With the report “Attack on Danish Critical Infrastructure,” the Danish SectorCERT delves into the recently thwarted cyber attack on Danish critical infrastructure. The attack was directed at Zyxel firewalls, and the Sandworm group is believed to be behind it. 

Notably, it’s an APT group increasingly focused on rapid and agile cyber attacks. 

Kennet Harpsøe

Senior Cyber Analyst

Assumptions about Sandworm 

Sandworm is a well-known hacker group, highly likely to be a branch under the Russian military intelligence service GRU. The group is known for the 2015 BlackEnergy attack in Ukraine, where they managed to disrupt several transformer stations in the Ukrainian power grid by hacking a control center. 

The BlackEnergy attack was characterized by specially developed modular malware, which took a significant amount of time to develop and target. Hence, the long-standing assumption has been that using cyber attacks to disrupt or destroy critical infrastructure is an expensive, unreliable, and slow process compared to, for example, attacking infrastructure with kinetic weapons. Therefore, it has not been considered a significant risk. 

In light of recent attacks in Ukraine and the described attack on Zyxel firewalls in critical Danish infrastructure, it's high time to reconsider these assumptions. 

Faster, Smarter, and Harder to Prevent 

Mandiant recently described an attack on the Ukrainian power grid between June 2022 and October 12, 2022. Here, Sandworm succeeded in compromising a Ukrainian power company by installing a web shell on an internet-facing server and establishing a C2 tunnel. Subsequently, Sandworm managed to locate a hypervisor running a virtual machine with the SCADA control software MicroSCADA, which manages the power company's transformer stations using the protocols IEC 104 and IEC 101.  

Sandworm exploited the hypervisor to mount an ISO file with an autorun script that sent commands to the MicroSCADA system using an official MicroSCADA utility called scilc.exe. These commands disrupted the transformer stations.  

The specific hypervisor was configured to execute autorun scripts on mounted ISO files by default. 

Three aspects of this attack are highly noteworthy: 

  • There is no malware targeting the OT (Operational Technology) systems. It's all about the creative use of standard software and functionalities, a method often referred to as "Living off the land." 
  • Sandworm likely took less than 2 months to develop the attack on the OT systems, within an intelligence service that presumably is unusually busy due to GRU's direct involvement in the war between Russia and Ukraine. 
  • Sandworm is keen on erasing their tracks, such as with the wiper CaddyWiper. 

This finding makes the attack described by SectorCERT in the report "Attack on Danish Critical Infrastructure" even more alarming. The attack in Denmark was targeted, and the actor took care not to be detected by sending one and only one compromising packet to the involved routers. It demonstrates that the actor had the time and resources to be meticulous and coordinate their attack. 

Fortunately, the attack was discovered due to a well-established sensor network and astute employees. Assuming that the actor had succeeded in infiltrating critical infrastructure and used the same strategy as described by Mandiant, it would be a matter of months, not years, before an actor would likely be able to quite literally turn the lights off. Commonly used "fire and forget" protection mechanisms, such as antivirus clients, are unable to prevent an attack like the one described because there is no malware involved. 

Detection is a Necessity 

Malware from the BlackEnergy attack and the subsequent Crashoverride attack in 2016 surfaces from time to time. For example, the malware from the Industroyer2 attack in Ukraine in 2022 was recognized by some antivirus clients as it reused a few components from the Crashoverride malware, also known as Industroyer. However, in the recent attack in Ukraine, there is no malware, so there is nothing to recognize and no malware that an antivirus client can block. 

An important lesson in the cybersecurity world is: "Prevention is ideal, but detection is a must." 

SectorCERT's work also demonstrates that detection is crucial. To prevent attacks, we need to collect logs and gather them in independent systems like a SIEM (Security Information and Event Management). Since Sandworm is focused on erasing their tracks, we also need something outside the systems to collect logs so that we can trust they're not tampered with. 

When there's no malware, we need to focus on what systems normally do and when they do something they usually don't. Therefore, log collection is important. We need to gather logs from endpoints, the network, and central servers. And we need to design our networks and processes to be defensible. We need a good starting point to build and maintain "hygienic" systems. CIS's 18 critical controls, summarizing 30 years of best practices, are a good starting point.
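
To make "what systems normally do" concrete, the sketch below is an added example, not code from SectorCERT, Mandiant or the author. It builds a per-host baseline of parent/child process pairs from centrally collected logs and flags anything outside it, with a higher severity when the child is the OT utility scilc.exe. All host names, paths and parent processes are constructed for illustration.

```python
from collections import Counter
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation events: (host, parent image, child image).
# Host names, parents and paths are made up for this example.
HISTORY = [
    ("scada-vm1", r"C:\app\hmi_service.exe", r"C:\app\scilc.exe"),
    ("scada-vm1", r"C:\app\hmi_service.exe", r"C:\app\scilc.exe"),
    ("scada-vm1", r"C:\Windows\System32\services.exe", r"C:\app\hmi_service.exe"),
    ("scada-vm1", r"C:\Windows\System32\services.exe", r"C:\app\hmi_service.exe"),
    ("eng-ws2", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    ("eng-ws2", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    ("eng-ws2", r"C:\Windows\explorer.exe", r"C:\tools\once.exe"),  # seen only once
]
TODAY = [
    ("scada-vm1", r"C:\app\hmi_service.exe", r"C:\app\scilc.exe"),       # normal
    ("scada-vm1", r"C:\Windows\System32\cmd.exe", r"C:\app\scilc.exe"),  # new parent
    ("scada-vm1", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),  # normal on eng-ws2 only
]
WATCHED = {"scilc.exe"}  # the MicroSCADA utility named in the article


def norm(event):
    """Case-fold the triple; Windows paths and host names are case-insensitive."""
    host, parent, child = event
    return host.lower(), parent.lower(), child.lower()


def build_baseline(history, min_seen=2):
    """Keep (host, parent, child) triples seen at least min_seen times.

    One-off executions stay out of the baseline so a single earlier
    intrusion step does not become 'normal'.
    """
    counts = Counter(norm(e) for e in history)
    return {triple for triple, n in counts.items() if n >= min_seen}


def detect(events, baseline, watched=WATCHED):
    """Return sorted (severity, host, parent, child) for triples outside the baseline."""
    alerts = []
    for event in events:
        triple = norm(event)
        if triple in baseline:
            continue
        severity = "high" if basename(triple[2]) in watched else "review"
        alerts.append((severity, *triple))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(TODAY, build_baseline(HISTORY)):
        print(alert)
```

The baseline is keyed per host, so a pair that is routine on an engineering workstation still raises an alert the first time it appears on the SCADA server.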