Danish energy sector attacks (SektorCERT)
In May 2023, coordinated waves of attacks exploited Zyxel firewall vulnerabilities to breach 22 Danish energy companies, forcing some operators into island mode in what SektorCERT called Denmark's largest critical-infrastructure cyber incident to date.
- Victim: Danish energy sector (22 companies)
In May 2023, 22 companies in Denmark's energy sector were breached in coordinated waves of attacks that exploited vulnerabilities in Zyxel firewalls guarding their networks. Documented in a landmark November 2023 report by SektorCERT (the Danish critical-infrastructure sector's non-profit cybersecurity center), the campaign was described as the largest cyberattack on Danish critical infrastructure to date.
The first wave
On 11 May 2023, attackers targeted 16 Danish energy organizations, exploiting CVE-2023-28771 (CVSS 9.8), a critical OS-command-injection flaw in Zyxel's ATP, USG FLEX, VPN and ZyWALL/USG firewalls. The vulnerability let unauthenticated attackers execute commands directly on the perimeter firewall. Eleven of the 16 organizations were compromised, with the attackers reading device configurations and usernames. SektorCERT's sector-wide sensor network detected the activity quickly, and all affected networks were secured by the end of the day.
The second wave
Beginning 22 May 2023, a second, more sophisticated wave deployed new tooling and exploited two Zyxel zero-days, CVE-2023-33009 and CVE-2023-33010, which were not patched until 24 May. According to SektorCERT, the attackers in this phase reached the industrial control systems of multiple companies. To protect operations, some operators deliberately disconnected from the wider grid and ran in island mode, generating and distributing power locally without external network connectivity.
Attribution debate
SektorCERT's report raised the possibility of state involvement, noting overlaps with infrastructure associated with Sandworm, the Russian GRU unit behind prior attacks on Ukraine's grid. However, a January 2024 analysis by Forescout challenged that conclusion, arguing the Danish activity was most likely part of broader, opportunistic exploitation of internet-exposed Zyxel devices worldwide rather than a single coordinated Sandworm campaign. The attribution remains contested.
Why it matters
The SektorCERT case is a defining study in critical-infrastructure perimeter risk. The very firewalls deployed to protect energy operators became the attack surface, and a single widely deployed product line exposed dozens of utilities at once. It also demonstrated the value of sector-wide collective defense: SektorCERT's shared sensor network gave Denmark unusual visibility, enabling rapid detection and coordinated containment that limited physical impact. The episode accelerated European scrutiny of edge-device security and the patching discipline required for the firewalls and VPNs guarding essential services.
Timeline
- 11 May 2023: First wave. Attackers exploit Zyxel firewall flaw CVE-2023-28771 against 16 Danish energy organizations, compromising 11; all networks are secured by day's end.
- 22 May 2023: Second wave begins, deploying new tooling and exploiting Zyxel zero-days CVE-2023-33009 and CVE-2023-33010.
- 24 May 2023: Zyxel patches the two zero-day vulnerabilities used in the second wave.
- Following the second wave: Continued exploitation activity is observed as some operators move into island mode to protect operations.
- November 2023: SektorCERT publishes its report calling the campaign Denmark's largest critical-infrastructure cyberattack to date.
- January 2024: Forescout's analysis challenges attribution, finding the activity was likely part of broader opportunistic Zyxel exploitation rather than a single Sandworm operation.
Sources
- securityweek.com: https://www.securityweek.com/22-energy-firms-hacked-in-largest-coordinated-attack-on-denmarks-critical-infrastructure/
- forescout.com: https://www.forescout.com/blog/analysis-of-energy-sector-cyberattacks-in-denmark-and-ukraine/
- cyberscoop.com: https://cyberscoop.com/sandworm-sektorcert-critical-infrastructure-zyxel/
- thehackernews.com: https://thehackernews.com/2024/01/new-findings-challenge-attribution-in.html
- conscia.com: https://conscia.com/blog/deep-dive-into-the-may-2023-cyber-attack-on-danish-energy-infrastructure/