On May 11 and 22, two waves of coordinated attacks against 22 energy organizations amounted to the largest coordinated attack against Danish critical infrastructure to date. The hackers exploited multiple vulnerabilities in Zyxel firewalls to establish initial access and executed commands to obtain device configurations and usernames.
- On May 11, the threat actor targeted 16 of the critical infrastructure organizations and leveraged CVE-2020-28771 for initial access. This vulnerability is a critical OS command execution bug in Zyxel’s ATP, USG FLEX, VPN, and ZyWall/USG firewalls. Security researchers first discovered the bug in April.
- On May 22, the threat actor targeted the final 6 critical infrastructure organizations and leveraged CVE-2023-33009 and CVE-2023-33010. After establishing initial access, the hackers deployed various payloads and exploits not seen during the first wave of attacks. Zyxel patched both bugs on May 25.
- SektorCERT, the cybersecurity company that first discovered the incident, stated at least one of the attacks displayed activity associated with Sandworm. This APT actor is Russian state-sponsored and linked to Russia’s GRU military intelligence agency.