Danish Cybersecurity Organization Details Cyberattacks Targeting Critical Infrastructure
In May of this year, more than 20 critical infrastructure organizations in Denmark were targeted with cyberattacks. A report published by SektorCERT, the Danish cybersecurity organization for the critical infrastructure sectors, details the attacks, which were carried out through known vulnerabilities in Zyxel firewalls.
Note the use of two Zyxel firewall vulnerabilities in these attacks. Before you move on to the next comment/story: Add a recurring monthly reminder to your calendar to check if your firewall/perimeter device firmware is up to date. It is notoriously difficult to be notified of available updates for these devices (not just Zyxel), and it usually requires some manual care. Of course: If you do not want to be the script, write one to monitor for updates.
The SektorCERT report shows that security was not considered to be a critical part of Denmark's critical infrastructure. Lack of knowledge that Zyxel was even in use or that firewall software needed regular updates, and ignoring repeated warnings in the window between patch availability and the attacks, all indicate a systemic problem. Good case study for all nations to proactively fix similar problems, and a good "essential security hygiene" checklist to use with all critical service providers to your own organization.
Several lessons here. First, know what you have; get a good inventory, particularly of your boundary control devices. Second, don't assume devices are up to date, even if new: assume firmware updates were released after the unit was produced, and always include updates as part of the provisioning process. Third, paying for the needed contract (software, hardware, or labor) so updates can be installed is cheaper than the breach recovery. Fourth, make sure you're monitoring for and responding to incidents 24x7; don't assume you have to do all that yourself in-house, as there are external resources and services you can leverage.
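The two comments above (the "write a script to monitor for updates" advice and the "know what you have" inventory lesson) come together in the kind of check a monthly calendar reminder should trigger. The script below is an added example, not part of the newsletter or the SektorCERT report: it compares a perimeter-device inventory against a hand-maintained table of the newest firmware you have confirmed from vendor release notes, and flags devices that are behind as well as devices with no reference entry at all, which is exactly the "we did not know it was there" gap the report describes. The inventory, model names and version strings are constructed placeholders, not real Zyxel releases, and the version-comparison rule is an assumption that has to be checked against each vendor's numbering scheme.

```python
"""Monthly firmware-currency check for perimeter devices.

Added example for the newsletter comments above; not code from the
SektorCERT report. Both tables are constructed sample data: the model
names and version strings are placeholders, not real Zyxel releases.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    model: str
    firmware: str


# Constructed inventory: what is actually deployed at the perimeter.
INVENTORY = [
    Device("fw-substation-01", "zyxel", "usg-flex-example", "V5.35(ABCD.1)"),
    Device("fw-substation-02", "zyxel", "usg-flex-example", "V5.37(ABCD.0)"),
    Device("fw-office-01", "othervendor", "edge-example", "2.4.1"),
    Device("fw-legacy-09", "zyxel", "unknown-model", "V4.60(EFGH.3)"),
]

# Constructed reference table: newest firmware confirmed from the vendor's
# release notes, keyed by (vendor, model). Maintained by hand or by whatever
# notification channel the vendor offers; the point is that it exists.
LATEST_KNOWN = {
    ("zyxel", "usg-flex-example"): "V5.37(ABCD.0)",
    ("othervendor", "edge-example"): "2.5.0",
}


def version_key(version: str) -> tuple:
    """Turn a firmware string into a tuple of integers for comparison.

    Assumption: every numeric field is significant and appears in
    decreasing order of importance, so "V5.37(ABCD.2)" -> (5, 37, 2) and
    "2.5.0" -> (2, 5, 0). Letters are ignored. Integer tuples also avoid
    the classic string-compare mistake where "1.9" sorts after "1.10".
    Verify this rule against your own vendor's scheme before relying on it.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def check_inventory(inventory, latest_known):
    """Classify each device as current, outdated or unknown.

    'unknown' is the inventory gap: a device you cannot even assess because
    no reference version exists for its (vendor, model).
    """
    result = {"current": [], "outdated": [], "unknown": []}
    for dev in inventory:
        ref = latest_known.get((dev.vendor, dev.model))
        if ref is None:
            result["unknown"].append(dev.hostname)
        elif version_key(dev.firmware) < version_key(ref):
            result["outdated"].append((dev.hostname, dev.firmware, ref))
        else:
            result["current"].append(dev.hostname)
    return result


def report(result) -> str:
    """Human-readable summary, worst findings first."""
    lines = []
    for host, have, want in result["outdated"]:
        lines.append(f"OUTDATED {host}: running {have}, latest known {want}")
    for host in result["unknown"]:
        lines.append(f"UNKNOWN  {host}: no reference version, inventory gap")
    for host in result["current"]:
        lines.append(f"OK       {host}")
    return "\n".join(lines)


if __name__ == "__main__":
    res = check_inventory(INVENTORY, LATEST_KNOWN)
    print(report(res))
    # Non-zero exit so a scheduler or cron job can alert on findings.
    raise SystemExit(1 if res["outdated"] or res["unknown"] else 0)
```

Run it from the monthly reminder (or a scheduler, using the exit code to alert). Against the constructed data it reports fw-substation-01 and fw-office-01 as outdated and fw-legacy-09 as unknown; the unknown bucket is the one to watch, because a device you cannot assess is the one whose patches nobody is tracking.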
A lot to unpack in this report. First, it appears to have been a series of targeted attacks, which often speaks to nation-state involvement. Second, vulnerabilities that were not patched, which highlights an ineffective patch management process. Third, misunderstanding of the service-level agreement between vendor and operators when it comes to maintenance of the Zyxel firewalls. Fourth, and unfortunately all too common, organizations not having complete knowledge of devices operating on their network. The lesson learned is that every organization has to have a relentless focus on cybersecurity basics, what we call essential cyber hygiene.
Read more in
rackcdn: The attack against Danish critical infrastructure (PDF)
Gov Infosecurity: Denmark Hit With Largest Cyberattack on Record