Denmark hit with largest cyberattack on record


Hackers potentially linked to Russia’s military intelligence carried out a series of highly coordinated cyberattacks on Danish energy infrastructure in the spring, a new report says.

SektorCERT, a non-profit cybersecurity center for critical sectors in Denmark, said in the report that it was the nation’s largest cyber incident on record.

According to SektorCERT’s experts, attackers gained access to the systems of 22 companies overseeing various components of Denmark’s energy infrastructure in May 2023.

ADVERTISEMENT

In the worst-case scenario, more than 100,000 people in Denmark could have been left without electricity or heating – if the hackers had chosen to turn off power from the infrastructure they had gained control of.

Fortunately, the attack was quickly discovered – security holes were closed, and the companies’ customers were not affected. Still, several companies had to go into island mode (off-grid) operation to isolate their systems and prevent the spread of the attack.

“The attackers knew in advance who they were going to target and got it right every time. Denmark is constantly under attack. But it is unusual that we see so many concurrent, successful attacks against the critical infrastructure,” SektorCERT said.

The report (PDF) says that zero-day vulnerabilities in Zyxel firewalls used by many Danish infrastructure operators to protect their networks were exploited. Most of the attacks were possible because the companies had not updated their firewalls, said SektorCERT.

It said that several companies had opted out of the software update because there was a charge for installation. Some companies mistakenly assumed the relatively new Zyxel firewalls already featured the latest updates, and others wrongly believed the vendor was responsible for implementing the updates.

The organization also indicated that a state actor may have been involved in one or more attacks. That’s also because the attack is “remarkable” for its meticulous planning – even though it seems that the purpose of the cyberattack was mere intelligence gathering.

Eleven Danish companies were immediately compromised, according to the report, and the simultaneous attack prevented the energy firms from warning others about the hit “since everyone was attacked at the same time.”

The report does not clearly point to who is believed to be behind the attack. However, SektorCERT's analysis indicated traffic on breached networks came from servers associated with a unit of Russian military hackers.

ADVERTISEMENT

It’s the Russian military intelligence service GRU's infamous Unit 74455, popularly known as Sandworm. The state-sponsored hacker collective has notoriously attacked critical infrastructure operations in Ukraine, invaded by Russia in February 2022.

A report published earlier this month by Mandiant, an American cybersecurity company, said the hacking group had used novel techniques to conduct a targeted attack on a Ukrainian power substation in late 2022.