Cyber Incident Victim: Finansinspektionen (FI)
Date: Jun 2023
Location: Sweden
Summary
The Swedish Financial Supervisory Authority, Finansinspektionen (FI), was hit by a DDoS attack claimed by the pro-Russian hacktivist group NoName057(16). The group stated the attack was conducted in solidarity with another group, Anonymous Sudan, and was a response to a Quran burning in Stockholm. The incident resulted in the website of the financial authority being knocked offline, disrupting its availability.
Description
On June 28, 2023, the pro-Russian hacktivist group NoName057(16) executed a distributed denial-of-service (DDoS) attack against the website of the Swedish Financial Supervisory Authority, Finansinspektionen (FI). This incident was a departure from the group's primary campaign targeting Ukrainian financial institutions, which had been ongoing for the preceding four days. The attack on the Swedish authority was not part of the group's original plan for that day but was instead conducted as a spontaneous gesture of solidarity with another threat actor group known as Anonymous Sudan.

The motivation for this shift in targets was explicitly stated by NoName to be a direct response to events occurring in Sweden that same day. The group cited the Swedish police's permission for protesters to burn a Quran in Stockholm on Eid al-Adha as the immediate catalyst for their action. In public posts on their encrypted Telegram channel, the group expressed anger at this event. Furthermore, NoName linked their attack to a broader geopolitical stance, citing the claim that Swedish authorities "also help Ukrainian terrorists" as a contributing factor in their decision to target Sweden.
The attack employed the group's signature DDoS method, a technique they have consistently used to overwhelm target websites with a flood of traffic requests. The objective of this method is to render the online services inaccessible, effectively knocking the website offline. In their public claim of responsibility, NoName stated they had "killed the website of the financial supervision of Sweden," indicating they successfully disrupted access to Finansinspektionen's online presence.
This incident represented a notable development in the tactics and publicly stated motivations of Russian-affiliated cyber groups. While NoName's usual focus was on NATO countries supporting Ukraine, their alignment with Anonymous Sudan's Islamist-focused grievances marked the first observed instance of a Russian-linked group incorporating Islamic affairs into their motivational doctrine. Security analysts have assessed that Anonymous Sudan, despite its name, is likely operated by Russian sympathizers or backed by the Russian government, which provides a plausible explanation for the collaboration and shared targeting between the two groups.
The attack on Finansinspektionen was part of a small, temporary diversion aimed at two Swedish entities; the other target was the website of the Swedish railway carrier SJ AB. This limited campaign against Sweden was short-lived, as NoName resumed its primary focus on the Ukrainian financial sector immediately afterward. The group's main operation since June 27th had involved relentless daily DDoS attacks against nearly a dozen major Ukrainian banks. Their stated goal for the Ukrainian campaign was to disrupt the nation's online banking infrastructure, specifically targeting the websites of major commercial banks, as well as authorization services, login portals, customer service systems, and loan processing services.
The impact of the DDoS attack on the Swedish Financial Supervisory Authority's website was a service interruption, making the site unavailable to the public and stakeholders for a period of time. The group's claim of having "killed" the website suggests a significant outage. The specific duration of the downtime, the technical scale of the attack, and any collateral damage beyond website availability were not detailed in the public claims or reporting. No evidence of data breach, data theft, or system infiltration beyond the temporary denial-of-service was indicated.
There is no publicly available information detailing the specific response actions taken by Finansinspektionen to the attack, such as their incident detection methods, immediate mitigation steps, or the involvement of national cybersecurity authorities. The response would typically involve efforts to identify the source of the malicious traffic, implement filtering or rate-limiting measures to mitigate the flood of requests, and restore normal service availability. The incident did not appear to cause long-term disruption to the authority's functions, as it was a typical DDoS attack aimed at temporary disruption rather than permanent damage.
The incident fits into the broader pattern of NoName's activities since its emergence around the start of the Russian invasion of Ukraine. The group has primarily focused on targeting NATO member nations allied with Ukraine, recently launching attacks against critical infrastructure in Poland, Denmark, and Lithuania, the French parliament, and the financial and aviation sectors in Switzerland. In a separate campaign earlier in June, the group had also targeted some of the largest European ports in Italy, Germany, Spain, and Bulgaria. Their modus operandi relies heavily on recruiting volunteer hackers, having previously advertised cryptocurrency payouts in exchange for participation in their DDoS campaigns, which allows them to generate the substantial traffic volume required for their attacks.
