the compromised infrastructure in the Mirai botnet. The compromised devices took part in DDoS attacks against targets in the United States and Hong Kong before the organization isolated them to contain the breach.
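The two failure modes the report describes, devices nobody had registered or patched and firmware being fetched over a cleartext connection, are both things a defender can check for routinely. The script below is an added illustration, not part of SektorCERT's report or any Zyxel tooling: it reconciles a constructed asset register against a constructed discovery sweep and then scans constructed proxy log lines for firmware downloads made over plain HTTP. The hostnames, IP addresses, model names, version strings and the minimum patched version are all placeholders; real values belong to the vendor advisory and to your own inventory.

```python
"""Asset/patch reconciliation and cleartext-firmware-download detection.

Added example with constructed data; nothing here is taken from the report.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Device:
    ip: str
    vendor: str
    model: str
    firmware: str  # constructed version strings such as "5.36.1"


# Constructed asset register: what the organisation believes it operates.
ASSET_REGISTER = {
    "10.0.0.1": Device("10.0.0.1", "Zyxel", "USG-FLEX", "5.36.1"),
    "10.0.0.2": Device("10.0.0.2", "Zyxel", "USG-FLEX", "5.30.0"),
}

# Constructed result of a network discovery sweep: what is actually on the wire.
DISCOVERED = [
    Device("10.0.0.1", "Zyxel", "USG-FLEX", "5.36.1"),
    Device("10.0.0.2", "Zyxel", "USG-FLEX", "5.30.0"),
    Device("10.0.5.9", "Zyxel", "ATP", "4.60.0"),  # present on the network, never registered
]

# PLACEHOLDER minimum patched firmware per vendor; take the real value from the vendor advisory.
MIN_PATCHED = {"Zyxel": (5, 36, 1)}


def parse_version(version: str) -> tuple:
    """Reduce a version string to a comparable tuple of its first three integers."""
    return tuple(int(part) for part in re.findall(r"\d+", version)[:3])


def reconcile(register, discovered, min_patched):
    """Return (unregistered devices, devices below the minimum patched version).

    A device can appear in both lists: an unknown box is also an unpatched box.
    """
    unregistered = [d for d in discovered if d.ip not in register]
    outdated = [
        d for d in discovered
        if d.vendor in min_patched and parse_version(d.firmware) < min_patched[d.vendor]
    ]
    return unregistered, outdated


# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>".
PROXY_LOG = """\
2023-05-22T09:14:02Z 10.0.0.2 GET http://updates.example-vendor.test/firmware/USG-FLEX_5.36.1.bin 200
2023-05-22T09:15:10Z 10.0.0.1 GET https://updates.example-vendor.test/firmware/USG-FLEX_5.36.1.bin 200
2023-05-22T09:16:45Z 10.0.7.20 GET http://intranet.example.test/index.html 200
"""

# Heuristic for firmware images: a /firmware/ path segment or a typical image extension.
FIRMWARE_PATH = re.compile(r"/firmware/|\.(bin|img)$", re.IGNORECASE)


def cleartext_firmware_downloads(log_text: str):
    """Return (client-ip, url) for every firmware fetch that used plain HTTP."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, _method, url, _status = line.split()
        parsed = urlparse(url)
        if parsed.scheme == "http" and FIRMWARE_PATH.search(parsed.path):
            hits.append((client, url))
    return hits


def correlate(register, discovered, min_patched, log_text):
    """IPs that are both behind on firmware and fetched firmware in cleartext."""
    _unregistered, outdated = reconcile(register, discovered, min_patched)
    outdated_ips = {d.ip for d in outdated}
    return sorted({client for client, _url in cleartext_firmware_downloads(log_text)
                   if client in outdated_ips})


if __name__ == "__main__":
    unknown, old = reconcile(ASSET_REGISTER, DISCOVERED, MIN_PATCHED)
    print("unregistered:", [d.ip for d in unknown])
    print("below minimum firmware:", [d.ip for d in old])
    print("cleartext firmware downloads:", cleartext_firmware_downloads(PROXY_LOG))
    print("outdated and fetching in cleartext:", correlate(ASSET_REGISTER, DISCOVERED, MIN_PATCHED, PROXY_LOG))
```

The version comparison is deliberately simple and only works for dotted numeric strings; vendor-specific formats need their own parser. The point of `correlate` is the one the report makes: a device that is both unaccounted for in the patch process and pulling firmware over an unauthenticated channel is the one to isolate first.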

At the time, SektorCERT did not know how the initial compromise had been achieved. Two days later, Zyxel published two firewall-related CVEs, leading SektorCERT to speculate that the attackers had known about these vulnerabilities before they were disclosed and had used them in the breach.

The Danish cyberattack serves as a stark reminder of the critical need for robust cybersecurity measures and timely software updates to safeguard vital infrastructure systems against evolving threats. Authorities and organizations must remain vigilant and proactive in defending against such attacks to ensure the integrity and security of national critical infrastructure.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
