Danish SektorCERT, a non-profit organization which serves as a “Critical Sectors Cybersecurity Center”, has recently published an extensive report on cyber attacks on state-critical infrastructure operators.
The report presents a six-week timeline and an analysis of multiple attack waves. I would like to share a few general insights, from my personal experience and from Radiflow's, on this relatively rare learning opportunity presented to the OT cybersecurity community by Danish SektorCERT.
The defense posture of CNI operators:
- The report states that many operators were totally unaware of Zyxel firewalls in their infrastructure (as they rely on 3rd-party service providers), and did not know which software version was deployed. The lack of basic asset knowledge, especially for Internet-facing devices, severely limits a CNI operator's ability to mitigate potential threats and to detect attacks in its infrastructure.
- On that matter, it's essential not just to know each internet-facing device's model and software version, but also to ensure it is hardened – that patches are installed (especially those that close vulnerabilities allowing remote code execution), that the ruleset is managed and tight, that firewall admins use MFA, that all activity is logged, etc.
- Regarding the handling of “System vulnerabilities”, as the report calls them: it's evident that many breaches occur when customers neglect to apply critical patches to firewalls, gateways and VPN devices (CISA's KEV Catalog contains multiple entries for many leading vendors). As SektorCERT mentions, it had warned its members about critical Zyxel vulnerabilities, but operators did not act on the warning.
- SektorCERT provided quite a few recommendations in the report – some pretty obvious, like network segmentation, but others that are often less emphasized, like drafting containment and contingency plans that account for operating under cyber attack conditions and with a certain degradation of capabilities, whether IT, cyber or operational.
- I believe it is imperative that some regulatory measures should be applied to enforce the implementation of a cyber risk management program (as well as convert NIS2-D into country-specific legislation) which includes asset inventory management, vulnerability analysis, etc.
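The three operational gaps above (unknown devices, unknown firmware, and no hardening baseline) can be turned into a repeatable check once an inventory exists. The script below is an added illustration, not code from the SektorCERT report or from Radiflow: it cross-references an inventory of internet-facing devices against a small known-exploited-vulnerability list and a hardening checklist, and flags devices whose firmware version is simply unknown. Every device record, firmware version and vulnerability identifier in it is a constructed placeholder, not a real Zyxel release or CVE.

```python
"""Perimeter-device inventory and exposure check.

Added illustration, not code from SektorCERT's report or from Radiflow: it
cross-references an inventory of internet-facing devices against a small
known-exploited-vulnerability list and a hardening checklist. Every device
record, firmware version and vulnerability identifier below is a constructed
placeholder, not a real Zyxel release or CVE.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    firmware: Optional[str]       # None = nobody knows what is running (itself a finding)
    managed_by: str               # "internal" or the name of a 3rd-party service provider
    mfa_for_admins: bool
    remote_logging: bool          # admin/config activity shipped to a log collector
    mgmt_exposed_to_internet: bool


# Constructed KEV-style list: (vendor, model prefix, first fixed version, id).
KNOWN_EXPLOITED: List[Tuple[str, str, Tuple[int, ...], str]] = [
    ("Zyxel", "USG", (2, 1, 0), "VULN-PLACEHOLDER-1"),
    ("Zyxel", "ATP", (2, 1, 0), "VULN-PLACEHOLDER-2"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.0.5' into (2, 0, 5) so versions compare as tuples, not strings."""
    return tuple(int(part) for part in version.split("."))


def assess(device: Device) -> List[str]:
    """Return the list of findings for one device (empty list = nothing to do)."""
    findings: List[str] = []

    if device.firmware is None:
        findings.append("firmware version unknown: exposure cannot be assessed")
    else:
        running = parse_version(device.firmware)
        for vendor, model_prefix, fixed_in, vuln_id in KNOWN_EXPLOITED:
            if (device.vendor == vendor
                    and device.model.startswith(model_prefix)
                    and running < fixed_in):
                fixed = ".".join(str(p) for p in fixed_in)
                findings.append(f"{vuln_id}: running {device.firmware}, fixed in {fixed}")

    if device.managed_by != "internal":
        findings.append(f"operated by {device.managed_by}: confirm who owns patching and log access")
    if not device.mfa_for_admins:
        findings.append("firewall admin accounts without MFA")
    if not device.remote_logging:
        findings.append("admin/config activity not logged off-box")
    if device.mgmt_exposed_to_internet:
        findings.append("management interface reachable from the internet")
    return findings


def report(inventory: List[Device]) -> Dict[str, List[str]]:
    return {device.name: assess(device) for device in inventory}


def devices_needing_action(inventory: List[Device]) -> List[str]:
    return [name for name, findings in report(inventory).items() if findings]


# Constructed sample inventory.
INVENTORY = [
    Device("edge-fw-01", "Zyxel", "USG-series", "2.0.5", "ServiceProviderA", False, False, True),
    Device("edge-fw-02", "Zyxel", "ATP-series", "2.1.0", "internal", True, True, False),
    Device("edge-fw-03", "Zyxel", "USG-series", None, "ServiceProviderB", False, True, False),
]

if __name__ == "__main__":
    for name, findings in report(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Versions are compared as integer tuples rather than strings so that "2.10.0" sorts after "2.9.0"; a device with no recorded firmware is reported as a finding in its own right, since an unknown version is exactly the situation the report describes and cannot be matched against any advisory.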
Offensive TTPs:
- The report mentioned that the first attack wave was very precise and mostly successful. In my opinion, the working assumption for OT cyber defense teams at a CNI should be that APT groups, and especially nation-state sponsored threat actors, know in advance and constantly maintain the initial access map to critical infrastructure operators.
- Cyber-physical effects, information warfare based on data leakage and other means of cyber warfare are all integral parts of geopolitical conflicts nowadays. Therefore, it would be naïve to think that some countries or infrastructure sectors (energy, transportation, digital service providers, etc.) wouldn't be targeted by hacktivists, state actors, or cybercrime groups.
- Research into 0-day vulnerabilities and development of exploits for them make up a significant part of APT groups' efforts. Their focus on firewalls and other network access devices and software is widely known.
- The fact that CNI operators' infrastructure has become part of a botnet (either a DDoS-for-hire service or a state-sponsored cyber weapon), or was breached by the infamous Sandworm group for further disruption activities, should not come as a surprise to anyone in the OT cyber defense community.
SektorCERT preparedness:
- As stated in the report, the sensor network deployed by SektorCERT played a crucial part in detecting the attacks. It seems to me that it would be pretty complicated to deploy such sensors without some government initiative, but in decentralized industrial fields, as Denmark's energy sector is, it's imperative. In Israel, for example, this sector is not as decentralized as in Denmark; still, the Israeli Ministry of Energy has set up a sector cyber-defense center, adjacent to the National CERT. This center monitors all of the nation's energy systems, both public and private, and feeds into the national CERT.
- The inability to maintain 24/7 shifts in a country's energy sector CERT should be a “red flag” for other CERTs. Cyber threat groups are not going to adjust themselves to the working hours and time zones of their potential targets. On the contrary, they will choose the most appropriate time to strike. In many cases, it takes only a few hours to establish a foothold in internal networks, far beyond perimeter firewalls. In the Danish case, CERT analysts understood the attacks' severity and continued to work 24/7.
- Cross-organizational and international cooperation are critical for successful response and mitigation, and the fact that the firewall was left untouched and only disconnected from the internal network, so that the malware could be captured for further analysis, demonstrates the use of a correct incident response methodology.
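To make the sensor-network and 24/7 points concrete, here is an added example of the kind of rule a sector-level sensor could run on flow records captured at a member's internet edge. It is not SektorCERT's sensor logic and not Radiflow's product code; the record format, every address, the allow-list and the timestamps are constructed for this illustration. Two rules are shown: an external host reaching a management port on the perimeter firewall, and the firewall itself opening connections to an external host it has no business talking to (the behaviour of a perimeter device recruited into a botnet). A small helper reports how many hours passed between the two, which is the number that argues for staffing the CERT around the clock.

```python
"""Two sensor-side detections over constructed perimeter flow records.

Added illustration, not SektorCERT's sensor logic or Radiflow's product code.
It shows the kind of rule a sector-level sensor network can run on flow records
taken at a member's internet edge. The record format, all addresses and the
allow-list are constructed for this example.
"""
import ipaddress
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional


class Flow(NamedTuple):
    ts: datetime
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


# Constructed topology: the member's perimeter firewall, its internal range and
# the one external host it legitimately talks to on its own (e.g. an update server).
FIREWALL_IP = ipaddress.ip_address("203.0.113.10")
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")
ALLOWED_OUTBOUND = {ipaddress.ip_address("203.0.113.200")}
MGMT_PORTS = {22, 443, 8443}


def parse_flow(line: str) -> Flow:
    """Parse one 'ISO-timestamp src dst dport proto' record (constructed format)."""
    ts, src, dst, dport, proto = line.split()
    return Flow(datetime.fromisoformat(ts), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(dport), proto)


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    # Explicit membership test: ipaddress's is_private would also match the
    # documentation ranges used for the constructed addresses here.
    return addr == FIREWALL_IP or addr in INTERNAL_NET


def detect(flows: List[Flow]) -> List[Dict[str, object]]:
    alerts: List[Dict[str, object]] = []
    for f in flows:
        # Rule 1: an external host reaching a management port on the firewall itself.
        if f.dst == FIREWALL_IP and f.dport in MGMT_PORTS and not is_internal(f.src):
            alerts.append({"ts": f.ts, "rule": "external-to-mgmt", "peer": str(f.src)})
        # Rule 2: the firewall itself opening a connection to an external host that is
        # not on its allow-list, which is how a recruited perimeter device behaves.
        if f.src == FIREWALL_IP and not is_internal(f.dst) and f.dst not in ALLOWED_OUTBOUND:
            alerts.append({"ts": f.ts, "rule": "firewall-unexpected-outbound", "peer": str(f.dst)})
    return alerts


def hours_to_first_outbound(alerts: List[Dict[str, object]]) -> Optional[float]:
    """Hours between the first management contact and the first unexpected outbound
    connection; None if either never happened. A small number here is the argument
    for staffing the CERT around the clock rather than office hours only."""
    first_in = next((a["ts"] for a in alerts if a["rule"] == "external-to-mgmt"), None)
    first_out = next((a["ts"] for a in alerts if a["rule"] == "firewall-unexpected-outbound"), None)
    if first_in is None or first_out is None:
        return None
    return (first_out - first_in).total_seconds() / 3600


# Constructed flow records; timestamps are illustrative, not the report's timeline.
SAMPLE_LOG = """\
2024-01-06T02:14:07 198.51.100.77 203.0.113.10 443 tcp
2024-01-06T02:15:30 192.168.10.5 203.0.113.200 443 tcp
2024-01-06T02:16:02 203.0.113.10 203.0.113.200 443 tcp
2024-01-06T04:41:55 203.0.113.10 198.51.100.77 8080 tcp
2024-01-06T09:03:11 192.168.20.14 203.0.113.10 443 tcp
"""

SAMPLE_FLOWS = [parse_flow(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
SAMPLE_ALERTS = detect(SAMPLE_FLOWS)

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a["ts"].isoformat(), a["rule"], a["peer"])
    print("hours from first mgmt contact to first unexpected outbound:",
          hours_to_first_outbound(SAMPLE_ALERTS))
```

On the constructed records the first alert fires at 02:14 and the second at 04:41, both well outside office hours; a CERT that only reads alerts the next morning sees both at once, after the device has already been talking to an unexpected host for several hours. Note also that the internal host's 09:03 connection to the firewall's management port produces no alert, since management access from inside the network is expected here; whether that assumption holds is a per-operator decision.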