In May, 22 Danish energy sector organizations were compromised in a wave of attacks partly linked with Russia's Sandworm APT.
A new report from the Danish critical infrastructure security nonprofit SektorCERT describes different groups of attackers leveraging multiple critical vulnerabilities in Zyxel firewall devices, including two zero-days, to reach into industrial equipment, forcing some targets to "island," isolating them from the rest of the national grid.
Some but not all of the breaches involved communications with servers known to be used by Sandworm, a group feared for its many prior grid attacks.
But it's not just state-level APTs targeting the energy sector. A recent report from cybersecurity company Resecurity describes a significant uptick in energy sector attacks by cybercriminal groups, which also appeared to play a role in the Denmark attacks.
"Nation-state APTs are the biggest threats targeting energy, because foreign intelligence agencies will use it as a tool of influence on nations' economy and national security," explains Gene Yoo, CEO of Resecurity. He adds, though, that "cybercriminals also play an important role in it, as often they acquire low-hanging fruits by compromising employees and operators including engineers in the supply chain."
The First Wave
In late April, Zyxel, a communications equipment company, disclosed a command injection vulnerability affecting its firewall and VPN device firmware. CVE-2023-28771, which allowed an unauthenticated attacker to execute OS commands remotely simply by sending crafted packets to the device's IKE (UDP/500) handling, was assigned a 9.8 "Critical" CVSS score. Because the bug needs no credentials and the vulnerable service sits on the Internet-facing side of the firewall, any exposed device was reachable by anyone who could send it a packet.
Many organizations involved in operating Denmark's grid used Zyxel firewalls as the buffer between the Internet and their industrial control systems, the systems that control grid reliability and safety-critical equipment. As SektorCERT recalled, "it was a so-called worst case scenario."
The chickens came home to roost two weeks later, on May 11. "The attackers knew in advance who they wanted to hit. Not once did a shot miss the target," SektorCERT explained. Some 11 energy companies were compromised immediately, exposing critical infrastructure to the attackers. At five more organizations, the attackers did not successfully gain control.
With help from law enforcement into the night, all 11 compromised companies were secured. But then seemingly different attackers tried their hand just 11 days later.
Further, More Sophisticated Attacks
This time, with the initial vulnerability under control, the attackers weaponized two zero-days, CVE-2023-33009 and CVE-2023-33010, both 9.8 "Critical" buffer overflow bugs affecting the very same firewalls. Patching for the April flaw offered no protection against these, since they were unknown to the vendor at the time.
They launched attacks against various energy sector companies from May 22 to 25, deploying several different payloads, including a DDoS tool and the Mirai variant Moobot. SektorCERT assessed "that the attackers tried different payloads to see what would work best, which is why several different ones were downloaded."
During this period, on the advice of authorities or simply out of a sense of caution, several targets operated as an "island," cut off from the rest of the national grid.
And in some of these cases, a single network packet was communicated from servers known to be associated with Sandworm. Russia, notably, had been carrying out other covert operations in Denmark around the same time. Still, SektorCERT did not provide a definitive attribution.
Cybercriminals Getting in on the Action
Though unprecedented in Denmark, on a global scale, nation-state attacks against critical energy companies aren't new.
Yoo recalls that "we have seen several targeted attacks coming from North Korea and Iran targeting the nuclear energy sector, specifically with the goal of acquiring sensitive intellectual property, and staff information and their access, as well as infiltrating into the supply chain."
But it's not only nation-state APTs. By May 30, a week after the two zero-days were publicized, SektorCERT observed that "attack attempts against the Danish critical infrastructure exploded — especially from IP addresses in Poland and Ukraine. Where previously individual, selected companies were targeted, now everyone was shot with a hail of bullets — including firewalls that weren't vulnerable."
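Two of the signals SektorCERT describes are easy to separate mechanically once firewall logs are centralized: a source that probes IKE on many distinct hosts is mass scanning ("a hail of bullets"), while a source that hits one or two hosts repeatedly is targeted, and any packet at all, even a single one, to or from a known-bad address deserves a look. The following Python is an added example written for this article, not SektorCERT's or Zyxel's code; the log lines, log format, the `KNOWN_BAD` indicator list and the spray threshold are all constructed for illustration (addresses are RFC 5737 documentation ranges, not real attacker or Sandworm infrastructure).

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines for this example (loosely syslog-like,
# NOT the real Zyxel log format). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    "2023-05-30T08:00:01Z fw1 kernel: DROP src=203.0.113.10:5000 dst=10.0.0.1:500 proto=udp",
    "2023-05-30T08:00:05Z fw1 kernel: DROP src=203.0.113.10:5001 dst=10.0.0.1:500 proto=udp",
    "2023-05-30T08:01:00Z fw1 kernel: DROP src=203.0.113.200:40001 dst=10.0.0.1:500 proto=udp",
    "2023-05-30T08:01:01Z fw1 kernel: DROP src=203.0.113.200:40002 dst=10.0.0.2:500 proto=udp",
    "2023-05-30T08:01:02Z fw1 kernel: DROP src=203.0.113.200:40003 dst=10.0.0.3:500 proto=udp",
    "2023-05-30T08:01:03Z fw1 kernel: DROP src=203.0.113.200:40004 dst=10.0.1.5:500 proto=udp",
    "2023-05-30T08:02:00Z fw1 kernel: ACCEPT src=192.0.2.8:51000 dst=10.0.0.9:443 proto=tcp",
    "2023-05-30T08:03:00Z fw1 kernel: DROP src=198.51.100.77:500 dst=10.0.0.2:500 proto=udp",
    "this line is not a connection record",
]

# Field extractor for the constructed format above.
LOG_RE = re.compile(
    r"src=(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)

# Constructed indicator list for illustration only; in practice this comes
# from the threat-intel feed or the CERT's shared indicators.
KNOWN_BAD = {"198.51.100.77"}

IKE_PORT = 500  # UDP/500, where the Zyxel firewalls' IKE service listens


def parse_records(lines):
    """Yield one dict per connection record; lines that do not match are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        yield {
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "proto": m["proto"].lower(),
        }


def triage(lines, spray_threshold=3):
    """Classify IKE sources as 'spray' (>= spray_threshold distinct targets)
    or 'targeted' (fewer), and collect every record touching a known-bad host.
    A single packet is enough for an IOC hit; volume is irrelevant there."""
    targets_by_src = defaultdict(set)
    ioc_hits = []
    for rec in parse_records(lines):
        if rec["proto"] == "udp" and rec["dport"] == IKE_PORT:
            targets_by_src[rec["src"]].add(rec["dst"])
        if rec["src"] in KNOWN_BAD or rec["dst"] in KNOWN_BAD:
            ioc_hits.append(rec)
    spray = {s for s, t in targets_by_src.items() if len(t) >= spray_threshold}
    targeted = set(targets_by_src) - spray
    return {"spray": spray, "targeted": targeted, "ioc_hits": ioc_hits}


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    for label in ("spray", "targeted"):
        for src in sorted(result[label]):
            print(f"{label:8s} {src}")
    for rec in result["ioc_hits"]:
        print(f"IOC hit  {rec['src']} -> {rec['dst']}:{rec['dport']}/{rec['proto']}")
```

On the constructed input, 203.0.113.200 is classified as spray (four distinct IKE targets), 203.0.113.10 as targeted (two probes, one host), and the lone packet from 198.51.100.77 is reported as an IOC hit regardless of how it is classified by volume. The spray threshold is deliberately low for a nine-line sample; on real traffic it should be set from a baseline of normal IKE peers, and the "targeted" bucket, not the noisy "spray" bucket, is where the analyst's time goes first.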
"They see the high risk and the corresponding high reward," Drew Schmitt, practice lead at GuidePoint Security, explains of cybercriminal outfits. "As more groups like Alphv, Lockbit, and others continue to successfully attack the energy sector, more ransomware groups are noticing the potential gain of targeting and impacting these types of organizations. Additionally, victims in the energy sector add a lot of 'street cred' to the groups that are successfully attacking these organizations and getting away with it."
As Denmark demonstrated, such attacks are only stopped when effective monitoring and defense are paired with partnership between companies and law enforcement. "At the end of the day, this is a problem that needs to be tackled holistically and coordinated between multiple teams and tools," Schmitt concludes.