14 November 2023

More than 20 Danish energy firms compromised in a large-scale cyberattack


22 companies that operate parts of the Danish energy infrastructure were hit in an extensive coordinated cyberattack in May of this year, with the attackers gaining access to some of the firms' industrial control systems. The revelation comes from SektorCERT, a non-profit cybersecurity center for critical sectors funded by Danish critical infrastructure companies.

The first wave of targeted attacks against 16 Danish energy companies occurred on May 11. To gain access to the victims’ networks the threat actors exploited a remote command execution vulnerability (CVE-2023-28771) in Zyxel firewalls patched by the vendor back in April 2023.

“The vulnerability itself was exploited by sending a single specially crafted data packet to port 500 over the protocol UDP towards a vulnerable Zyxel device. The packet was received by the Internet Key Exchange (IKE) packet decoder on the Zyxel device. Precisely in this decoder was the said vulnerability,” SektorCERT explained in a report. “The result was that the attacker could execute commands with root privileges directly on the device without authentication. An attack that could be performed by sending a single packet towards the device.”

The attackers gained a foothold and took control of the firewalls of 11 energy companies but failed to compromise the other five targets. According to SektorCERT, the attacks were blocked before the threat actor could use its access against critical infrastructure.

The second series of attacks took place in May 2023 and was likely carried out by another threat actor. Currently, it’s unclear whether the groups worked in tandem, worked for the same employer or were completely unaware of each other’s existence.

This attack was carried out using new tools and two Zyxel zero-day flaws (CVE-2023-33009 and CVE-2023-33010) that could allow remote code execution. In some cases, the attackers used access to compromised firewalls to ensnare the devices in the Mirai Moobot botnet and conduct DDoS attacks. In another instance, the threat actor exploited the victim’s infrastructure to participate in a brute force attack via SSH against a firm in Canada.

The experts have also noticed signs that nation-state hackers, namely the Russia-linked military hacking division Sandworm, were attempting to take advantage of vulnerable Zyxel firewalls.

“In SektorCERT’s three years of operation, we have never seen signs that these APT groups have attacked Danish critical infrastructure. Their activities tend to be reserved for goals that the states they work for want to disrupt due to various political or military considerations,” the cybersecurity organization noted.

On the same note, the US Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to secure Juniper devices on their networks against four vulnerabilities (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) in J-Web that are now being exploited in remote code execution (RCE) attacks as part of a pre-auth exploit chain.
