Danish Energy Attacks Portend Targeting More Critical Infrastructure

Published: 23/11/2024   Category: security


Targeted attacks against two dozen related companies is just the latest evidence that hackers want a piece of energy.



In May, 22 Danish energy sector organizations were compromised in an onslaught of attacks partially linked with Russia's Sandworm APT.
A new report from the Danish critical infrastructure security nonprofit SektorCERT describes different groups of attackers leveraging multiple critical vulnerabilities in Zyxel firewall devices, including two zero-days, to reach into industrial machinery, forcing some targets to "island," isolating them from the rest of the national grid.
Some but not all of the breaches involved communications with servers known to be used by Sandworm, a group feared for its many previous grid attacks.
But it's not just state-level APTs targeting the energy sector.
A recent report from cybersecurity company Resecurity describes a large uptick in energy sector attacks by cybercriminal groups, which also seemed to play a role in the Denmark attacks.
"Nation-state APTs are the biggest threats targeting energy, because foreign intelligence agencies will use it as a tool of influence on countries' economy and national security," explains Gene Yoo, CEO of Resecurity. He adds, though, that "cybercriminals also play an important role in it, as typically they acquire low-hanging fruits by compromising employees and operators including engineers in the supply chain."
In late April, Zyxel, a communications equipment company, revealed a command injection vulnerability affecting its firewall and VPN device firmware. CVE-2023-28771, which allowed any attacker to craft messages for executing remote, unauthorized OS commands, was assigned a 9.8 Critical CVSS rating.
Many organizations involved in operating Denmark's grid used Zyxel firewalls as a buffer between the Internet and industrial control systems — the systems controlling reliability — and safety-critical equipment. As SektorCERT recalled, it was "a so-called worst case scenario."
The chickens came home to roost two weeks later, on May 11. "The attackers knew in advance who they wanted to hit. Not once did a shot miss the target," SektorCERT explained. Some 11 energy companies were compromised immediately, exposing critical infrastructure to the attackers. At five more organizations, the attackers did not successfully gain control.
With help from law enforcement into the night, all 11 compromised companies were secured. But then seemingly different attackers tried their hand just 11 days later.
This time, with the initial vulnerability under control, the attackers weaponized two zero-days — CVE-2023-33009 and CVE-2023-33010, both 9.8 Critical buffer overflow bugs — affecting the very same firewalls.
They launched attacks against various energy sector companies from May 22 to 25, deploying multiple different payloads, including a DDoS tool and the Mirai variant Moobot. SektorCERT assessed that the attackers tried different payloads to see what would work best, which is why several different ones were downloaded.
During this period, on the advice of authorities or simply out of a sense of cautiousness, multiple targets operated as an island, cut off from the rest of the national grid.
And in some of these cases, a single network packet was communicated from servers known to be associated with Sandworm. Russia, notably, had been carrying out other covert operations in Denmark around the same time. Still, SektorCERT did not provide a definitive attribution.
Though unprecedented in Denmark, on a global scale, nation-state attacks against critical energy companies are not new.
Yoo recalls that "we've seen multiple targeted attacks coming from North Korea and Iran targeting the nuclear energy sector, specifically with the goal of acquiring sensitive intellectual property, and staff information and their access, as well as infiltrating into the supply chain."
But it's not only nation-state APTs. By May 30, a week after the two zero-days were publicized, SektorCERT observed that attack attempts against the Danish critical infrastructure "exploded" — especially from IP addresses in Poland and Ukraine. Where previously individual, selected companies were targeted, "now everyone was shot with a hail of bullets — including firewalls that were not vulnerable."
"They see the high risk and the corresponding high reward," Drew Schmitt, practice lead at GuidePoint Security, explains of cybercriminal outfits. "As more groups like Alphv, Lockbit, and others continue to successfully attack the energy sector, more ransomware groups are noticing the potential gain of targeting and impacting these types of organizations. Additionally, victims in the energy sector add a lot of street cred to the groups that are successfully attacking these organizations and getting away with it."
As Denmark demonstrated, such attacks are only stopped when effective monitoring and defense is paired with partnership between companies and law enforcement. "At the end of the day, this is a problem that needs to be tackled holistically and coordinated between multiple teams and tools," Schmitt concludes.
