Central bank of Denmark hacked as part of 'the world’s most sophisticated hacker attack'

29. juni 2021 kl. 12:243
Central bank of Denmark hacked as part of 'the world’s most sophisticated hacker attack'
Illustration: Danmarks Nationalbank.
State hackers have had the opportunity to compromise parts of Danmarks Nationalbanks IT setup with a calculated international setup.
Artiklen er ældre end 30 dage
Manglende links i teksten kan sandsynligvis findes i bunden af artiklen.

Some of the world’s most sophisticated hackers have had an IT backdoor in the central bank of Denmark - Danmarks Nationalbank - for seven months. The bank cannot exclude that the suspected Russian state hackers have used the backdoor to compromise the central bank further.

This is evident from documents that Version2 has obtained through a freedom of information request from Danmarks Nationalbank. The documents confirm that the central bank, which runs Denmark’s central financial infrastructure, was hit by the global Solarwinds hacker attack back in December 2020.

No matter what the state hackers have used the access for, they have had a unique opportunity, according to external lecturer in IT-security at Copenhagen Business School, Jan Lemnitzer.

»Danmarks Nationalbank has a lot of interesting information about Denmark and Danish companies. But we also know that it is a strategic goal for the Russians to destabilize the West. The Russians have an interest in creating confusion, and that will certainly be achieved if the National Bank is incapacitated« says Jan Lemnitzer.

Detected by coincidence

The Solarwinds backdoor in Danmarks Nationalbank was open for seven months, before the attack was detected by coincidence by the American IT-security company Fire Eye. In an internal email that Version2 has obtained access to, sent to the central bank, it is stated by its supplier, that the vendor of the compromised software, Solarwinds Orion, considers it 'an impossible task to prove the absence of IOC’s (Indications Of Compromise).

Artiklen fortsætter efter annoncen

A backdoor is an IT-security breach, which allows attackers to access systems whenever they want to, and this specific backdoor was secretly installed in the otherwise trustworthy program, Solarwinds Orion, which controls advanced network systems. This is also why the Solarwinds-software is the perfect way to attack and compromise the servers of a company or an organization.

»If you have access to the Solarwinds software, it is generally rather easy to execute things on all the servers that the software has access to. If you have a program that you will infect the system with, Solarwinds can install it all over, with a single click from those who control Solarwinds”, explains Lucas Lundgreen, who as a white hat hacker at the company Banshie makes a living out of testing the security of companies.

The financial heart of Denmark

Every banking day, 639 billion Danish crowns (86 billion €) pass through Denmark’s financial infrastructure. All payments between Danish banks pass directly through the system ‘Kronos2,’ which is run by Danmarks Nationalbank.

Additionally, Kronos2 functions as a platform for all currency trades, retail payments and security trades. This makes the central bank a very attractive goal for the Russians, according to several IT-security researchers Version2 has contacted.

Artiklen fortsætter efter annoncen

»If you can stop the transactions made by Danmarks Nationalbank, as well as the programs that control them, all hell breaks loose. The Nationalbank is a very exciting goal for hackers,« says professor of IT security at IT University of Denmark, Carsten Schürmann.

Sent IT departments on overtime

However, according to Danmarks Nationalbank, there is nothing that suggests that the bank has been compromised beyond the so-called ‘Stage1’. Briefly explained, a Stage1 compromise means that a small piece of code in Danmarks Nationalbank’s IT system has informed the hackers that the back door is ready to be opened by them.

But the small piece of code was ready for more than seven months before the Danish central bank, and 18.000 other companies and organizations that was affected by the Solarwinds attack, realized. Because of this it is difficult to exclude that the suspected Russian hackers have not compromised the system more deeply and removed their tracks and traces afterwards.

Which is exactly what this specific hacker group did when they compromised the American Ministry of Defence, Microsoft and indirectly also the American National Bank, the Federal Reserve, using the same methods.

No comments from Danmarks Nationalbank

Danmarks Nationalbank does not wish to participate in an interview, but writes in an email to Version2:

»The Solarwinds attack also hit the financial infrastructure of Denmark. The relevant systems were contained and analyzed as soon as the compromise of Solarwinds Orion was known. Action was taken quickly and consistently in a satisfactory manner, and according to the analyzes performed, there were no signs that the attack has had any real consequences.«

Version2 has obtained partial insight in the forensics work that followed after the Nationalbank became aware of the compromisation.

Several worried IT security researchers and experts question the Danmarks Nationalbank’s handling of the case, in a following story by Version2, to be published later today.

For questions and comments, please contact mlo@ing.dk, Signal +45 6169 0917

3 kommentarer.  Hop til debatten
Denne artikel er gratis...

...men det er dyrt at lave god journalistik. Derfor beder vi dig overveje at tegne abonnement på Version2.

Digitaliseringen buldrer derudaf, og it-folkene tegner fremtidens Danmark. Derfor er det vigtigere end nogensinde med et kvalificeret bud på, hvordan it bedst kan være med til at udvikle det danske samfund og erhvervsliv.

Og der har aldrig været mere akut brug for en kritisk vagthund, der råber op, når der tages forkerte it-beslutninger.

Den rolle har Version2 indtaget siden 2006 - og det bliver vi ved med.

Log ind eller opret en bruger for at deltage i debatten.
30. juni 2021 kl. 07:28

Let servers have internet Access after………. I see no way that the bank can fulfill its purpose (including enabling transactions between danish banks) if they shut down their internet access…. If they did that, any hacker who wished to compromise the infrastructure would have achieved that goal very effectively. Hence it would probably be considered a gross over-reaction in this case (stage one). That being said, it’s people with a lot of guts who have to make the decision of not shutting down most of the danish banking infrastructure after a thing like solar winds goes public. It can’t be easy :)

29. juni 2021 kl. 23:40

One could almost belive that the Central Bank of Denmark have ceasted to existe based on the first paragraph.

The SolarWinds hack has been know for months, and it's kind of intereting to know why the Bank let servers have internetaccess after the hack was know - maybe the employees should have a refresh course in security ?

29. juni 2021 kl. 13:50

Hvor er dokumentationen for at angrebet er fra Rusland? Opfindelsen af Rusland som påstået angriber i Solarwind angrebet virker blot som endnu en omgang propaganda der virker til at have en tendens til at ramme de lande som har politiske ledere der ikke er tilhængere af politisk globalisering. Hvorfor mon der er det mønster? Trækker magtfulde globalister i trådene?