Menu
Browse

Cyber Incident Victim: Region Uppsala

Date:

Jan 2024

Location:

Sweden

Summary

Akira ransomware attackers compromised a single data center of the Finnish IT provider Tietoevry in Sweden, disrupting services for several of its customers. Region Uppsala reported that its economic systems and healthcare record system were affected, forcing the region to activate backup procedures and manual handling, which slowed administrative work but posed no immediate risk to patients. The outage also impacted Tietoevry’s payroll and HR platform Primula, affecting universities, colleges, government agencies and municipalities across Sweden, while other companies such as a cinema chain, retail firms and suppliers experienced similar service interruptions.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actor Type Location
1 actor Available to members Available to members

Description

On Friday night into Saturday morning of January 19‑20 2024, the Akira ransomware group launched an attack on one of Tietoevry’s data centers in Sweden, encrypting virtualization and management servers used for its enterprise‑managed cloud hosting service. Tietoevry confirmed that the attack was limited to one part of that single data center and did not affect other parts of its infrastructure. The ransomware incident was disclosed publicly on January 20, with Tietoevry stating that the malicious Akira ransomware activity occurred during the night of January 19‑20. The attack impacted Tietoevry’s services to several Swedish customers, including Region Uppsala.

Cyber Incident Image

As a consequence of the Tietoevry outage, Region Uppsala reported disturbances to its economic system and its healthcare journalsystem over the weekend. The outage also affected Tietoevry’s managed payroll and HR system, Primula, which is used by government agencies, universities and colleges across Sweden, thereby amplifying the impact on Uppsala County. Other Swedish organizations affected by the same Akira ransomware incident included the cinema chain Filmstaden, discount retailer Rusta, building materials supplier Moelven, and farming supplier Grangnården, some of which were forced to close stores while IT services were restored. For Region Uppsala the disruption was notable because, in addition to administrative systems, the region’s health care record system was also impacted.

Region Uppsala activated its pre‑prepared backup routines and initiated manual handling for affected healthcare and administrative processes, noting that there was no immediate risk to patients but that administrative tasks could take longer than usual. The region’s health and care director, Mikael Köhler, stated that lesser‑scale procedures were being employed within sjukvården and that the situation was being investigated to determine exactly which systems were affected and the extent of the impact. To manage a possible worsening of the incident, Region Uppsala activated its crisis leadership and maintained continuous dialogue with Tietoevry to coordinate resolution efforts. Private healthcare providers affected by the outage were to be notified as soon as possible.

Tietoevry responded by isolating the affected platform and began restoring infrastructure and services using a well‑tested, planned sequence intended to ensure correct handling of customer data, with the restoration timeline varying depending on the specific customer, the solutions involved and data‑restoring needs. The company indicated that customers would remain impacted as servers were brought back online and that it expected the problems could continue for the next few days. Both Tietoevry and Region Uppsala emphasized that they were working around the clock to minimize the impact and restore normal operations. No further details about the attack vector were provided beyond the confirmation that the Akira ransomware was responsible.

Sources
Sources available to members
2 sources