Cyber Incident Victim: Uppsala, Uppsala län, Sweden

Date: Jan 2024

Location: Sweden

Summary

A ransomware attack targeting IT provider Tietoevry disrupted systems for multiple Swedish entities, including Uppsala County's healthcare and economic operations. The Akira ransomware gang exploited unsecured Cisco VPN access to encrypt virtualization servers in a Swedish data center, causing outages in healthcare record systems, payroll services, and administrative functions. While backup routines minimized immediate patient risks, manual processing slowed administrative tasks. The incident also affected universities, retailers, and government agencies relying on Tietoevry's cloud hosting and Primula HR platform. Service restoration efforts are ongoing, with isolation of compromised systems preventing wider infrastructure impact.

Description

On January 19-20, 2024, Finnish IT services provider Tietoevry suffered a ransomware attack attributed to the Akira group, targeting a specific section of one of its Swedish data centers. The attack encrypted virtualization and management servers critical to Tietoevry’s enterprise cloud hosting services, disrupting operations for multiple Swedish clients. Region Uppsala, a healthcare and administrative authority in Sweden, experienced significant IT system outages affecting economic systems and healthcare record platforms. The incident forced Region Uppsala to activate pre-established contingency routines, including manual administrative processes for healthcare services, though officials confirmed no immediate patient safety risks. Tietoevry isolated the compromised infrastructure to prevent lateral spread and initiated restoration efforts using a "well-tested methodology," prioritizing data integrity during recovery.

The attack’s scope extended beyond healthcare systems, impacting Sweden’s Primula HR and payroll management platform—used by government agencies, municipalities like Uppsala County and Vellinge, and universities including Karolinska Institutet and Lunds Universitet. Private sector entities faced operational disruptions: Filmstaden cinemas suspended online ticket sales, retail chain Rusta experienced outages, and farming supplier Granngården temporarily closed stores. Tietoevry confirmed the Akira ransomware’s involvement on January 22, noting the attackers exploited vulnerabilities in an unspecified infrastructure component. Region Uppsala maintained continuous dialogue with Tietoevry while mobilizing its crisis management team to monitor potential escalation. Recovery timelines varied across customers due to differences in system complexity and data restoration requirements, with disruptions projected to persist for several days post-attack. Finnish cybersecurity authorities had previously linked Akira to attacks targeting unpatched or weakly secured Cisco VPNs lacking multi-factor authentication, though no specific attack vector was confirmed in this incident.