Cyber Incident Victim: Eduskunta
Date:
Dec 2020
Location:
Finland
Summary
Hackers breached the Finnish Parliament's internal IT system, gaining unauthorized access to email accounts of multiple members of Parliament. The intrusion, discovered by IT staff and investigated as suspected espionage, potentially aimed to benefit a foreign state or harm national interests. While no system damage occurred, the incident was deemed serious due to the target's significance. International cooperation supported the investigation, mirroring a similar attack on Norway's parliamentary email system earlier that season, which was attributed to a Russian-linked cyber-espionage group known for credential-based attacks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In late 2020, the Finnish Parliament experienced a cybersecurity breach in which unauthorized actors infiltrated its internal IT system and accessed email accounts belonging to multiple members of Parliament (MPs). The intrusion occurred during the fall of 2020 but was not detected until December of that year, when the Parliament’s IT personnel identified the compromise. The Finnish Central Criminal Police (KRP) launched a criminal investigation into the incident, classifying it as a deliberate attack rather than an accidental security failure. KRP Commissioner Tero Muurman confirmed the breach did not damage the Parliament’s IT infrastructure but emphasized its severity due to the high-profile nature of the target. Investigators disclosed that the attack impacted more than one individual, though the exact number of compromised accounts remained undisclosed to avoid interfering with the ongoing probe. Authorities treated the incident as a case of suspected espionage, with Muurman stating one hypothesis involved foreign state actors stealing information to either benefit their own nation or undermine Finland’s interests. The KRP noted international collaboration was part of the investigation but provided no specifics about participating entities or methodologies.
The breach drew parallels to a contemporaneous attack on Norway’s parliamentary email systems, which Norwegian authorities attributed to APT28, a hacking group associated with Russia’s military intelligence agency (GRU). While Finnish officials did not formally link their incident to any specific threat actor, cybersecurity analysts observed similarities in the targeting of legislative bodies and the compromise of email accounts. Microsoft research published around the same period highlighted APT28’s increased use of credential stuffing and brute-force attacks to infiltrate email systems, though no direct technical evidence connected these tactics to the Finnish breach. The Finnish government underscored the incident’s exceptional seriousness due to both the sensitivity of the targeted data and the institutional stature of the Parliament. No operational disruptions or data destruction resulted from the intrusion, but the unauthorized access to lawmakers’ communications raised concerns about potential information exploitation. The KRP maintained its investigation focused on determining the scope of data exposure, the identity of the perpetrators, and the geopolitical motivations behind the attack.