Cyber Security News

CVE-2023-28771 Exploit Results in Largest Cyber Attack Against Danish Infrastructure

A report published in November 2023 by SektorCERT, the cyber security centre for Denmark's critical sectors, reveals how in May 2023 Danish critical infrastructure was exposed to the most extensive cyber attack experienced in Denmark to date.

Coordinated and meticulously executed, the assault targeted 22 companies integral to the country's energy infrastructure, breaching their industrial control systems and forcing several entities into isolation mode.

The report highlights that the attack was of unprecedented scale: no prior incident against Denmark's critical infrastructure comes close to its magnitude. The attackers exhibited meticulous planning, striking predetermined targets with precision, and SektorCERT believes a state actor may have been involved in one or more of these sophisticated attacks.

CVE-2023-28771 Exploited by Threat Actors

The report's attribution of the attacks to Russia's GRU military intelligence agency, infamous for its disruptive cyber assaults, was based on meticulous analysis of digital footprints leading to IP addresses associated with the hacking crew. The breach exploited a critical vulnerability in Zyxel firewalls (CVE-2023-28771), allowing the threat actors to infiltrate and maneuver within the systems.

The assault unfolded in two waves. Initially, 11 companies fell prey to the cyber onslaught, with the attackers leveraging malicious code to survey firewall configurations, strategically planning subsequent moves. The coordinated nature of these attacks indicated extensive planning and resources, enabling the threat actors to exploit the element of surprise by striking simultaneously, rendering traditional information sharing futile.

A second wave, occurring from May 22 to 25, revealed an entirely different attack group deploying previously unseen cyber weaponry. The introduction of these new tools raised speculation about multiple threat actors operating independently or possibly in collaboration.

SektorCERT Played a Pivotal Role in Mitigating the Impact

SektorCERT, through its sensor network and robust collaborative efforts, played a pivotal role in mitigating the impact of these assaults. Detection via SektorCERT's sensor network, coupled with the expertise of skilled analysts and close cooperation with member organizations, their suppliers, and governmental authorities, prevented potentially catastrophic operational consequences for Denmark's critical infrastructure.

The collaborative efforts and advanced detection mechanisms employed by SektorCERT proved instrumental in thwarting the assailants' intentions, highlighting the vital role of such cybersecurity entities in safeguarding national infrastructure against sophisticated cyber threats.

How to Mitigate the Effect of Critical Infrastructure Attacks

SektorCERT made a series of recommendations for all companies that operate critical infrastructure. These include:

Service Exposure: It is crucial to prioritize the security of specific services, including VPN, by ensuring that only the necessary services are accessible on the Internet.

Patch Updating: Before the initial wave of attacks, Zyxel had already issued timely warnings about the vulnerability and provided the necessary patches. It is therefore imperative to establish robust internal procedures for receiving vulnerability information and ensuring prompt system patching.

Contingency plan: In the event of damage and system compromise, it is vital to have a well-crafted and practiced contingency plan in place to effectively address the situation. In these specific instances, numerous members were required to activate their island operation protocols. A meticulously outlined and rehearsed contingency plan guarantees swift and efficient decision-making, ultimately limiting the extent of the damage.

Log collection: Collecting and analyzing logs is a crucial step in detecting attacks, but sometimes relying solely on your own logs isn't sufficient. To truly identify certain attacks, it's necessary to look at the bigger picture and analyze logs across an entire sector.

Map network inputs: Several of the members we spoke to in connection with these attacks did not know about the networks that were attacked. It is therefore important to ensure that all network inputs to the OT systems have been mapped.
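The Log collection and Service Exposure recommendations above become concrete once you see what sector-wide correlation reveals that a single organisation's logs cannot. The following Python script is an added example, not code from the article or from SektorCERT: it pools firewall log lines from several hypothetical member organisations and flags source addresses that touch Internet-exposed services at three or more members within a short window. The log format, the organisation names, the IP addresses and the list of watched ports (VPN-related ports such as IKE on UDP 500 plus common remote-access ports) are all constructed assumptions for the example, not values taken from the report.

```python
"""Sector-wide correlation of pooled firewall logs (added example).

A single source address probing one member's Internet-facing VPN service
looks like background noise. The same source touching several members'
exposed services within a short window is a campaign indicator that only
appears when logs are analysed across the whole sector.

Everything below (log format, org names, IPs, watched ports) is constructed
sample data; the log format is a hypothetical syslog-style line, not any
vendor's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Hypothetical line format:
#   <timestamp> org=<member> src=<ip> dport=<port> proto=<proto> action=<action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) org=(?P<org>\S+) src=(?P<src>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)

# Constructed sample: three member organisations' firewall logs pooled together.
SAMPLE_LOGS = """\
2023-05-11T08:00:05Z org=gridco src=203.0.113.10 dport=500 proto=udp action=allow
2023-05-11T08:01:12Z org=gridco src=198.51.100.7 dport=443 proto=tcp action=allow
2023-05-11T08:03:40Z org=windpark src=203.0.113.10 dport=500 proto=udp action=allow
2023-05-11T08:04:02Z org=windpark src=192.0.2.55 dport=22 proto=tcp action=deny
2023-05-11T08:07:51Z org=heatnet src=203.0.113.10 dport=500 proto=udp action=allow
2023-05-11T09:30:00Z org=heatnet src=198.51.100.7 dport=443 proto=tcp action=allow
2023-05-12T14:00:00Z org=gridco src=192.0.2.55 dport=500 proto=udp action=allow
"""

# Assumed set of Internet-exposed services worth watching: IKE (UDP 500),
# IKE NAT-T (UDP 4500), HTTPS/SSL-VPN (443) and SSH (22). The correlation
# logic, not this particular list, is the point of the example.
WATCHED_PORTS = {500, 4500, 443, 22}


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def sector_wide_sources(log_text, min_orgs=3, window_seconds=3600):
    """Return {src_ip: sorted orgs} for sources that touched watched ports at
    >= min_orgs distinct member organisations within window_seconds."""
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)  # src -> [(timestamp, org)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WATCHED_PORTS:
            continue
        hits[rec["src"]].append((rec["ts"], rec["org"]))

    flagged = {}
    for src, events in hits.items():
        events.sort()
        # Slide a window starting at each event and count distinct orgs inside it.
        for i, (start, _) in enumerate(events):
            orgs = {org for ts, org in events[i:] if ts - start <= window}
            if len(orgs) >= min_orgs:
                flagged[src] = sorted(orgs)
                break
    return flagged


def per_org_view(log_text, org):
    """What one member sees on its own: only the sources in its own lines."""
    return sorted({
        rec["src"] for rec in map(parse_line, log_text.splitlines())
        if rec and rec["org"] == org and rec["dport"] in WATCHED_PORTS
    })


if __name__ == "__main__":
    # On its own, gridco sees three unremarkable sources; pooled across the
    # sector, one of them stands out as touching all three members in minutes.
    print("gridco alone sees:", per_org_view(SAMPLE_LOGS, "gridco"))
    print("sector-wide flagged:", sector_wide_sources(SAMPLE_LOGS))
```

The per-organisation view shows why local logs alone fall short: each member sees a handful of connections to its own VPN port and nothing more. Only the pooled view, with a sliding time window over each source's events, exposes that one address contacted every member's exposed service within eight minutes, which is the kind of simultaneous strike the article describes as defeating conventional, after-the-fact information sharing.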

For further recommendations view the full SektorCERT report.