In May 2023 [1] [3] [4] [5] [6] [7] [8] [9] [10], Denmark experienced its largest-ever cyberattack on its critical energy infrastructure [2]. This attack, orchestrated by Russia’s GRU military intelligence agency [5] [7], targeted the networks of 22 companies in the Danish energy sector [8]. The attackers exploited vulnerabilities in Zyxel firewalls [2] [3] [8] [9], compromising 11 companies and potentially third-party vendors as well. This incident highlights the ongoing threat posed by Sandworm [3], a group known for disruptive cyber assaults on industrial control systems [3].


The attack occurred in two waves [8], with the first wave starting on May 11 and the second wave on May 22 [8]. SektorCERT [1] [2] [4] [6] [7] [8] [9], Denmark’s Computer Security Incident Response Team [8], discovered the attacks on May 22 [8]. The attackers utilized a critical command injection flaw in Zyxel firewalls to infiltrate the companies [5], exploiting two critical zero-day vulnerabilities and compromising the firewalls. This allowed them to create botnets and deploy sophisticated malware and ransomware.

Evidence suggests that the attacks were orchestrated by Russia’s GRU military intelligence agency [5], based on artifacts communicating with traced IP addresses [7]. Sandworm [1] [2] [3] [4] [5] [6] [7] [9], a group believed to operate under the Russian intelligence agency GRU [1] [4] [6], has previously targeted power systems in Ukraine and has been associated with recent attacks on critical infrastructure in Ukraine [4] [6]. This is the first time that nation-state groups have targeted Danish critical infrastructure in the three years of SektorCERT’s existence [1] [6].

Despite warnings [9], many organizations underestimated the risk [9]. However, SektorCERT formed an incident response team and took swift action to manage the situation [9]. Their efforts highlighted the importance of regular software updates and vulnerability management [9]. Unfortunately, a second wave of attacks occurred [5] [9], indicating that the attackers had access to previously unknown vulnerabilities [9]. This incident emphasized the need for collective cybersecurity measures in Denmark’s decentralized energy system [9].

SektorCERT’s cross-company monitoring [9], along with its effective collaboration with its members, suppliers [9], and law enforcement [9], was instrumental in detecting and responding to the attacks [9]. Their collaboration minimized the impact of the attacks [9]. In addition to the initial breach through the Zyxel firewalls, a second wave of attacks occurred later [5] [9], possibly involving a different group [5]. The compromised devices were used to launch distributed denial-of-service (DDoS) attacks against unidentified companies in the US and Hong Kong [3], prompting them to disconnect from the internet.


This cyberattack on Denmark’s critical energy infrastructure has significant implications. It highlights the ongoing threat posed by Sandworm and the need for enhanced cybersecurity measures. The incident emphasizes the importance of addressing systemic vulnerabilities and implementing collective cybersecurity measures to protect against persistent foreign cyber threats.