Cyber attack on Danish energy infrastructure: lessons learned

Reading time: 4 minutes - Difficulty: advanced

It is May 27, 2023 when the suspected hacker group, known as Sandworm, conducted the cyber attack on the Danish energy infrastructure by exploiting a zero-day vulnerability. An event, that of the cyber attack in Denmark, which attracted worldwide attention, and whose first effects we are now seeing in terms of the measures that, over time, have been implemented by the companies involved to protect themselves from future attacks.

How the cyber attack in Denmark happened

The Sandworm hacker group, believed to be affiliated with Russian military intelligence, and believed to be responsible for the cyber attack in Denmark, targeted 22 of the companies that oversee various components of the energy infrastructure, aiming to cause various types of damage to the critical infrastructure in question.

In fact, it began with a DDoS (Distributed Denial of Service) attack, which rendered the networks of the targeted companies inaccessible, the perpetrators exploited a zero-day vulnerability in the Zyxel firewall, thereby gaining access to the systems, and taking control of them through the creep of malware.


Read the article:


The damage attributable to the attack in Denmark, in addition to the theft of sensitive data, was related to the operation of the plants themselves, and in particular:

  • Closure of two coal-fired power plants
  • Reduction of energy production
  • Lack of energy in some areas of the country

All of this has cost the victim country about 1 billion euros and has exposed a growing need to strengthen the cybersecurity of critical European infrastructures.


However, the issue is not so simple, and if the question is whether this attack could have been nipped in the bud, let us take a closer look at the causes and possible solutions to mitigate recurrence.

First, let us clarify what a zero-day vulnerability is.

When we talk about a zero-day vulnerability, we are talking about something unknown to the software vendor, for which there is no patch or update that can avert the threat.

The skilled hacker has the means and organization to uncover and exploit vulnerabilities of this kind, leaving the system owner helpless in the face of data loss and system sabotage.

However, there are ways to reduce the risk associated with zero-day vulnerabilities, such as using strong and unique passwords, constantly updating applications, and being willing to learn about developments in cybersecurity.


How Danish companies have responded

The fact undoubtedly exposed the priority of limiting the vulnerability of critical infrastructure in general.

Protecting against future attacks means, for example, working to grade systems with the latest patches and security updates, implementing software to detect and block possible incoming attacks, and, finally, investing in adequate cybersecurity training for staff so that they are aware of the threats, but more importantly, of the mitigation measures available to them.


Some of the measures taken by Danish companies are, for example:

  • Energinet, Denmark’s national electricity and natural gas transmission system operator, has announced that it will upgrade all of its systems by the end of 2024
  • The giant TDC Group has introduced new security software that detects and blocks cyber attacks
  • Public transport company DSB has trained its staff, with a focus on zero-day vulnerabilities


These measures are certainly helping to improve the cybersecurity of critical infrastructures, for which the Danish situation, though emblematic, is only one example, but concern toward national security is an issue for all European countries.


And so, in terms of critical infrastructure protection, where do we stand?

The application of European standards, with the NIS Directive now among the main references, is helping to improve the security of critical infrastructures, while not forgetting that prevention from cyber attacks is an investment that requires commitment and continuity from companies.

The NIS (Network and Information Security) Directive requires member states to identify and designate critical infrastructures, as well as require those infrastructures to take appropriate security measures, including upgrading systems, patching, using detection software, and training staff, as indeed Danish companies have also implemented.


As of October 18, 2024, the NIS Directive will be replaced by its most updated version, NIS 2 Directive, which expands the categories of sectors considered critical, and thus obligates to adopt well-defined cybersecurity measures.


Read the article:


As mentioned, and it will become even more clearer after reading this, prevention from cybersecurity damage always starts with awareness of the actual risk to which a system is exposed.

A good starting point for achieving this awareness is to conduct a GAP Analysis, which is an audit activity that reveals the differences between the level of cybersecurity present and the optimal level of security a system should achieve, based on the mitigation measures suggested by the standards.


What we can do to secure your infrastructures

Staying within the scope of NIS 2, for example – although the method can be extended to other frameworks –, our mission is to guide you in assessing how well an infrastructure meets the standards, namely:

  • The purpose is to analyze the status of the measures required by NIS 2 Directive, the level of maturity and coverage, with reference to the cyber perimeter to be protected
  • What we do is evaluate the obligations under NIS 2 and how you respond to them
  • End result will be your awareness of the GAPs in NIS 2, for which we will help you estimate and plan adaptive measures so as to reduce the impact of possible cyber attacks


By taking action on both the governance system and the technical aspect, you will have a clear view of what criteria are used for analyzing cybersecurity risks, what training programs are best suited to the needs of your staff, and what technology solutions to choose depending on the applications and vendors used.


To act immediately, and protect your infrastructure from cyber attacks, request a consultation.


Any questions or comments?


Share us your feedback

Do you want to help our page grow? Follow us on Linkedin


Go back to the blog
Send this to a friend