Denmark’s Energy Sector Faces Increasing Cyberattack Risk

Energy Sector Cyberattack

According to information disclosed by Denmark’s cyber security center, SektorCERT, in May this year, a coordinated cyber assault targeted 22 Danish energy companies. The attack was so severe that some of these companies were compelled to operate in isolation, severing connections with other energy firms and critical infrastructures.

Given that these energy companies are integral to Denmark’s critical infrastructure, the potential impact of such a cyberattack is immense. This incident also signifies the hackers’ capability to cripple a nation or region’s critical infrastructure through cyber warfare.

The objectives of this hacking group remain unclear, but their precision in targeting each entity and their premeditated gathering of intelligence data and identification of exploitable vulnerabilities, followed by a synchronized onslaught, underscore their strategic planning.

Among the 22 targeted energy companies, 11 fell victim to the initial wave of attacks on May 11th. The method employed was not particularly sophisticated, exploiting the companies’ failure to apply security patches.

These compromised energy companies utilized firewall devices provided by the Taiwanese network equipment manufacturer Zyxel. In late April, Zyxel announced a security vulnerability in their products, rated 9.8 on the CVSS scale, and concurrently released a patch.

However, the affected companies did not promptly apply this patch, allowing the attackers to exploit the vulnerability in Zyxel’s firewall to execute system commands and infiltrate the companies’ internal networks. During the attack, some unpatched Zyxel firewalls were also infected with the Mirai worm virus, which then incorporated these devices into a botnet. This botnet was used to launch DDoS attacks against companies in Hong Kong and the USA.

Typically, large-scale coordinated attacks against energy companies or other critical infrastructures are politically motivated. However, the use of worm-infected devices for DDoS attacks seems rather unsophisticated, suggesting that these incidents might be unrelated. The hackers behind the worm infection, possibly different from those initiating the primary attack, exploited the worm to automatically infect vulnerable devices, opportunistically expanding their botnet for DDoS purposes.