

Rewterz Threat Alert – Lazarus (aka Hidden Cobra) APT Group – Active IOCs
November 16, 2023
Rewterz Threat Alert – STOP (DJVU) Ransomware – Active IOCs
November 16, 2023
Severity
High
Analysis Summary
Threat actors linked to Russia carried out the largest cyberattack on Danish critical infrastructure to date, compromising 22 companies that operate parts of the country's energy sector in May 2023.
Denmark's cybersecurity researchers said in a report, "22 companies that operate parts of the Danish energy infrastructure were compromised in a coordinated attack. The result was that the attackers gained access to some of the companies' industrial control systems and several companies had to go into island mode operation."
Researchers tentatively link some of the attacks to Sandworm, the group attributed to Russia's GRU military intelligence agency and known for sophisticated operations aimed at disrupting industrial control systems. The attribution rests on IP addresses used in the campaign that have previously been associated with the group, so it should be treated as indicative rather than conclusive.
The coordinated attacks took place on 11 May and exploited CVE-2023-28771 (CVSS 9.8), an unauthenticated OS command injection flaw in the IKE packet decoder of Zyxel ZyWALL, USG, USG FLEX, ATP and VPN series firewalls that can be triggered by a crafted packet sent to UDP port 500. Zyxel disclosed and patched the flaw in April 2023, roughly two weeks before it was used here.
Of the 22 companies, 11 were compromised outright; the attackers executed code on the firewalls to enumerate their configurations and decide on their next steps. Striking every target at the same time requires planning and resources, but it also denies the victims any early warning: no company could learn of the attack on another in time to harden itself.

Between 22 and 25 May a second wave hit additional organizations, using tooling that had not been seen before. This raised the possibility that two distinct APT groups were involved; whether they collaborated or acted independently remains unclear.
The second wave exploited two further critical flaws in Zyxel firewalls, CVE-2023-33009 and CVE-2023-33010, both buffer overflows in the firewall firmware, reportedly as zero-days, to conscript the devices into the Mirai and MooBot botnets. Zyxel released patches for both on 24 May 2023.
The compromised devices were then used for distributed denial-of-service (DDoS) attacks against companies in the U.S. and Hong Kong. Once exploit code for some of the bugs became public, attacks against Danish critical infrastructure increased tenfold, with most source IP addresses located in Poland and Ukraine.
State-backed actors are not the only ones targeting the energy sector; ransomware gangs have also increased their focus on it. Separately, researchers identified six hosts belonging to a Moscow-based IT contractor alleged to have supplied offensive cyber tooling to Russian intelligence agencies, including Sandworm.
Impact
- Operational Disruption
- Code Execution
- Unauthorized Access
Indicators of Compromise
MD5
- 5b0f10b36a240311305f7ef2bd19c810
- 9a7823686738571abf19707613155012
SHA-256
- bc1a3ff3d3677593aca94c15c88f95623f12309057c77fb26d5145aac9afae39
- a6a814fa4868d42a0b7f9ac1706ee52f61d4355c7832e9d220a1c36e1efb47a7
SHA-1
- 6c2da04cd253e5dd43ace04f08df78e62147145b
- cf8038258f60dbe2c6377420ba69772605538171
Domain Name
- joshan.pro
IP
- 45.89.106.147
- 145.239.54.169
- 176.124.32.84
- 91.235.234.81
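A hunting script for the indicators above, as an added example (not Rewterz tooling): it scans a batch of log lines for the listed IPs, the domain (including subdomains) and the hashes, and separately flags connections that the firewall itself initiated to an IOC address, which is the post-exploitation beacon you would expect after code execution on the device. The key=value log format and the sample lines are constructed for illustration; adapt the parsing to your own syslog or EDR export.

```python
"""IOC hunt over sample log lines for the indicators in this alert.

Added example, not Rewterz tooling. The log format and SAMPLE_LOGS below are
constructed; the IOC values are the ones listed in the alert.
"""
import ipaddress
import re
from collections import defaultdict

# IOCs copied from the alert.
IOC_IPS = {"45.89.106.147", "145.239.54.169", "176.124.32.84", "91.235.234.81"}
IOC_DOMAINS = {"joshan.pro"}
IOC_HASHES = {  # MD5, SHA-1 and SHA-256, lower-cased so matching is case-insensitive
    "5b0f10b36a240311305f7ef2bd19c810",
    "9a7823686738571abf19707613155012",
    "6c2da04cd253e5dd43ace04f08df78e62147145b",
    "cf8038258f60dbe2c6377420ba69772605538171",
    "bc1a3ff3d3677593aca94c15c88f95623f12309057c77fb26d5145aac9afae39",
    "a6a814fa4868d42a0b7f9ac1706ee52f61d4355c7832e9d220a1c36e1efb47a7",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)   # letters-only TLD, so IPs never match
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)
KV_RE = re.compile(r"(\w+)=(\S+)")                               # key=value fields (constructed format)

# Constructed sample lines: inbound IKE from an IOC address, the firewall calling
# back out to another IOC address, a DNS query for a subdomain of the IOC domain,
# an EDR file event with an upper-cased IOC SHA-256, and one benign line.
SAMPLE_LOGS = [
    "2023-05-11T03:12:44Z fw01 conn: src=45.89.106.147 dst=203.0.113.10 proto=udp dport=500",
    "2023-05-11T03:12:45Z fw01 conn: src=203.0.113.10 dst=176.124.32.84 proto=tcp dport=443 dir=out",
    "2023-05-11T03:13:02Z fw01 dns: query=c2.joshan.pro type=A",
    "2023-05-11T03:15:10Z host7 edr: file=/tmp/.x sha256=BC1A3FF3D3677593ACA94C15C88F95623F12309057C77FB26D5145AAC9AFAE39",
    "2023-05-11T03:20:00Z fw01 conn: src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=443",
]


def domain_matches(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one (case-insensitive, trailing dot ignored)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_line(line: str) -> set:
    """Return the set of IOCs (normalized to lower case) found in one log line."""
    hits = set()
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(ip)          # drop regex matches that are not real IPv4 (e.g. 999.1.1.1)
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.add(ip)
    for host in HOST_RE.findall(line):
        if domain_matches(host):
            hits.add(host.lower())
    for h in HASH_RE.findall(line):
        if h.lower() in IOC_HASHES:
            hits.add(h.lower())
    return hits


def hunt(lines) -> dict:
    """Map each IOC seen to the 1-based line numbers where it appears."""
    found = defaultdict(list)
    for i, line in enumerate(lines, 1):
        for ioc in scan_line(line):
            found[ioc].append(i)
    return dict(found)


def firewall_egress_to_ioc(lines) -> list:
    """Lines where the firewall itself opened an outbound connection to an IOC IP.

    A perimeter device initiating traffic to attacker infrastructure is the
    signal of post-exploitation code running on the firewall, not just a scan.
    """
    out = []
    for i, line in enumerate(lines, 1):
        fields = dict(KV_RE.findall(line))
        if fields.get("dir") == "out" and fields.get("dst") in IOC_IPS:
            out.append((i, fields["dst"]))
    return out


if __name__ == "__main__":
    for ioc, where in sorted(hunt(SAMPLE_LOGS).items()):
        print(f"{ioc}: lines {where}")
    for n, dst in firewall_egress_to_ioc(SAMPLE_LOGS):
        print(f"line {n}: firewall-initiated connection to IOC {dst}")
```

Hash matching is done on whatever hex strings appear in the line, so the same scan works on an exported file inventory; the subdomain match matters because C2 hosts are typically addressed as subdomains of the listed domain rather than the apex.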
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls, including firewall connection logs, DNS logs and endpoint file hashes.
- Advise users to be cautious when opening attachments or clicking on links in emails, especially those from unknown sources.
- Employ robust email filtering solutions to automatically detect and block phishing emails, preventing them from reaching users’ inboxes.
- Conduct regular training and awareness programs for employees to educate them about phishing techniques and social engineering tactics.
- Ensure that operating systems, applications, and software are kept up-to-date with the latest security patches to address known vulnerabilities that threat actors might exploit. For the Zyxel firewalls targeted in this campaign, apply the vendor firmware that fixes CVE-2023-28771, CVE-2023-33009 and CVE-2023-33010, and limit exposure of IKE (UDP 500/4500) and management services on WAN interfaces where they are not required.
- Implement network segmentation to isolate critical systems and sensitive data from potentially compromised areas, limiting lateral movement for attackers.
- Enforce MFA for all critical systems and accounts to add an extra layer of security, preventing unauthorized access even if credentials are compromised.
- Deploy advanced endpoint security solutions, including Endpoint Detection and Response (EDR) tools, to detect and respond to suspicious activities on endpoints.
- Implement web filtering solutions that block access to malicious websites and URLs, reducing the chances of users falling victim to phishing links.
- Develop a comprehensive incident response plan that outlines the steps to take in case of a breach. Regularly test and update the plan to ensure effectiveness.
- Conduct regular security audits and penetration tests to identify vulnerabilities and weaknesses in your infrastructure and applications.
- Evaluate the security practices of vendors and third parties that have access to your systems and data, as they can be potential attack vectors.
- Continuously monitor network traffic, user behavior, and system logs for signs of suspicious or unauthorized activities.
- Collaborate with cybersecurity organizations, governmental agencies, and industry groups to share information about emerging threats and best practices.
- Regularly back up critical data and systems, keeping backups offline and inaccessible to potential attackers. This ensures that data can be restored in case of a successful attack.