Cyber Incident Victim: SAS
Date: Feb 2023
Location: Sweden
Summary
A hacker group identifying as Anonymous Sudan demanded $3 million from Scandinavian Airlines to cease distributed denial-of-service attacks targeting its websites and mobile app, escalating from an initial $3,500 demand. The attacks disrupted online services, temporarily exposing some customers' contact details and itineraries, while the group falsely justified its actions as retaliation for Quran burnings in Sweden. Researchers linked Anonymous Sudan to Russian-aligned operations aimed at undermining Sweden's NATO bid, noting its affiliation with the pro-Russian group Killnet and broader targeting of critical infrastructure in nations supporting Ukraine, including airports, hospitals, and financial systems. Despite its unsophisticated methods, the group's extortion attempts and disruptive attacks highlighted risks to essential services.
Description
In February 2023, Scandinavian Airlines (SAS) became the target of distributed denial-of-service (DDoS) attacks by the hacker group Anonymous Sudan. The group initially claimed political motivations, attributing the attacks to protests involving Quran burnings in Stockholm during January 2023. These cyberattacks disrupted SAS’s online services, including its website and mobile application. Some customers attempting to access the SAS mobile app were inadvertently redirected to other users’ accounts, exposing personal contact information and flight itineraries. The operational impact persisted for at least five days, according to Anonymous Sudan’s public statements. On February 1, 2023, the group escalated its demands through a Telegram channel, issuing a ransom note requiring SAS to pay $3 million to halt the attacks, a significant increase from an initial demand of $3,500. The group threatened continued disruption, warning of consequences for SAS and its customers if the payment was not made. SAS acknowledged website-related issues in responses to customer complaints on Facebook, stating that it was working to resolve the problem, but it did not provide technical details or publicly confirm the ransom demand. At the time the first source article was published, the SAS website remained operational despite the claimed attacks.

Anonymous Sudan expanded its targeting beyond SAS to include Swedish public television, German airports, Danish hospitals, Israeli financial institutions, and a missile warning system. Cybersecurity firms Truesec and Trustwave analyzed the group’s activities, concluding it was likely a Russian information operation aimed at undermining Sweden’s NATO application. Evidence included the group’s Telegram account listing Russia as its location and its alignment with pro-Russian threat actor Killnet. Trustwave further identified financial motives, citing attempts by Anonymous Sudan to sell data stolen from Air France. Although the group primarily executed unsophisticated DDoS attacks, researchers emphasized the risks posed to critical infrastructure sectors such as aviation, healthcare, and emergency services. SAS did not disclose containment measures, restoration timelines, or data breach specifics in available source material. The incident highlighted operational disruptions, potential data exposure for customers, and reputational impacts for the airline amid ongoing cyber hostilities linked to geopolitical tensions.
