Cyber Incident Victim: Skatteverket

On May 4, 2023, the Swedish Tax Agency, Skatteverket, became the target of a cyberattack. The attack was initiated against the agency's public website, skatteverket.se. The incident involved multiple attack methods, though the specific techniques employed by the threat actors were not publicly detailed. In immediate response to the attack's commencement, the agency's IT director, Peder Sjölander, directed the implementation of a significant containment measure. As an immediate action, all web traffic originating from outside the Scandinavian region was blocked from accessing the Skatteverket.se domain. This action was taken to sever a potential vector for the attack and to isolate the targeted systems from a large portion of the external internet.

The cyberattack had a direct and severe impact on the availability of the agency's digital services. As a direct consequence of the incident, public access to several of Skatteverket's essential e-services was disrupted. The attack made it difficult for users to reach these online platforms, impairing the agency's ability to serve the public and businesses through its digital channels. To further limit the attackers' capabilities and to protect the integrity of the website's infrastructure, an additional defensive measure was enacted. The search function on the Skatteverket website was deliberately restricted. This action was taken to reduce the attack surface and to prevent the potential exploitation of that specific feature as part of the ongoing malicious activity.

The disruption to e-services represented a significant degradation of the agency's normal operational capacity, affecting citizens and entities that rely on these digital platforms for tax-related matters. The public-facing website serves as a primary portal for information and service access, and its impaired functionality hindered the public's ability to interact with the tax authority. The blocking of international traffic, while a containment step, also had the consequence of limiting legitimate access to the website for users located outside of Scandinavia, including Swedish citizens abroad and international businesses. The response actions, including the geographic blocking and the restriction of the search engine, were indicative of a defensive strategy focused on rapid containment to prevent further escalation or damage to systems.

The incident was publicly confirmed by the agency on its official website through a press release dated May 4, 2023, the same day the attack began. The public statement served to acknowledge the ongoing situation and to inform users of the service disruptions they were experiencing. The announcement provided a basic factual account of the event, confirming the cyberattack and outlining the initial response measures taken. The statement did not speculate on the origin or identity of the threat actors behind the attack. The primary focus of the initial communication was to convey the immediate impact on services and the steps taken to secure the systems in response to the malicious activity. The public response also included directing users towards alternative, unaffected services, specifically highlighting the agency's live web seminars on taxes and entrepreneurship as remaining available and operational during the incident.