Denmark Faces Largest Cybersecurity Incident to Date

By Sarah Braithwaite on December 8, 2023

Executive Summary:

In November 2023, SektorCERT, the Denmark-based non-profit cybersecurity center for the critical sectors, published a report detailing a cyberattack on Danish critical infrastructure that took place in May 2023. The coordinated attack targeted 22 companies in the energy sector and is Denmark's largest cybersecurity incident to date. The attackers, who may be linked to Sandworm, a unit of Russia's GRU military intelligence service, exploited vulnerabilities in Zyxel firewalls: an already patched flaw in the first wave and, in a second wave, flaws the vendor had not yet disclosed. The precision of the target selection and the degree of planning point to a sophisticated actor. Several compromised companies eventually disconnected from the internet and ran in island mode to limit the spread of impact. The incident highlights how exposed critical infrastructure can be through its perimeter devices and why hardened, promptly patched defenses matter.

Technical Details:

The first wave exploited CVE-2023-28771, a known vulnerability in Zyxel firewalls for which a fix was already available (the NVD entry dates from April 24, 2023). The flaw sits in the device's Internet Key Exchange (IKE) packet decoder, so a single crafted packet sent to UDP port 500 is enough: no authentication is required, and the malformed packet gives the attacker command execution as root on the firewall. On the compromised devices the attackers ran

zysh -p 100 -e 'show username'; zysh -p 100 -e 'show running-config'

which dumps the configured user accounts and the running configuration, yielding credentials and a map of the network behind each firewall. SektorCERT's report notes that several companies were hit at the same time and that the targets were chosen with precision: the attackers apparently knew in advance which companies were running unpatched firewalls (SektorCERT, 2023).

In a second wave, compromised firewalls were enrolled in Mirai and MooBot botnets and used to launch distributed denial-of-service (DDoS) attacks against targets in the United States and Hong Kong (The Hacker News, 2023). This wave appears to have relied on vulnerabilities in the Zyxel firmware that had not yet been published; Zyxel disclosed them a few days later as CVE-2023-33009 and CVE-2023-33010. In the same period SektorCERT identified a single 1340-byte packet sent from an IP address already known to be associated with Sandworm, a "one ping only" approach that keeps the attacker's footprint on each target to one packet.

Once the vulnerabilities were public, a surge of exploitation attempts followed from IP addresses in Poland and Ukraine. The activity shifted from precise, pre-planned targeting to broad, opportunistic scanning, and the affected entities disconnected from the internet and operated in island mode as a safeguard.
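The single crafted UDP/500 packet described above is also what a defender can look for. The script below is an added example for this article, not code from SektorCERT or the original page: it runs a simple "one ping only" heuristic over flow records, flagging an external source that sends exactly one inbound IKE packet to several firewalls without any of them answering. The flow column layout (ts, src_ip, dst_ip, proto, dst_port, packets, bytes), the INTERNAL_NETS range and the sample records are all assumptions constructed for the demo.

```python
"""Detect "one ping only" IKE probes in flow records.

Added example for this article, not code from SektorCERT or the original page.
It assumes unidirectional flow records (as exported by a perimeter firewall or
a NetFlow/IPFIX collector) with the columns shown in SAMPLE_FLOWS, and that the
analyst supplies the address ranges of their own firewalls in INTERNAL_NETS.
The sample records below are constructed for the demo; they are not real data.
"""
import csv
import io
import ipaddress
from collections import defaultdict

IKE_PORT = 500

# Constructed sample: one external source sends exactly one 1340-byte UDP/500
# packet to four different firewalls and gets no reply (the probe pattern);
# two other sources run ordinary IKE exchanges that the firewalls answer.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,proto,dst_port,packets,bytes
2023-05-22T10:14:03Z,203.0.113.7,198.51.100.10,udp,500,1,1340
2023-05-22T10:14:03Z,203.0.113.7,198.51.100.20,udp,500,1,1340
2023-05-22T10:14:04Z,203.0.113.7,198.51.100.30,udp,500,1,1340
2023-05-22T10:14:04Z,203.0.113.7,198.51.100.40,udp,500,1,1340
2023-05-22T09:58:11Z,192.0.2.50,198.51.100.10,udp,500,6,1812
2023-05-22T09:58:11Z,198.51.100.10,192.0.2.50,udp,500,5,1560
2023-05-22T10:30:00Z,192.0.2.77,198.51.100.20,udp,500,1,212
2023-05-22T10:30:00Z,198.51.100.20,192.0.2.77,udp,500,1,120
2023-05-22T11:02:45Z,203.0.113.9,198.51.100.30,tcp,443,12,4500
"""

# Assumed: the address space of the organisation's own firewalls.
INTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_flows(text):
    """Parse CSV flow records into dicts with the numeric fields converted."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("dst_port", "packets", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_ike_probes(flows, nets, fanout_min=3):
    """Return {source: [(firewall, bytes), ...]} for external sources that sent
    exactly one UDP/500 packet to at least `fanout_min` distinct firewalls
    without any of those firewalls sending IKE traffic back.

    A real IKE negotiation is a multi-packet, two-way exchange; a single
    unanswered packet fanned out across many devices looks like a probe or an
    exploit delivery rather than a VPN peer.
    """
    # Pairs (external, firewall) for which the firewall sent IKE traffic back.
    answered = set()
    for f in flows:
        if f["proto"] == "udp" and f["dst_port"] == IKE_PORT and is_internal(f["src_ip"], nets):
            answered.add((f["dst_ip"], f["src_ip"]))

    hits = defaultdict(list)
    for f in flows:
        if f["proto"] != "udp" or f["dst_port"] != IKE_PORT:
            continue
        if is_internal(f["src_ip"], nets) or not is_internal(f["dst_ip"], nets):
            continue  # only inbound flows from outside toward our firewalls
        if f["packets"] != 1 or (f["src_ip"], f["dst_ip"]) in answered:
            continue
        hits[f["src_ip"]].append((f["dst_ip"], f["bytes"]))

    return {
        src: sorted(targets)
        for src, targets in hits.items()
        if len({dst for dst, _ in targets}) >= fanout_min
    }


def format_alerts(probes):
    """One alert line per suspicious source, listing fan-out and packet sizes."""
    lines = []
    for src, targets in sorted(probes.items()):
        sizes = sorted({size for _, size in targets})
        lines.append(
            f"ALERT single-packet UDP/500 fan-out from {src}: "
            f"{len(targets)} firewalls, packet sizes {sizes}"
        )
    return lines


if __name__ == "__main__":
    for line in format_alerts(find_ike_probes(parse_flows(SAMPLE_FLOWS), INTERNAL_NETS)):
        print(line)
```

The heuristic keys on behaviour (one unanswered packet, fanned out across devices) rather than on the 1340-byte size or a particular source address, because a known indicator such as the Sandworm IP or the packet length is trivially changed; sizes are reported only as corroboration. Tune fanout_min to the number of internet-facing firewalls you run, and expect internet-wide scanners to trigger it as well, which is still worth knowing when the probed port belongs to an unpatched Zyxel device.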

Significance:

The attack on Danish critical infrastructure is significant for its sophistication and for the apparent use of vulnerabilities that had not yet been disclosed. The attackers clearly understood Zyxel firewalls, selected their targets precisely, and hit many energy companies at once, which points to careful reconnaissance and planning and to a well-resourced, coordinated operation. The possible involvement of Sandworm raises the prospect of further state-sponsored attacks on critical infrastructure, and the evolving tactics of such adversaries mean that defenses have to be improved continuously rather than set once.

Two defensive lessons follow directly from the event. First, patching matters: the first wave exploited a vulnerability for which a vendor fix already existed, so the firewalls that were compromised were the ones that had not been updated. Second, network segmentation limits how far an attacker can move laterally from a compromised perimeter device; the companies that isolated themselves in island mode contained the impact at the cost of connectivity. Overall, the attack is a reminder of the importance of hardening systems, especially in critical infrastructure.

Vulnerabilities:

CVE-2023-28771 – Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.

CVE-2023-33009 – A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 through 5.36 Patch 1, USG FLEX series firmware versions 4.60 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1, VPN series firmware versions 4.60 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.

CVE-2023-33010 – A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
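Whether a given device falls inside these ranges is the first question to answer during an incident, and the notation mixes plain releases ("4.73") with patch levels ("5.36 Patch 1"). The script below is an added example for this article, not Zyxel's or SektorCERT's code: it transcribes the three ranges above, parses version strings and reports which CVEs cover each device in an inventory. It assumes that each device is mapped to the family name exactly as the CVE descriptions word it, that the compact Zyxel display form "V5.36(ABUI.1)" carries the patch level as the trailing digit (an assumption about that format, not something the page states), and it uses a constructed inventory.

```python
"""Check Zyxel firewall firmware versions against the affected ranges listed
above.

Added example for this article, not Zyxel's or SektorCERT's code. The ranges
are transcribed from the three CVE descriptions in this section, and the
product-family names are used exactly as those descriptions word them, so the
caller is assumed to map each device to one of those family strings. The
device inventory at the bottom is constructed for the demo.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]  # (major, minor, patch level)

# Matches "5.36 Patch 1", "4.73" and the compact "V5.36(ABUI.1)" display form.
# Reading the digit after the dot inside the parentheses as the patch level
# is an assumption about the compact form, not something stated on the page.
_VERSION_RE = re.compile(
    r"\s*V?(\d+)\.(\d+)\s*(?:Patch\s*(\d+)|\([A-Za-z]+\.(\d+)\))?\s*",
    re.IGNORECASE,
)


def parse_version(text: str) -> Version:
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    patch = m.group(3) or m.group(4) or "0"
    return (int(m.group(1)), int(m.group(2)), int(patch))


def _range(lo: str, hi: str) -> Tuple[Version, Version]:
    # Bounds are inclusive. "through 4.73" is read as up to 4.73 Patch 0,
    # so 4.73 Patch 1 falls outside that range.
    return (parse_version(lo), parse_version(hi))


AFFECTED: Dict[str, Dict[str, Tuple[Version, Version]]] = {
    "CVE-2023-28771": {
        "ZyWALL/USG": _range("4.60", "4.73"),
        "VPN": _range("4.60", "5.35"),
        "USG FLEX": _range("4.60", "5.35"),
        "ATP": _range("4.60", "5.35"),
    },
    "CVE-2023-33009": {
        "ATP": _range("4.60", "5.36 Patch 1"),
        "USG FLEX": _range("4.60", "5.36 Patch 1"),
        "USG FLEX 50(W)": _range("4.60", "5.36 Patch 1"),
        "USG20(W)-VPN": _range("4.60", "5.36 Patch 1"),
        "VPN": _range("4.60", "5.36 Patch 1"),
        "ZyWALL/USG": _range("4.60", "4.73 Patch 1"),
    },
    "CVE-2023-33010": {
        "ATP": _range("4.32", "5.36 Patch 1"),
        "USG FLEX": _range("4.50", "5.36 Patch 1"),
        "USG FLEX 50(W)": _range("4.25", "5.36 Patch 1"),
        "USG20(W)-VPN": _range("4.25", "5.36 Patch 1"),
        "VPN": _range("4.30", "5.36 Patch 1"),
        "ZyWALL/USG": _range("4.25", "4.73 Patch 1"),
    },
}


def affected_cves(family: str, version_text: str) -> List[str]:
    """Return the CVE IDs whose affected range covers this family and version."""
    version = parse_version(version_text)
    hits = []
    for cve, families in AFFECTED.items():
        bounds = families.get(family)
        if bounds is not None and bounds[0] <= version <= bounds[1]:
            hits.append(cve)
    return hits


def audit(inventory):
    """inventory: iterable of (hostname, family, version string).
    Returns [(hostname, [cve, ...]), ...] in input order, clean hosts included."""
    return [(host, affected_cves(family, ver)) for host, family, ver in inventory]


# Constructed inventory for the demo.
INVENTORY = [
    ("fw-substation-1", "ATP", "V5.36(ABUI.1)"),
    ("fw-substation-2", "USG FLEX", "5.35"),
    ("fw-office", "ZyWALL/USG", "4.73 Patch 2"),
    ("fw-legacy", "ATP", "4.40"),
]

if __name__ == "__main__":
    for host, cves in audit(INVENTORY):
        print(f"{host}: {', '.join(cves) if cves else 'not in any listed range'}")
```

An upper bound given without a patch number is treated as Patch 0 of that release, which is why 4.73 Patch 1 on a ZyWALL/USG is outside the CVE-2023-28771 range but still inside the two later ones. The lower bounds differ per CVE, so an older device such as the 4.40 ATP in the demo inventory is caught only by CVE-2023-33010; that is the kind of detail a spreadsheet of "is it below 5.36?" misses.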

References:

CVE-2023-28771 Detail. NVD. (2023, April 24). https://nvd.nist.gov/vuln/detail/CVE-2023-28771

CVE-2023-33009 Detail. NVD. (2023, May 24). https://nvd.nist.gov/vuln/detail/CVE-2023-33009

CVE-2023-33010 Detail. NVD. (2023, May 24). https://nvd.nist.gov/vuln/detail/CVE-2023-33010

Lakshmanan, R. (2023, June 2). Active Mirai botnet variant exploiting Zyxel devices for DDoS attacks. The Hacker News. https://thehackernews.com/2023/06/active-mirai-botnet-variant-exploiting.html

Radauskas, G. (2023, November). Denmark hit with largest cyberattack on record. Cybernews. https://cybernews.com/news/denmark-cyberattack-energy-infrastructure-sandworm/

SektorCERT. (2023, November). The attack against Danish critical infrastructure (TLP:CLEAR). https://sektorcert.dk/wp-content/uploads/2023/11/SektorCERT-The-attack-against-Danish-critical-infrastructure-TLP-CLEAR.pdf

The Hacker News. (2023, November 16). Russian hackers linked to "largest ever cyber attack" on Danish critical infrastructure. https://thehackernews.com/2023/11/russian-hackers-launch-largest-ever.html