Cyber Incident Victim: Expressen
Date: Mar 2016
Location: Sweden
Summary
A large-scale distributed denial-of-service attack targeted multiple Swedish media outlets, including Expressen, Dagens Nyheter, and Svenska Dagbladet, alongside a ferry company, causing significant service disruptions over a weekend. The attacks, originating from hijacked computers with possible eastern European links, began Saturday evening and were described as highly coordinated and severe compared to prior incidents. A deleted tweet threatening media and government outlets for "spreading false propaganda" preceded the incident. Most affected organizations restored services, while Swedish authorities collaborated with national and international partners to investigate the attack sources, cautioning against premature attribution due to potential coordination from other locations.
Description
On March 19, 2016, a coordinated distributed denial-of-service (DDoS) attack disrupted multiple Swedish media outlets and a ferry operator, beginning at 19:30 local time. The targeted news organizations included Expressen, Dagens Nyheter, Svenska Dagbladet, Aftonbladet, Sydsvenskan, Helsingborgs Dagblad, and financial publication Dagens Industri. The attack rendered their online services inaccessible, with the threat actor’s motivation linked to a since-deleted tweet accusing these outlets of spreading "false propaganda." Ferry company Destination Gotland also experienced service disruptions as part of the same attack wave. Swedish authorities, including the Police Cybercrime Agency and the Civil Contingencies Agency, initiated investigations while affected organizations worked to restore operations. Most media outlets successfully mitigated the attacks and restored services during the incident period.

According to Anders Ahlqvist of Sweden's Police Cybercrime Agency, the scale and coordination of the attack exceeded previous DDoS incidents against Swedish targets in 2012. He described the attackers as using hijacked computers potentially located "to the east," a geographic reference suggesting possible Russian involvement, though authorities cautioned against definitive attribution due to potential obfuscation techniques. The Industry Association Newspaper Publishers in Sweden characterized the incident as "very severe" in impact. Law enforcement engaged both national and international partners to trace the attack sources, though no specific threat actor group or technical details about the attack vectors were publicly confirmed during the immediate response phase. Service restoration efforts continued through the weekend as organizations reassembled their systems under sustained pressure.
