Russian threat actors have been possibly linked to what’s been described as the “largest cyber attack against Danish critical infrastructure,” in which 22 companies associated with the operation of the country’s energy sector were targeted in May 2023.
“22 simultaneous, successful cyberattacks against Danish critical infrastructure are not commonplace,” Denmark’s SektorCERT said [PDF]. “The attackers knew in advance who they were going to target and got it right every time. Not once did a shot miss the target.”
The agency said it found evidence connecting one or more attacks to Russia’s GRU military intelligence agency, which is also tracked under the name Sandworm and has a track record of orchestrating disruptive cyber assaults on industrial control systems. This assessment is based on artifacts communicating with IP addresses that have been traced to the hacking crew.
The unprecedented and coordinated cyber attacks took place on May 11 by exploiting CVE-2023-28771 (CVSS score: 9.8), a critical command injection flaw impacting Zyxel firewalls that was disclosed in late April 2023.
On the 11 companies that were successfully infiltrated, the threat actors executed malicious code to conduct reconnaissance of the firewall configurations and determine the next course of action.
“This kind of coordination requires planning and resources,” SektorCERT said in a detailed timeline of events. “The advantage of attacking simultaneously is that the information about one attack cannot spread to the other targets before it is too late.”
“This puts the power of information sharing out of play because no one can be warned in advance about the ongoing attack since everyone is attacked at the same time. It is unusual – and extremely effective.”
A second wave of attacks targeting more organizations was subsequently recorded from May 22 to 25 by an attack group with previously unseen cyber weapons, raising the possibility that two different threat actors were involved in the campaign.
That said, it’s currently unclear if the groups collaborated with each other, worked for the same employer, or were acting independently.
These attacks are suspected to have weaponized two more critical bugs in Zyxel gear (CVE-2023-33009 and CVE-2023-33010, CVSS scores: 9.8) as zero-days to co-opt the firewalls into Mirai and MooBot botnets, given that patches for them were released by the company on May 24, 2023.
The compromised devices, in some cases, were used to conduct distributed denial-of-service (DDoS) attacks against unnamed companies in the U.S. and Hong Kong.
“After the exploit code for some of the vulnerabilities became publicly known around 30/5, attack attempts against the Danish critical infrastructure exploded – especially from IP addresses in Poland and Ukraine,” SektorCERT explained.
The onslaught of attacks prompted the affected entities to disconnect from the internet and go into island mode, the agency further added.
But it’s not only nation-state actors. The energy sector is also increasingly becoming a focus for ransomware groups, with initial access brokers (IABs) actively promoting unauthorized access to nuclear energy firms, according to a report from Resecurity earlier this week.
The development comes as Censys discovered six hosts belonging to NTC Vulkan, a Moscow-based IT contractor that’s alleged to have supplied offensive cyber tools to Russian intelligence agencies, including Sandworm.
Furthermore, the research uncovered a connection to a group called Raccoon Security via an NTC Vulkan certificate.
“Racoon Security is a brand of NTC Vulkan and that it is possible that Raccoon Security’s activities include either previous or current participation in the previously-mentioned leaked initiatives contracted by the GRU,” Matt Lembright, director of Federal Applications at Censys, said.