In May, 22 Danish energy sector organizations were compromised in a wave of attacks partially linked with Russia's Sandworm APT.
A new report from the Danish critical infrastructure security nonprofit SektorCERT describes different groups of attackers leveraging multiple critical vulnerabilities in Zyxel firewall devices, including two zero-days, to reach into industrial equipment, forcing some targets to "island," isolating them from the rest of the national grid.
Some but not all of the breaches involved communications with servers known to be used by Sandworm, a group feared for its many prior grid attacks.
But it's not just state-level APTs targeting the energy sector. A recent report from cybersecurity company Resecurity describes a significant uptick in energy sector attacks by cybercriminal groups, which also appeared to play a role in the Denmark attacks.
"Nation-state APTs are the biggest threats targeting energy, because foreign intelligence agencies will use it as a tool of influence on nations' economy and national security," explains Gene Yoo, CEO of Resecurity. He adds, though, that "cybercriminals also play an important role in it, as often they acquire low-hanging fruits by compromising employees and operators including engineers in the supply chain."
The First Wave
In late April, Zyxel, a communications equipment company, disclosed a command injection vulnerability affecting its firewall and VPN device firmware. CVE-2023-28771, which allowed any attacker to craft messages for executing remote, unauthorized OS commands, was assigned a 9.8 "Critical" CVSS score.
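To make the vulnerability class concrete, here is an added example (written for this article, not Zyxel firmware and not a reconstruction of CVE-2023-28771) showing the generic command injection pattern and its hardened form: a hypothetical device management function that pings a hostname supplied by a remote client. The request values, the hostname allowlist and the function names are all constructed for illustration.

```python
"""Generic command injection: vulnerable form beside hardened form.
Added example for illustration; not vendor code and not tied to any
specific CVE's internals. The 'ping a hostname' function is a constructed
stand-in for any network-facing management feature that shells out."""
import re
import subprocess

# Constructed request values, as a remote client might submit them.
# The second carries a shell metacharacter that a string-built command
# would interpret as a second command.
REQUESTS = [
    "example.internal",
    "example.internal; id",
]

def build_ping_unsafe(host: str) -> str:
    """Vulnerable form: untrusted input spliced into a shell command line.
    Returned as a string only so a reader can inspect it; never executed."""
    return f"ping -c 1 {host}"

# Allowlist: letters, digits, dots and hyphens, no leading hyphen (so the
# value can never be parsed as an option), bounded length.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def validate_hostname(host: str) -> bool:
    """True only for values matching the constructed hostname allowlist."""
    return HOSTNAME_RE.fullmatch(host) is not None

def build_ping_safe(host: str) -> list[str]:
    """Hardened form: reject anything outside the allowlist, then hand the
    value to the OS as one argv element with no shell in between, so
    characters like ';', '|' or '$(' have no special meaning."""
    if not validate_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]

def run_ping_safe(host: str) -> int:
    """Execute the hardened form (shell=False); returns ping's exit status."""
    result = subprocess.run(build_ping_safe(host), shell=False,
                            capture_output=True, check=False)
    return result.returncode

if __name__ == "__main__":
    for req in REQUESTS:
        print("unsafe command line:", build_ping_unsafe(req))
        try:
            print("safe argv:", build_ping_safe(req))
        except ValueError as exc:
            print("blocked:", exc)
```

The two defences are independent: the allowlist stops malformed input at the boundary, and `shell=False` with an argument list means that even an input which slipped past validation could not become a second command.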
Many organizations involved in operating Denmark's grid used Zyxel firewalls as a buffer between the Internet and industrial control systems — the systems controlling reliability — and safety-critical equipment. As SektorCERT recalled, "it was a so-called worst case scenario."
The chickens came home to roost two weeks later, on May 11. "The attackers knew in advance who they wanted to hit. Not once did a shot miss the target," SektorCERT explained. Some 11 energy companies were compromised immediately, exposing critical infrastructure to the attackers. At five more organizations, the attackers did not successfully gain control.
With help from law enforcement into the night, all 11 compromised companies were secured. But then seemingly different attackers tried their hand just 11 days later.
Further, More Sophisticated Attacks
This time, with the initial vulnerability under control, the attackers weaponized two zero-days — CVE-2023-33009 and CVE-2023-33010, both 9.8 "Critical" buffer overflow bugs — affecting the very same firewalls.
They launched attacks against various energy sector companies from May 22 to 25, deploying several different payloads, including a DDoS tool and the Mirai variant Moobot. SektorCERT assessed "that the attackers tried different payloads to see what would work best, which is why several different ones were downloaded."
During this period, on the advice of authorities or simply out of a sense of caution, several targets operated as an "island," cut off from the rest of the national grid.
And in some of these cases, a single network packet was communicated from servers known to be associated with Sandworm. Russia, notably, had been carrying out other covert operations in Denmark around the same time. Still, SektorCERT did not provide a definitive attribution.
Cybercriminals Getting in on the Action
Though unprecedented in Denmark, on a global scale, nation-state attacks against critical energy companies aren't new.
Yoo recalls that "we have seen multiple targeted attacks coming from North Korea and Iran targeting the nuclear energy sector, specifically with the goal of acquiring sensitive intellectual property, and employee information and their access, as well as infiltrating into the supply chain."
But it's not only nation-state APTs. By May 30, a week after the two zero-days were publicized, SektorCERT observed that "attack attempts against the Danish critical infrastructure exploded — especially from IP addresses in Poland and Ukraine. Where previously individual, selected companies were targeted, now everyone was shot with a hail of bullets — including firewalls that weren't vulnerable."
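The shift SektorCERT describes, from attackers who "knew in advance who they wanted to hit" to a sweep that hit everything including non-vulnerable firewalls, is visible in perimeter logs as a change in fan-out: a single source touching many distinct destinations in a short window. The following added example (not SektorCERT's tooling or code from the report) runs that check over a few constructed connection-log lines. The log format, the addresses, the inventory of which firewalls are still unpatched, and the window and threshold values are all assumptions made for the illustration.

```python
"""Separate targeted probing from an indiscriminate sweep by counting
distinct destinations per source in a sliding time window.
Added example with constructed data; the log format and thresholds are
assumptions, not anything from SektorCERT or a vendor."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed firewall connection log: "<ISO time> <src> -> <dst>:<port> <action>".
# 203.0.113.10 sprays six different firewalls in six seconds (sweep);
# 198.51.100.7 returns to one firewall three times over an hour (targeted).
SAMPLE_LOG = """\
2023-05-30T08:00:00 198.51.100.7 -> 192.0.2.1:500 allow
2023-05-30T08:00:01 203.0.113.10 -> 192.0.2.1:500 allow
2023-05-30T08:00:02 203.0.113.10 -> 192.0.2.2:500 allow
2023-05-30T08:00:03 203.0.113.10 -> 192.0.2.3:500 allow
2023-05-30T08:00:04 203.0.113.10 -> 192.0.2.4:500 allow
2023-05-30T08:00:05 203.0.113.10 -> 192.0.2.5:500 allow
2023-05-30T08:00:06 203.0.113.10 -> 192.0.2.6:500 allow
2023-05-30T08:30:00 198.51.100.7 -> 192.0.2.1:500 allow
2023-05-30T09:00:00 198.51.100.7 -> 192.0.2.1:500 allow
"""

# Constructed asset inventory: firewalls still on unpatched firmware.
# Everything else is assumed patched; a sweep hits those too.
VULNERABLE_ASSETS = {"192.0.2.1", "192.0.2.2"}

def parse_line(line: str):
    """Parse one constructed log line into (timestamp, src, dst, port, action)."""
    ts, src, _arrow, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action

def detect_sweeps(log_text: str, window_seconds: int = 60, min_targets: int = 5) -> dict:
    """Return {src: summary} for sources that reached at least `min_targets`
    distinct destinations within any `window_seconds` span. The summary notes
    how many of those destinations are not in the vulnerable inventory, which
    is the signature of indiscriminate scanning rather than targeted use."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, _port, _action = parse_line(line)
            events[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()   # distinct dst -> count of hits inside the window
        left = 0
        best, best_targets = 0, set()
        for ts, dst in evs:
            in_window[dst] += 1
            # Slide the left edge forward until the window is no wider than allowed.
            while ts - evs[left][0] > window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) > best:
                best, best_targets = len(in_window), set(in_window)
        if best >= min_targets:
            flagged[src] = {
                "distinct_targets": best,
                "non_vulnerable_targets": len(best_targets - VULNERABLE_ASSETS),
                "targets": sorted(best_targets),
            }
    return flagged

if __name__ == "__main__":
    for src, summary in detect_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {summary['distinct_targets']} firewalls in window, "
              f"{summary['non_vulnerable_targets']} of them already patched")
```

The source that keeps returning to a single firewall never crosses the threshold, while the sprayer is flagged with four of its six targets outside the vulnerable inventory. In practice the threshold and window are tuned per environment, and hits on patched assets are the cheap signal that the traffic is a sweep rather than a prepared intrusion.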
"They see the high risk and the corresponding high reward," Drew Schmitt, practice lead at GuidePoint Security, explains of cybercriminal outfits. "As more groups like Alphv, Lockbit, and others continue to successfully attack the energy sector, more ransomware groups are noticing the potential gain of targeting and impacting these types of organizations. Additionally, victims in the energy sector add a lot of 'street cred' to the groups that are successfully attacking these organizations and getting away with it."
As Denmark demonstrated, such attacks are only stopped when effective monitoring and defense is paired with partnership between companies and law enforcement. "At the end of the day, it is a problem that needs to be tackled holistically and coordinated between multiple teams and tools," Schmitt concludes.