Cyber Incident Victim: Helsingborgs Dagblad
Date: Mar 2016
Location: Sweden
Summary
A large-scale distributed denial-of-service attack targeted multiple Swedish media organizations, including Helsingborgs Dagblad, disrupting services over a weekend. The coordinated assault originated from hijacked computers, with preliminary indications suggesting eastern origins, though authorities cautioned against premature attribution. Attackers accused the outlets of spreading false propaganda, referencing a since-deleted social media threat. Most affected organizations restored functionality during the incident, which security officials characterized as more sophisticated than previous national cyberattacks. Law enforcement engaged domestic and international partners to investigate the attack sources, while industry representatives described the event's severity as unprecedented. The incident also impacted non-media entities such as a regional ferry operator.
Description
On March 19, 2016, beginning at approximately 19:30 local time, multiple Swedish media outlets including Helsingborgs Dagblad, Dagens Nyheter, Expressen, Svenska Dagbladet, Aftonbladet, Sydsvenskan, and financial publication Dagens Industri suffered a coordinated distributed denial-of-service (DDoS) attack. The attack disrupted online services, forcing several news sites offline during the incident. A deleted tweet prior to the attack had threatened media and government outlets for allegedly spreading "false propaganda," though no direct claim of responsibility was verified. The Industry Association Newspaper Publishers in Sweden characterized the attack as "very severe" in scale. Ferry operator Destination Gotland also reported being impacted by the same wave of attacks, indicating broader targeting beyond media organizations. Swedish authorities, including the Police Cybercrime Agency and the Civil Contingencies Agency, initiated investigations into the incident.

Most affected media organizations restored services after mitigating the attacks, though operational disruptions persisted throughout the weekend. Anders Ahlqvist of Sweden’s Police Cybercrime Agency confirmed the attacks originated from hijacked computers, with preliminary technical indicators suggesting possible Eastern European or Russian involvement, though he cautioned against definitive attribution due to potential obfuscation tactics. The agency collaborated with national and international partners to trace attack sources, noting the attackers demonstrated higher coordination compared to previous DDoS campaigns targeting Swedish entities in 2012. No data breaches or permanent system compromises were reported by the media outlets. The incident highlighted vulnerabilities in critical digital infrastructure but concluded without further escalation or additional public threats following the initial disruption period.
