Some of the world’s most sophisticated hackers have had an IT backdoor in the central bank of Denmark - Danmarks Nationalbank - for seven months. The bank cannot rule out that the suspected Russian state hackers have used the backdoor to compromise the central bank further.
This is evident from documents that Version2 has obtained through a freedom of information request from Danmarks Nationalbank. The documents confirm that the central bank, which runs Denmark’s central financial infrastructure, was hit by the global SolarWinds hacker attack back in December 2020.
No matter what the state hackers have used the access for, they have had a unique opportunity, according to external lecturer in IT-security at Copenhagen Business School, Jan Lemnitzer.
»Danmarks Nationalbank has a lot of interesting information about Denmark and Danish companies. But we also know that it is a strategic goal for the Russians to destabilize the West. The Russians have an interest in creating confusion, and that will certainly be achieved if the National Bank is incapacitated,« says Jan Lemnitzer.
Detected by coincidence
The SolarWinds backdoor in Danmarks Nationalbank was open for seven months before the attack was detected by coincidence by the American IT security company FireEye. In an internal email to the central bank that Version2 has obtained access to, the bank's supplier states that the vendor of the compromised software, SolarWinds Orion, considers it 'an impossible task to prove the absence of IOCs (Indications of Compromise)'.
A backdoor is an IT security breach that allows attackers to access systems whenever they want to. This specific backdoor was secretly installed in the otherwise trustworthy program SolarWinds Orion, which controls advanced network systems. This is also why the SolarWinds software is the perfect way to attack and compromise the servers of a company or an organization.
»If you have access to the SolarWinds software, it is generally rather easy to execute things on all the servers that the software has access to. If you have a program that you will infect the system with, SolarWinds can install it all over, with a single click from those who control SolarWinds,« explains Lucas Lundgreen, who as a white hat hacker at the company Banshie makes a living out of testing the security of companies.
The financial heart of Denmark
Every banking day, 639 billion Danish crowns (86 billion €) pass through Denmark’s financial infrastructure. All payments between Danish banks pass directly through the system ‘Kronos2,’ which is run by Danmarks Nationalbank.
Additionally, Kronos2 functions as a platform for all currency trades, retail payments and securities trades. This makes the central bank a very attractive target for the Russians, according to several IT security researchers Version2 has contacted.
»If you can stop the transactions made by Danmarks Nationalbank, as well as the programs that control them, all hell breaks loose. The Nationalbank is a very exciting goal for hackers,« says professor of IT security at IT University of Denmark, Carsten Schürmann.
Sent IT departments on overtime
However, according to Danmarks Nationalbank, there is nothing that suggests that the bank has been compromised beyond the so-called ‘Stage1’. Briefly explained, a Stage1 compromise means that a small piece of code in Danmarks Nationalbank’s IT system has informed the hackers that the back door is ready to be opened by them.
But the small piece of code was ready for more than seven months before the Danish central bank, and the 18,000 other companies and organizations that were affected by the SolarWinds attack, realized it. Because of this, it is difficult to rule out that the suspected Russian hackers have compromised the system more deeply and removed their tracks and traces afterwards.
That is exactly what this specific hacker group did when, using the same methods, it compromised the American Ministry of Defence, Microsoft and, indirectly, the American central bank, the Federal Reserve.
No comments from Danmarks Nationalbank
Danmarks Nationalbank does not wish to participate in an interview, but writes in an email to Version2:
»The SolarWinds attack also hit the financial infrastructure of Denmark. The relevant systems were contained and analyzed as soon as the compromise of SolarWinds Orion was known. Action was taken quickly and consistently in a satisfactory manner, and according to the analyses performed, there were no signs that the attack has had any real consequences.«
Version2 has obtained partial insight into the forensic work that followed after the Nationalbank became aware of the compromise.
Several worried IT security researchers and experts question Danmarks Nationalbank’s handling of the case in a follow-up story by Version2, to be published later today.
For questions and comments, please contact mlo@ing.dk, Signal +45 6169 0917
