An IT defense non-profit funded by Denmark’s critical infrastructure companies has revealed that the country’s energy infrastructure was bombarded by cyber attacks in May of this year, most tied to known Zyxel vulnerabilities and likely perpetrated by multiple groups including Russian intelligence.
The organization revealed that the cyber attacks were a problem primarily due to members refusing to install updates that patched out firewall vulnerabilities, for a variety of reasons (very few of them good). 16 energy infrastructure companies were targeted and 11 were compromised immediately, the other five only apparently dodging a breach because the attackers were sloppy in their technique.
Energy infrastructure experienced historic level of attacks
The information on the energy infrastructure attacks comes from SektorCERT, an organization that the country’s critical infrastructure companies have formed to handle cyber defense. 22 of the companies that SektorCERT works with were breached over a period of about three weeks, primarily due to the organizations having vulnerable brands of Zyxel firewalls in place as a standard defensive measure.
The breaches followed on from vulnerabilities disclosed in April, primarily CVE-2023-28771. However, the energy infrastructure devices were not visible to the scanning tools (such as Shodan) that hackers usually make use of in the wake of public vulnerability disclosures. That, along with certain tools and zero-days used in the attacks, leads SektorCERT to believe that advanced persistent threat groups backed by nation-states were responsible. The report specifically names Russia’s Sandworm group, a highly advanced team known to be a direct part of the GRU, as one of the suspects. “Multiple” groups were reportedly involved, however, and some were not as successful as others.
Dr. Ilia Kolochenko, Founder of ImmuniWeb, notes that being a suspect is not the same as a confirmation: “Attribution of attacks targeting critical infrastructure remains a highly complex, multifaceted and uncertain task. Sophisticated threat actors may purposely frame each other, as well as known hacking groups, hacktivists or even some notorious nation states. At the same time, the abundance of vulnerable devices and servers with publicly known and exploitable-in-default-configuration vulnerabilities greatly facilitate such attacks. Worse, countless bots may automatically exploit some simple vulnerabilities, creating a lot of noise in logs and making investigation a time-consuming task. Moreover, some devices have limited storage capabilities and older logs are simply unavailable. With the upcoming implementation of NIS 2 directive, the situation shall become slightly better but European governments will be required to allocate significantly more money to the protection of national infrastructure from cyber attacks.”
The Zyxel firewall vulnerabilities essentially allowed attackers to walk right in and take complete control, but patches accompanied their public disclosure in April. SektorCERT notes that many organizations under its watch did not install the patches, however, for a variety of reasons. Some simply believed that because the firewall was relatively new, it could not be vulnerable. Others were aware of the need for patching but thought that it was taken care of at the vendor’s end. Some said that their suppliers did not tell them that these particular devices were installed (and did not have an inventory keeping track of them), while others opted out of patching because the supplier charged an extra fee for it.
SektorCERT says that it alerted members to the threat and urged them to install the necessary patches, but weeks went by in which the energy infrastructure companies remained vulnerable and gave the attackers an extended window. The first wave of cyber attacks involved the 16 companies with 11 breaches in total, and then there was a lull for about 10 days before a second wave began. The second wave attempted to add the companies to the Mirai botnet for DDoS attacks against two companies in the US and Hong Kong. This was followed by a final wave beginning around May 24, the one that Sandworm is associated with and that compromised six more organizations. However, though firewalls had to be fully replaced in some cases, none of the incidents are thought to have had a material impact on the country’s critical infrastructure.
Critical infrastructure companies face constant cyber attack threats from advanced hackers
The incident further highlights the 1-2 punch that energy infrastructure companies face, as they are eyed both by nation-state hacking teams and by criminals as priority targets for cyber attacks. This was the largest campaign of attacks on Danish critical infrastructure to date.
The Zyxel firewall vulnerability that was exploited by this cyber attack is exactly the sort of thing that organizations of all types cannot afford to leave unpatched, but particularly something as sensitive as energy infrastructure. The vulnerability earned a CVE rating of 9.8, nearly the maximum possible, due to attackers being able to take total control of the device simply by sending carefully crafted network packets without any need for credentials. The SektorCERT paper provides valuable insight into exactly why organizations will opt to skip patches even when they are demonstrated to be critical for security. In many cases it was a simple lack of fundamental knowledge, either due to not even knowing that the device was present or due to mistakenly believing that a new and up to date device would be secure and/or automatically updated.
Dave Ratner, CEO of HYAS, notes that organizations should expect published zero-days to be exploited nearly immediately: “Bad actors will build their own databases of which organization utilizes which suppliers, so that when a new zero-day vulnerability becomes known they can strike almost instantaneously. Staying current on patches is of course always recommended; however, even this may not be enough if the criminals exploit the zero-day first. It’s just one more reason to implement an operational resiliency strategy and ensuring a complete security-in-layers approach.”
SektorCERT concluded the paper with a number of recommendations based on the experience. The first is to review all services that are internet-connected, removing them from exposure if it is not necessary. The general state of network ignorance seen among these energy infrastructure companies also serves as a prompt to review and map network inputs to OT systems. And when systems cannot be adequately protected, consider segmentation of the network to slow cyber attacks down and provide opportunities to freeze their progress.