Danish critical energy infrastructure targeted by cyberattack on unprecedented scale


As winter approaches, the nightmare of French IT security managers in the energy sector has (almost) become a reality in Denmark. SektorCERT, the Danish incident response center dedicated to critical infrastructure, has just reported “the largest cyberattack ever observed against critical infrastructure”.

“If we had not discovered and stopped the attack in time, the consequences could have been serious for the electricity supply in Denmark,” summarizes Søren Maigaard-Tobiasen, spokesperson for the association, which brings together Danish companies in the critical infrastructure sector.

22 companies affected

Unveiled in the fall, this coordinated computer attack, detailed in a 32-page report, affected a total of 22 Danish companies during the month of May. It all started a few weeks after the announcement, at the end of April, of a particularly critical vulnerability in firewalls from the Taiwanese manufacturer Zyxel.

Sixteen Danish companies were then targeted by an attacker using this flaw. The attacker operated by sending a data packet over UDP to port 500 of the vulnerable Zyxel device. The offensive succeeded on eleven targets; in the other five cases, the failure was attributed to a problem of methodology.

“They knew exactly where to strike, while information on vulnerable devices was not available on services like Shodan,” observe the SektorCERT experts. This is proof, they assess, that the attacker was well informed and was trying to remain very discreet by avoiding making too much noise on the network.

Coordinated attack

As the association also points out, the fact that so many companies in the same sector were attacked at the same time is quite remarkable. This kind of coordination “requires planning and resources,” it notes. It is also a very effective method of operation: a first victim has no time to warn its peers of a new malicious campaign.

This first coordinated attack nevertheless failed, thanks to the rapid response of the IT security teams of the targeted companies. But on May 22, SektorCERT this time noticed the hijacking of a firewall by the Mirai botnet, following the initial compromise of the device. It was then used in two denial-of-service attacks against targets in the United States and Hong Kong.
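The two indicators described above, unexpected UDP traffic to port 500 of a perimeter firewall and a firewall that subsequently generates denial-of-service traffic itself, can both be surfaced from ordinary connection logs. The following Python script is an added illustration and is not part of the article or of the SektorCERT report; the log format, the IP addresses, the WAN address and the IKE peer allowlist are all constructed for the example, and the exploit packet itself is not modelled. The second check generalises beyond the article by flagging any burst of outbound flows from the firewall's own address to a single destination, which is what a firewall conscripted into a DDoS botnet looks like from the inside.

```python
import re
from collections import Counter

# Constructed connection-log lines in a hypothetical key=value format (not real data).
# fw1's WAN address is 198.51.100.2; 203.0.113.7 is its only legitimate IKE (VPN) peer.
SAMPLE_LOG = """\
2023-05-10T08:01:12Z fw1 conn proto=udp src=203.0.113.7:4500 dst=198.51.100.2:500 bytes=1200
2023-05-10T08:01:14Z fw1 conn proto=udp src=192.0.2.55:61021 dst=198.51.100.2:500 bytes=812
2023-05-10T08:01:15Z fw1 conn proto=tcp src=192.0.2.9:5123 dst=198.51.100.2:443 bytes=540
2023-05-10T08:01:19Z fw1 conn proto=udp src=192.0.2.55:61022 dst=198.51.100.2:500 bytes=812
2023-05-22T03:10:01Z fw1 conn proto=udp src=198.51.100.2:40001 dst=203.0.113.200:80 bytes=64
2023-05-22T03:10:01Z fw1 conn proto=udp src=198.51.100.2:40002 dst=203.0.113.200:80 bytes=64
2023-05-22T03:10:01Z fw1 conn proto=udp src=198.51.100.2:40003 dst=203.0.113.200:80 bytes=64
2023-05-22T03:10:02Z fw1 conn proto=udp src=198.51.100.2:40004 dst=203.0.113.200:80 bytes=64
2023-05-22T03:10:02Z fw1 conn proto=udp src=198.51.100.2:40005 dst=203.0.113.200:80 bytes=64
2023-05-22T03:10:02Z fw1 conn proto=udp src=198.51.100.2:40006 dst=203.0.113.200:80 bytes=64
2023-05-22T03:10:05Z fw1 conn proto=udp src=198.51.100.2:40010 dst=203.0.113.201:53 bytes=70
"""

WAN_IP = "198.51.100.2"          # assumed public address of the firewall
IKE_PEERS = {"203.0.113.7"}      # assumed allowlist of legitimate VPN peers

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of dicts; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def detect_unexpected_ike(events, wan_ip, ike_peers):
    """Return {source_ip: count} for inbound UDP/500 traffic to the firewall's WAN
    address that does not come from a known IKE peer. Port 500 is the IKE service
    port, so on a firewall with a fixed set of VPN peers any other source is suspect."""
    hits = Counter()
    for ev in events:
        if (ev["proto"] == "udp" and ev["dst"] == wan_ip and ev["dport"] == 500
                and ev["src"] not in ike_peers):
            hits[ev["src"]] += 1
    return dict(hits)


def detect_outbound_flood(events, wan_ip, threshold=5):
    """Return {destination_ip: count} for destinations that received at least
    `threshold` outbound flows originating from the firewall's own address.
    A perimeter device normally forwards traffic rather than sourcing it in bulk,
    so such bursts are a cheap indicator of botnet (e.g. Mirai) DDoS participation."""
    per_dst = Counter(ev["dst"] for ev in events if ev["src"] == wan_ip)
    return {dst: n for dst, n in per_dst.items() if n >= threshold}


def run_checks(text=SAMPLE_LOG):
    """Run both detections over a log and return the findings as a dict."""
    events = parse_log(text)
    return {
        "unexpected_ike_sources": detect_unexpected_ike(events, WAN_IP, IKE_PEERS),
        "outbound_flood_targets": detect_outbound_flood(events, WAN_IP),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

On the constructed log, the first check reports 192.0.2.55 (two IKE probes that are not from the allowed peer) and the second reports 203.0.113.200 (six outbound flows sourced by the firewall itself). Both are heuristics: a new legitimate VPN peer or a large legitimate update download by the firewall would also trip them, so the findings are a prompt for an analyst rather than a verdict.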

“This could indicate that one or more attackers” were already aware of the two new vulnerabilities, which were subsequently identified and reported by Zyxel on May 24, SektorCERT underlines. Several companies were attacked again in the following days via their firewalls from the same manufacturer.

Sandworm traces

One of the latest malicious actions detected was linked to the state-backed hacker group Sandworm, the Danes said. They spotted the use of servers and IP addresses linked to this group, which the Americans suspect of being an arm of a Russian intelligence service, the GRU. It is notably accused of having been behind the Macron Leaks and the hack of the PyeongChang Olympic Games.

The Danes, however, remain cautious about Sandworm’s possible involvement in the malicious campaign, for lack of additional information. The European energy sector has been under particular pressure since the start of the Russian invasion of Ukraine in February 2022. ANSSI had also reported at the start of the year, during its annual press conference, that it was monitoring this area.


