The importance of keeping up with patching is stressed at every turn, and particularly for publicly disclosed vulnerabilities that carry high CVSS scores. So why do organizations continue to be caught with their pants down? A new report about cyber attacks on Denmark’s energy infrastructure provides some insight.
SektorCERT, a private non-profit organization contracted by numerous critical infrastructure companies in the country to provide cybersecurity, recently issued a report on a May wave of cyber attacks that targeted (and compromised a good deal of) the country’s energy infrastructure. The leading cause of the trouble appears to have been endemic refusal to patch, even over a month after the central vulnerability had been disclosed and other companies in the ecosystem were being breached.
Denmark cyber attacks exploited known vulnerable Zyxel devices
Energy infrastructure has become a leading target both for intelligence-seeking APT groups and profit-seeking criminal groups, and the cyber attacks in Denmark may well have been made up of a mix of both.
The attackers exploited a Zyxel firewall vulnerability with a CVSS score of 9.8 that was disclosed in April. The attacks began in early May, however, and the energy infrastructure devices were not configured to be visible to scanners such as Shodan. This suggests that the attackers had some inside knowledge that the companies protected by SektorCERT tend to use these firewalls as a standard defensive tool.
That, together with some evidence pointing to Russia’s GRU-linked Sandworm group as a potential culprit, suggests nation-state teams conducting espionage. It appears that there was a mix of attackers, however, including one that enrolled compromised systems in the Mirai botnet for a time for use in attacks against targets elsewhere in the world.
There are understandable delays in patching, as organizations all over the globe struggle to maintain enough personnel to keep up with security tasks. However, one would think a vulnerability of this sort would move immediately to the front of the list once disclosed. A total of 22 organizations were compromised by cyber attacks in this campaign, and five more energy infrastructure companies would have been if the threat actors had not malformed their attack packets.
Denmark’s energy infrastructure companies show worrying lack of preparation
The cyber attacks went on for about three weeks, with a long pause in the middle as the initial attacker seemingly ceased their activity and new attackers eventually moved in. SektorCERT did not confirm that Sandworm was involved, but suspected them of being the final attacker in the dogpile and compromising at least six energy infrastructure companies.
The report goes into detail about why some of the energy infrastructure companies opted to skip patching. Some said that they do not have an inventory of devices and simply did not know that they had the impacted Zyxel firewalls. Some said that they opted not to pay the extra fee their supplier charged for patching. Some believed that since the Zyxel devices were still fairly new, they would automatically be secure, or that Zyxel would update them remotely with no engagement on their end.
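Two of the failure modes the report lists, no asset inventory and an assumption that the devices were already patched, are both catchable with a routine reconciliation check. The following Python script is an added example written for this article, not tooling from SektorCERT, Zyxel or the report: it compares an asset register against what a network discovery scan actually saw, flags devices the register does not know about, and flags devices of the affected vendor whose firmware is below the fixed release (or whose firmware could not be read at all). The device records, the product label and the fixed firmware version are constructed placeholders; the real fixed version has to come from the vendor advisory for the vulnerability in question.

```python
"""Reconcile a device inventory against a network discovery scan.

Added illustration, not SektorCERT's or Zyxel's tooling. Two failure modes from
the report are "we had no inventory, so we did not know we ran the affected
firewalls" and "we assumed the devices were patched already". This check flags
both: devices seen on the network that the register does not list, and devices
of the affected vendor whose firmware is older than the fixed release.
Every record and version below is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import re

AFFECTED_VENDOR = "zyxel"
# Hypothetical placeholder: take the real fixed version from the vendor advisory.
FIXED_FIRMWARE = "5.36.2"


@dataclass(frozen=True)
class Device:
    serial: str
    vendor: str
    product: str
    firmware: Optional[str]  # None when the discovery scan could not read it


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.36.1' or '5.36 Patch 1' into a tuple that compares numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable_firmware(firmware: Optional[str], fixed: str = FIXED_FIRMWARE) -> bool:
    """Unknown firmware counts as vulnerable: absence of evidence is not a patch."""
    if firmware is None:
        return True
    return parse_version(firmware) < parse_version(fixed)


def reconcile(inventory: List[Device], discovered: List[Device]) -> List[Tuple[str, str]]:
    """Return sorted (finding, serial) pairs.

    'not_in_inventory': seen on the network but unknown to the asset register.
    'unpatched': affected vendor with firmware below FIXED_FIRMWARE or unreadable.
    Scan data wins over register data, because the register may be stale.
    """
    inv = {d.serial: d for d in inventory}
    seen = {d.serial: d for d in discovered}
    findings: List[Tuple[str, str]] = []
    for serial in sorted(inv.keys() | seen.keys()):
        record = seen.get(serial) or inv[serial]
        if serial not in inv:
            findings.append(("not_in_inventory", serial))
        # Prefer the firmware the scan observed; fall back to the register's value.
        firmware = record.firmware
        if firmware is None and serial in inv:
            firmware = inv[serial].firmware
        if record.vendor.lower() == AFFECTED_VENDOR and is_vulnerable_firmware(firmware):
            findings.append(("unpatched", serial))
    return sorted(findings)


# Constructed sample data: serials, product label and versions are placeholders.
CONSTRUCTED_INVENTORY = [
    Device("FW-001", "Zyxel", "firewall (model placeholder)", "5.36.2"),  # patched
    Device("FW-002", "Zyxel", "firewall (model placeholder)", "5.35.0"),  # known, unpatched
    Device("SW-010", "OtherVendor", "core switch", "1.0"),               # not affected
]
CONSTRUCTED_DISCOVERY = [
    Device("FW-001", "Zyxel", "firewall (model placeholder)", "5.36.2"),
    Device("FW-002", "Zyxel", "firewall (model placeholder)", "5.35.0"),
    Device("FW-003", "Zyxel", "firewall (model placeholder)", None),  # unknown to the register
    Device("SW-010", "OtherVendor", "core switch", "1.0"),
]


def run_example() -> List[Tuple[str, str]]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(CONSTRUCTED_INVENTORY, CONSTRUCTED_DISCOVERY)


if __name__ == "__main__":
    for finding, serial in run_example():
        print(f"{finding:18} {serial}")
```

The two design choices worth copying are that an unreadable firmware version is reported as unpatched rather than silently skipped, and that the scan's observed firmware overrides whatever the register claims, so a stale "patched" entry cannot hide a device that was never actually updated. In practice the discovery list would come from a network scanner or the firewall management console export, and the register from the CMDB.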
Needless to say, this is a rather shocking state of affairs for national critical infrastructure that keeps the lights on, made worse by the fact that SektorCERT actively warned its clients about the risk and many continued to ignore it for weeks anyway. The silver lining is that none of the compromises is thought to have had a material impact on the nation.