Cyber Incident Victim: Svenska Dagbladet
Date:
Mar 2016
Location:
Sweden
Summary
A large-scale distributed denial-of-service attack targeted multiple Swedish media outlets, including Svenska Dagbladet, alongside a ferry company during a weekend disruption. The coordinated attacks, originating from hijacked computers potentially linked to eastern regions, overwhelmed services following threats accusing the organizations of spreading false propaganda. Most affected outlets restored operations after sustained efforts, with authorities collaborating nationally and internationally to investigate the incident. Police described the attack as more sophisticated than previous campaigns, involving significant coordination and prompting engagement with cybersecurity agencies. The incident caused widespread service interruptions but did not result in permanent damage to the targeted entities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 19, 2016, at approximately 19:30 local time, multiple Swedish media organizations experienced simultaneous distributed denial-of-service (DDoS) attacks that disrupted their online services. The targeted entities included major newspapers Dagens Nyheter, Expression, Svenska Dagbladet, Aftonbladet, Sydsvenskan, Helsingborgs Dagblad, and financial publication Dagens Industri, along with ferry operator Destination Gotland. The attacks followed a deleted tweet threatening media and government outlets for allegedly spreading "false propaganda." System administrators from affected organizations worked through the weekend to restore services, with most reporting successful mitigation efforts despite the attack's intensity. The Industry Association Newspaper Publishers in Sweden characterized the incident as "very severe," highlighting its operational impact on news dissemination.
Sweden's Police Cybercrime Agency, led by Anders Ahlqvist, initiated an investigation involving domestic and international partners to trace the attack sources. Technical analysis indicated compromised computers were leveraged in the assault, with preliminary geographical references suggesting origins "to the east"—though authorities cautioned against definitive attribution to Russia or any specific actor due to potential obfuscation techniques. The coordination level exceeded that observed in prior 2012 DDoS incidents against Swedish government and private entities. Civil Contingencies Agency collaborated with law enforcement, while targeted organizations focused on restoring public access to digital platforms. Service disruptions varied across outlets, with no confirmed data breaches or permanent damage reported beyond temporary accessibility issues during the attack window.