22 electricity companies targeted in May


This spring, Denmark experienced its largest and most significant organized cyberattack to date. The Danish cybersecurity non-profit SektorCERT recently revealed that 22 energy companies across the country were breached in May 2023.

Cyberattacks in Denmark have generally taken place quietly, escaping public awareness, yet their repercussions have been far-reaching, affecting the operations of entities as varied as hotels, banks and supermarkets.

Some energy companies opted for “island mode”, detaching themselves from the main electricity grid so that their own electricity supply would continue uninterrupted. An attack of this magnitude, and the contemporary threat it represents, underline the need for cyber defenses that protect vital assets and facilities.

The threat actor behind this campaign is unknown, but researchers suggest the attacks were carried out by several groups, possibly including the Russian state-sponsored Sandworm hackers, who have previously attempted to trigger power outages in Ukraine.

Cyberattacks in coordinated waves in Denmark

The cyber siege unfolded in several phases during May, which is unusual for an organized attack. The identity of the attacker remains unknown, and attribution is still under investigation.

Around 33% of the affected energy companies suffered a direct impact on their daily operations. The attacks targeted strategic locations and showed a clear understanding of critical infrastructure weaknesses.

The attacks were characterized by unusual precision, and the intruders penetrated their targets with a degree of effectiveness not seen in Denmark before. Compromising multiple independent businesses at the same time requires sophisticated preparation, which is itself cause for concern.

Exploitation of the Zyxel firewall: a common thread

Zyxel firewalls, which the Danish companies used to protect important systems, were the common entry point. Researchers found that the perpetrators used a well-known vulnerability in these firewalls (CVE-2023-28771) to remotely execute malicious code and install malware.

Zyxel had released patches for this vulnerability in April, but many devices in critical installations were still missing these updates, leaving the path open to intruders.

Unusual tactics and persistent threats

What sets this series of cyberattacks apart is both its magnitude and the attackers’ unusual approach. Fifteen energy companies were targeted in the first wave in early May, and eleven of them were compromised through the Zyxel firewall vulnerability. Once the attackers controlled these companies’ firewalls, they had a foothold from which critical infrastructure could have been compromised.

A new front emerged with the second wave: the attackers turned the weakened infrastructure into part of the notorious Mirai botnet, known for massive DDoS outbreaks, and used it to attack sites in the United States and Hong Kong, demonstrating how global the consequences of a localized breach can be.
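The two stages just described (exploitation of the firewall through its IKE service, then enrolment of the device in a Mirai-style DDoS botnet) leave a recognisable trace in flow logs. The following script is an added example written for this page, not code from SektorCERT, Zyxel or the article. It flags three things about an Internet-facing firewall: IKE traffic (UDP/500, the protocol in which CVE-2023-28771 is triggered) arriving from hosts that are not configured VPN peers; connections the firewall itself opens to non-peer hosts shortly afterwards, which a firewall normally does not do; and bursts of firewall-originated flows toward a single destination, the signature of DDoS participation. The log format, the addresses, the timestamps and the thresholds are all constructed for illustration and should be adapted to real exports.

```python
"""
Detection sketch for the intrusion chain described above. Added example,
not SektorCERT's, Zyxel's or the article's code. Log format, addresses,
timestamps and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


# Constructed environment: the firewall's WAN address and its one legitimate IKE peer.
FIREWALL_WAN_IP = "203.0.113.10"
KNOWN_VPN_PEERS = {"198.51.100.7"}

# Constructed flow records: "<ISO timestamp> <src> <dst> <proto> <dst port> <bytes>".
SAMPLE_LOG = """
2023-05-11T02:14:03Z 198.51.100.7 203.0.113.10 udp 500 1204    # IKE from the real VPN peer
2023-05-11T02:14:04Z 203.0.113.10 198.51.100.7 udp 500 1180    # firewall replying to that peer
2023-05-11T02:14:09Z 192.0.2.55 203.0.113.10 udp 500 3100      # IKE from an unknown host
2023-05-11T02:14:10Z 192.0.2.55 203.0.113.10 udp 500 3100      # repeated: exploit attempts
2023-05-11T02:14:31Z 203.0.113.10 192.0.2.55 tcp 8080 6400     # firewall fetches something from that host
2023-05-11T02:15:02Z 203.0.113.10 192.0.2.200 tcp 6667 220     # firewall calls out to a third host
2023-05-11T02:20:00Z 10.0.0.5 203.0.113.10 tcp 443 900         # ordinary inbound traffic, ignored
""" + "\n".join(
    # 60 firewall-originated flows to one target within six seconds: a DDoS burst
    f"2023-05-11T03:10:{i // 10:02d}.{(i % 10) * 100000:06d}Z 203.0.113.10 198.51.100.200 tcp 80 60"
    for i in range(60)
)


def parse_flows(text):
    """Parse the constructed log format into Flow records, dropping '#' comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                          src, dst, proto, int(dport), int(nbytes)))
    return flows


def unexpected_ike(flows, fw_ip, vpn_peers):
    """IKE packets (UDP/500) to the firewall from anything that is not a configured peer."""
    return [f for f in flows
            if f.dst == fw_ip and f.proto == "udp" and f.dport == 500
            and f.src not in vpn_peers]


def firewall_egress_after(flows, fw_ip, vpn_peers, triggers, window=timedelta(minutes=30)):
    """Connections the firewall itself opened to non-peer hosts within `window`
    after any trigger event: the payload download or command-and-control stage."""
    return [f for f in flows
            if f.src == fw_ip and f.dst not in vpn_peers
            and any(timedelta(0) <= f.ts - t.ts <= window for t in triggers)]


def volumetric_egress(flows, fw_ip, window=timedelta(seconds=10), min_flows=40):
    """Destinations that received at least `min_flows` firewall-originated flows
    inside any `window`-long interval; returns {dst: peak count}."""
    stamps_by_dst = defaultdict(list)
    for f in flows:
        if f.src == fw_ip:
            stamps_by_dst[f.dst].append(f.ts)
    hits = {}
    for dst, stamps in stamps_by_dst.items():
        stamps.sort()
        peak, j = 0, 0
        for i, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= min_flows:
            hits[dst] = peak
    return hits


def analyze(log_text, fw_ip, vpn_peers):
    """Run the three checks and return the findings as plain data."""
    flows = parse_flows(log_text)
    ike = unexpected_ike(flows, fw_ip, vpn_peers)
    egress = firewall_egress_after(flows, fw_ip, vpn_peers, ike)
    return {
        "ike_sources": sorted({f.src for f in ike}),
        "egress": sorted({(f.dst, f.dport) for f in egress}),
        "ddos_targets": volumetric_egress(flows, fw_ip),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, FIREWALL_WAN_IP, KNOWN_VPN_PEERS).items():
        print(f"{key}: {value}")
```

The first check is the cheapest and the most specific: a firewall's IKE service should only ever be spoken to by its configured peers, so any other source is worth an alert regardless of whether the device is patched. The second check deliberately excludes VPN peers, since the firewall legitimately replies to them; everything else it initiates is suspect. The third check is independent of the first two and would also catch a device that was compromised by some other route.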

Unmasking the culprit: Russia’s Sandworm

Although suspicions remain, there is no concrete evidence of Sandworm’s participation in the Danish attacks. Attribution is difficult, but the researchers stress that critical infrastructure in Denmark has become a target and that cyberweapons are being deployed against national assets.

As the researchers put it, “all we can observe now is that it is Danish critical infrastructure that is the subject of special attention and that weaponization is applied against our infrastructure, and [this] requires very careful monitoring … sophisticated analysis and advanced analysis to identify them.”

Urgent call for cyber vigilance

Following these historic cyberattacks, strengthening cybersecurity has become paramount for both the energy sector and the state. Organizations must continuously monitor and analyze threats in advance and cooperate with cybersecurity specialists, regulators and the private sector to address the problem.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only and users take full responsibility for their reliance on it. The Cyber Express assumes no responsibility for the accuracy or consequences of the use of this information.