Danish critical energy infrastructures targeted by a cyberattack on an unprecedented scale



As winter approaches, the nightmare of French officials responsible for the security of information systems in the energy sector has (almost) become a reality in Denmark. Sektor-Cert, the Danish incident response center dedicated to critical infrastructure, has just reported “the largest cyberattack ever observed against critical infrastructures”.


“If we had not discovered and stopped the attack in time, the consequences could have been serious for the electricity supply in Denmark,” summarizes Søren Maigaard-Tobiasen, the spokesman for this association, which brings together Danish companies in the critical infrastructure sector.

22 companies affected

Unveiled in the fall, this coordinated computer attack, detailed in a 32-page report, affected a total of 22 Danish companies during the month of May. It all started a few weeks after the announcement, at the end of April, of a particularly critical vulnerability in firewalls from the Taiwanese manufacturer Zyxel.


Sixteen Danish companies were then targeted by an attacker exploiting this flaw. The attacker operated by sending a data packet to port 500, over the UDP protocol, to the vulnerable Zyxel device. The attack succeeded against eleven targets; the failure in the other five cases is attributed to a problem of methodology.



“They knew exactly where to strike, while information on vulnerable terminals was not available on services like Shodan”, observe the Sektor-Cert experts. This is proof, in their assessment, that the attacker was well informed and sought to remain very discreet by avoiding making too much noise on the network.

Coordinated attack

As the association also points out, it is quite remarkable that so many companies in the same sector were attacked at the same time. This kind of coordination “requires planning and resources,” it notes. It is a very effective modus operandi: a first victim does not have time to warn its peers of a new malicious campaign.


Once spotted, however, this first coordinated attack fell through thanks to the rapid response of the IT security teams of the targeted companies. But on May 22, Sektor-Cert this time observed the hijacking of a firewall by the Mirai botnet, after the initial compromise of the device. It was then used in two denial-of-service attacks against two targets in the United States and Hong Kong.


“This could indicate that one or more attackers” were already aware of the two new vulnerabilities, which were finally identified and reported by Zyxel on May 24, emphasizes Sektor-Cert. Several companies were attacked again in the following days via their firewalls from this manufacturer.

Traces of Sandworm

One of the latest malicious actions detected has been linked to the Sandworm group of state hackers, the Danes specify. They spotted the use of servers and IP addresses associated with this group, which the Americans suspect of being an arm of a Russian intelligence service, the GRU. The group is accused in particular of having been behind the Macron Leaks or the hack of the PyeongChang Olympic Games.


The Danes, however, remain cautious about a possible involvement of Sandworm in the malicious campaign, for lack of additional evidence. The European energy sector has been under particular pressure since the beginning of the Russian invasion of Ukraine, in February 2022. ANSSI had also reported at the beginning of the year, during its annual press conference, that it was monitoring this sector.
