
Cyber Incident Victim: Denmark

Date: May 2023

Location: Denmark

Summary

A coordinated cyberattack compromised 22 Danish critical infrastructure organizations through exploitation of vulnerabilities in Zyxel firewalls, including CVE-2023-28771 and potential zero-days. Attackers gained control of industrial control systems, forcing multiple entities into island mode operation to prevent further intrusion. The multi-wave campaign involved distinct threat actors, with one wave deploying Mirai botnet payloads for DDoS operations and another exhibiting possible state-linked activity through limited communication with infrastructure associated with Sandworm APT. SektorCERT's network sensors detected anomalous traffic patterns across targets, enabling rapid response that prevented operational disruptions despite systemic vulnerabilities across decentralized energy systems. The incident marked Denmark's most extensive recorded cyberattack against critical infrastructure.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In May 2023, Danish critical infrastructure experienced its most extensive cyberattack on record, compromising 22 energy sector companies within days. The initial wave occurred on May 11 when attackers exploited CVE-2023-28771, a critical vulnerability in Zyxel firewalls with a 9.8 CVSS score, enabling unauthenticated remote code execution. Sixteen specifically targeted organizations received crafted UDP packets on port 500, with eleven immediately compromised as attackers executed commands to extract firewall configurations and credentials. Five attempts failed, potentially due to malformed packets. The attackers demonstrated precise targeting of vulnerable Zyxel devices not publicly listed on scanning services like Shodan, suggesting pre-operational reconnaissance. SektorCERT's sensor network detected the coordinated attacks across multiple entities simultaneously, preventing attackers from leveraging initial access for further infrastructure manipulation. An emergency response team worked beyond normal hours to contain breaches, collaborating with affected members, suppliers, and authorities including Denmark's National Center for Cybercrime (NC3) and Center for Cyber Security.


A second attack wave commenced on May 22 using previously unknown Zyxel vulnerabilities later designated as CVE-2023-33009 and CVE-2023-33010, indicating potential zero-day exploitation. Attackers compromised firewalls to download malicious payloads like MIPSkiller and Mirai variants, repurposing devices into botnets launching DDoS attacks against targets in Hong Kong (156.241.86.2) and the United States (63.79.171.112). Multiple organizations disconnected internet access, entering island mode operation to isolate compromised systems, with one remaining offline for six days after firewall replacement. On May 24-25, SektorCERT observed single TCP packets sent to IP addresses historically associated with Sandworm (217.57.80.18:10049 and 70.62.153.174:20600) from compromised systems, though attribution remained unconfirmed. The final attacks on May 30 involved mass exploitation attempts from Polish and Ukrainian IPs after public release of exploit code, though patched systems prevented further breaches. Impacts included operational disruptions requiring manual intervention at remote sites, loss of network visibility, and temporary participation in third-party attacks. SektorCERT's cross-sector monitoring and rapid coordination with stakeholders mitigated potential physical consequences for Denmark's energy supply.

Sources
Sources available to members
2 sources