Cyber Incident Victim: Mörbylånga Municipality
Date:
Dec 2022
Location:
Sweden
Summary
A cyberattack targeting two Swedish municipalities prompted a crisis declaration after compromising their shared IT systems, disrupting essential services for approximately 25,000 residents. The intrusion led to internet disconnections of municipal systems, rendering citizen services—including email, healthcare, and critical infrastructure operations like water, electricity, and waste management—unavailable, forcing healthcare providers to rely on manual processes. External responders assisted containment efforts, while preliminary findings indicated unauthorized data downloads, though the specific nature of the data and attack remained unclear. Recovery was anticipated to take several days, with municipal companies also experiencing operational limitations due to precautionary system shutdowns.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The cyberattack impacting the Swedish municipalities of Borgholm and Mörbylånga was discovered late on Monday, December 12, 2022, triggering a declared crisis situation across both jurisdictions. The intrusion targeted the joint IT system shared by the two municipalities, which collectively administer the island of Öland and serve approximately 25,000 residents. Municipal staff worked overnight to disconnect all official IT systems from the internet as a precautionary containment measure. External incident response specialists were engaged to assist with managing the attack, according to Borgholm Municipal Manager Jens Odevall. Immediate technical impacts included the complete takedown of Mörbylånga's municipal website, while Borgholm's externally hosted site remained accessible. Critical citizen-facing services were disrupted across both municipalities, including email communications and digital healthcare systems, forcing healthcare providers to revert to paper-based processes for which existing emergency protocols existed. Odevall confirmed observing network traffic indicating unauthorized data exfiltration, though the specific nature and sensitivity of compromised data remained unverified at the initial stage.
Municipal companies providing essential infrastructure services were affected, with Bornholm Energi—responsible for water, electricity, heat, waste, and sewage management—publicly acknowledging system shutdowns that severely limited customer communication channels. The company's website displayed warnings about email unreachability and reduced telephone availability as direct consequences of the security measures. Odevall declined to characterize the attack as either extortion or sabotage during initial statements to local media, emphasizing that forensic analysis was ongoing through collaboration with Swedish national authorities. Restoration timelines were projected to span multiple days, with municipal operations expected to experience prolonged disruptions. No threat actor attribution or specific attack vector details were disclosed publicly during the immediate response phase, though contextual references were made to contemporaneous ransomware incidents affecting European municipalities like Antwerp, Belgium. The joint municipal administration maintained crisis protocols while investigators worked to determine the full scope of data exposure and operational impacts.