Cyber Incident Victim: Kammarkollegiet

Date: May 2023

Location: Sweden

Summary

A pro-Russian group claimed responsibility for a series of DDoS attacks targeting numerous Swedish government authorities, citing the expulsion of Russian diplomats and the Nord Stream investigation as motives. The attacks caused service disruptions, making several official websites slow or completely unreachable for periods of time. The incident impacted Kammarkollegiet, whose sub-sites were affected after their provider was attacked. One agency described the attack as unusually sophisticated and persistent, lasting for several hours.

Description

In the final days of April 2023 and extending into the first week of May, a significant number of Swedish government agencies were subjected to a series of distributed denial-of-service (DDoS) attacks. These attacks, characterized as overload attacks, targeted the public-facing websites of several central authorities. The primary effect of these incidents was to render the agencies' websites slow, unresponsive, or completely unreachable for members of the public attempting to access them. The attacks were not assessed to pose a direct threat to the internal operations or data security of the affected agencies but were disruptive to their public digital services.

A pro-Russian group, operating on the Telegram messaging platform and boasting over 40,000 followers, publicly claimed responsibility for the coordinated attacks. The group's stated motivation was a direct response to Swedish foreign policy actions it viewed as confrontational towards Russia. Specifically, the group cited Sweden's expulsion of five Russian diplomats, who were identified by the Swedish Ministry for Foreign Affairs as intelligence officers operating under diplomatic cover. This expulsion was reportedly conducted in the wake of a documentary series by Uppdrag granskning titled "Skuggkriget" (Shadow War). The group also pointed to the ongoing Swedish investigation into the sabotage of the Nord Stream pipelines as a contributing reason for their offensive cyber actions.

The Swedish Security Service (Säkerhetspolisen) confirmed awareness of the incidents, acknowledging that a number of overload attacks had been carried out against Swedish institutions. The security service, however, declined to provide further details regarding its intelligence assessment or its specific operational response to these events, stating that such information was not something it had the ability to elaborate on publicly.

Among the specifically named affected agencies was Skatteverket, the Swedish Tax Agency. The agency described the attack it faced as unusually sophisticated and persistent. According to their public statements, the attack lasted for a continuous period of six hours. The attackers employed various methods in their assault, necessitating a dynamic defensive response. A representative from Skatteverket, Peder Sjölander, described the event as a game of "cat and mouse," where the agency would implement countermeasures and the attackers would subsequently adjust their tactics to circumvent them. The sustained and adaptive nature of the attack was noted as a novel experience for the agency, leading to the tax website becoming slow and difficult to access throughout the duration of the incident.

Kammarkollegiet, the Legal, Financial and Administrative Services Agency, was also impacted. The agency reported that two of its subsidiary websites were affected. This disruption was not due to a direct attack on Kammarkollegiet's own infrastructure but was a secondary consequence of a DDoS attack targeting their provider, Sitevision Control. The attack on this third-party service provider cascaded to impact the availability of the dependent agency sites.

The website of the Swedish Parliament, the Riksdagen, was another confirmed target earlier in the same week. The attack resulted in the parliament's website being completely down and unavailable to visitors. A press spokesperson for the Riksdagen confirmed the occurrence of the attack but refrained from offering any additional commentary on the matter.

Försvarsmakten, the Swedish Armed Forces, reported that it too had been subjected to an attack. However, due to its robust protective measures, the attack did not result in any significant impact on its operations or systems. The armed forces' communications department emphasized that such attack attempts are a continuous occurrence and that their defenses remained strong throughout this particular incident, preventing any major disruption.

The collective impact of these attacks was a temporary but widespread degradation of public access to critical government digital services. The incidents highlighted a coordinated effort to disrupt governmental online presence as a form of protest or retaliation. The response from the targeted entities involved implementing technical countermeasures to mitigate the attacks and restore service availability, with some agencies like Skatteverket engaging in a real-time technical battle to counteract the evolving methods of the attackers. The widespread nature of the attacks across multiple separate agencies suggests a coordinated campaign rather than isolated incidents.
