Date: 30/01/2024
Where:
Sweden/Scandinavia
Finland/Broader Nordic region
Who’s involved:
Swedish government, critical infrastructure, Central Bank, and various private entities
Finnish software company, Tietoevry Oyj
Akira (Conti) Ransomware Group, other Russian threat actors
What happened:
From 19-23 January, Swedish government agencies and businesses were disrupted by a ransomware attack believed to have been carried out by Russian hackers.
The ransomware attack allegedly originated within servers owned by Tietoevry Oyj, a Finnish software company that conducts significant business in Sweden through their cloud services. Tietoevry Oyj has since attributed the incident to the Akira Ransomware group.
Security researchers have established that the Akira Ransomware group has significant ties to the now-dissolved Conti Ransomware group, a Russian threat actor that targeted major business and government service sectors for profit.
This attack affected 120 government agencies and more than 60,000 employees, causing significant disruption to services like online purchases at the country’s biggest cinema chain and some department stores and shops.
Among the services impacted was Sweden's central bank, the Riksbank. In a statement published on 26 January, the bank stated that, "A restricted number of customer situations will require additional restoration actions that are being planned in close dialogue with those customers."
On 26 January, Swedish Minister of Civil Defense Carl-Oskar Bohlin held a press conference about the incident, stating that the full scope of the event was still not known and that several systems remained down.
So far, the Swedish government hasn’t confirmed attribution to any specific entity.
Analysis:
The incident follows a trend of increased cyber attacks allegedly from both state and non-state Russian threat actors against Nordic targets since Sweden and Finland expressed an interest in joining the NATO alliance.
This is the most significant reported cybersecurity incident in Scandinavia since the attacks on Danish power companies in May 2023. Several publications attributed that incident to Sandworm, a Russian military threat actor.
While it’s still uncertain if this particular attack was politically motivated, various pro-Russian threat actors, such as NoName057(16), have explicitly attacked Sweden for its strategic and political decisions as recently as January 5th.
This incident is far larger than attacks previously attributed to the Akira Ransomware group. The group, active since March 2023, typically targets businesses with 200 or fewer employees. This incident indicates an escalation in capability.
Akira, as a threat actor, has demonstrated numerous connections to the now-defunct Conti ransomware gang. Conti was known for choosing targets that aligned with Russian political and strategic objectives, and voicing pro-Russian positions against Ukraine.
The attacks came shortly after the Turkish Parliament approved Sweden’s membership in the NATO alliance.
The same week as the attacks, Hungary's Viktor Orbán, the final holdout against Sweden's accession, also stated that he would approve a vote on Swedish NATO membership in his own country's Parliament.
The Nordic states have enacted a number of inter-state protective measures in their shared cyberspace. Until tighter restrictions were enacted in August of 2023, a number of their largest and most essential organizations shared data infrastructure with Russian corporations, such as Yandex.
Conclusion:
The scale and the critical nature of the affected infrastructure in this attack are particularly significant. Akira’s previous attacks were known for their focus on data exfiltration and extortion, but the widespread disruption of essential services in Sweden, including government and healthcare systems, indicates an escalation in the group's operational capabilities.
While the Akira group's signature tactics and techniques were evident in this incident, the scale and impact represent a significant escalation in their operations. There has been speculation that this escalation was driven by an outside influence, but it is safer to assume that ransomware as a whole has simply become more dangerous when the victim is a cloud service provider, because a single compromise of the provider's servers disrupts every customer that depends on them. This evolution in Akira's modus operandi could signal a new phase in their cybercriminal activities, warranting close monitoring and robust defensive measures by organizations globally.
It is also noteworthy that the timing of these attacks correlates so closely with renewed momentum behind Sweden's accession to NATO. If that speculation is correct, this would not be the first time that Russian political and strategic escalations were carried out through deniable cyber-criminal assets.