Cyber Attacks on Critical Infrastructure - how bad is it?
The Danish SektorCERT published a widely circulated report on a cyber attack against national energy companies and infrastructure, which occurred sometime in May 2023.
SektorCERT is the cyber security center for the critical sectors in Denmark; it runs a network of 270 sensors deployed at Danish critical infrastructure organizations.
This appears to be passive network monitoring that matches traffic against known vulnerability exploits and threat actor techniques.
The approach (one might call it a "light SOC") is gaining traction in various EU member states, where a central government agency (usually the national CERT) is mandated to deploy intrusion detection capabilities at government agencies and state-owned businesses (for example, SK@UT in Croatia).
Key takeaways from the attack
In this case, 22 companies that are part of the Danish energy infrastructure were compromised, and attackers gained access to some of the companies' industrial control systems.
The main vector was a vulnerability in public-facing network devices, this time CVE-2023-28771 affecting Zyxel firewall devices, which allows unauthenticated remote attackers to execute arbitrary OS commands.
The vulnerability is well known to be exploited in the wild, with PoC code publicly available. Exploitation is typically associated with the Mirai botnet, whose operators usually compromise network devices to turn them into remotely controlled bots that are then used to launch DDoS attacks.
Although SektorCERT goes to great lengths to detail the attack, this was probably not the kind of sophisticated targeted operation we usually see from nation-state sponsored attackers. It's understandable that SektorCERT wants to stress the importance of its role, in particular the value its sensor network brings in uncovering emerging attacks.
However, such sensors detect only the crudest network attacks, perpetrated by actors who typically make little effort to remain hidden. Widely cast network-based inspection stops at Layer 3/4 of the network stack, largely missing application-layer attacks, encrypted payloads and malware delivered via drive-by downloads or phishing.
So there you have it: this was not a serious targeted attack, but it illustrates a more troubling reality.
Companies are rarely aware of all the assets on their network, which limits visibility into the overall attack surface. In this case, many operators were totally unaware of Zyxel firewalls in their infrastructure and did not know which software version was deployed. The lack of basic asset knowledge, especially as it applies to Internet-facing devices, is an ongoing issue.
Furthermore, the deployed devices often consist of poorly managed legacy on-premises equipment, which requires a very focused approach to patching.
In practice, this is often not possible, not least because vulnerabilities in internet-facing devices are now discovered only after widespread exploitation is already occurring in the wild.
That's why companies should change their approach to managing risk and be more open to specialized service providers (MSSPs) and to modern cloud-based SASE architectures, thereby reducing their overall internet-facing attack surface.
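The asset-visibility and patching gaps described above can be checked mechanically by reconciling what a passive sensor actually sees on the network against the operator's own asset register. The script below is an added example, not code from the post or from SektorCERT; the register, the sensor observations and the fixed-version mapping are all constructed placeholders (the real fixed versions must come from the vendor advisory).

```python
import csv
import io
import re

# Constructed sample data (not from the SektorCERT report): the operator's
# asset register, and device observations produced by a passive network sensor.
ASSET_REGISTER_CSV = """ip,vendor,product,version,owner
203.0.113.10,Zyxel,USG FLEX,V5.36,network-team
203.0.113.11,Zyxel,USG FLEX,,network-team
203.0.113.20,OtherVendor,Edge Router,2.1,network-team
"""

SENSOR_OBSERVATIONS_CSV = """ip,vendor,product,version
203.0.113.10,Zyxel,USG FLEX,V5.36
203.0.113.11,Zyxel,USG FLEX,V5.30
203.0.113.12,Zyxel,ATP,V5.21
203.0.113.20,OtherVendor,Edge Router,2.1
"""

# Hypothetical placeholder: first firmware version that fixes the issue, per
# product. Fill this from the vendor advisory; the values here are NOT authoritative.
MIN_FIXED_VERSION = {
    ("Zyxel", "USG FLEX"): "V5.36",
    ("Zyxel", "ATP"): "V5.36",
}

def version_key(version):
    """Turn 'V5.35' or 'V4.73 Patch 1' into a tuple of ints that sorts correctly."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def load(csv_text):
    """Index CSV rows by IP address."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}

def reconcile(register_csv, observations_csv, min_fixed=MIN_FIXED_VERSION):
    """Report devices the sensor saw but the register lacks, registered devices
    with no recorded version, and devices observed running firmware below the fix."""
    register = load(register_csv)
    observed = load(observations_csv)
    findings = {"unregistered": [], "unknown_version": [], "below_fixed": []}
    for ip, obs in observed.items():
        if ip not in register:
            findings["unregistered"].append(ip)
        elif not register[ip]["version"]:
            findings["unknown_version"].append(ip)
        # Compare the sensor-observed version: that is what actually runs on the box.
        fixed = min_fixed.get((obs["vendor"], obs["product"]))
        if fixed and obs["version"] and version_key(obs["version"]) < version_key(fixed):
            findings["below_fixed"].append(ip)
    return findings

if __name__ == "__main__":
    for kind, ips in reconcile(ASSET_REGISTER_CSV, SENSOR_OBSERVATIONS_CSV).items():
        print(f"{kind}: {ips}")
```

In the constructed data, one firewall is entirely absent from the register and another is registered without a version, which is exactly the situation the report describes.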