Cyber Incident Victim: Finansministeriet
Date:
Jan 2023
Location:
Denmark
Summary
Finansministeriet's website experienced significant instability due to a distributed denial-of-service (DDoS) attack, confirmed by Statens IT, which manages the site. The attack caused intermittent outages before service stabilized. While authorities did not initially attribute the incident, the group Noname (also known as DDOSia), linked to the Russian cyber group Killnet, publicly referenced the ministry's site as inaccessible via Telegram. Killnet had previously claimed responsibility for DDoS attacks targeting multiple Danish financial institutions, including Danske Bank and Arbejdernes Landsbank, though a direct connection between these incidents and the ministry's outage remained unconfirmed by officials at the time. Several other banks and financial service providers also reported disruptions from similar attacks during this period.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On January 11, 2023, Finansministeriet’s website, fm.dk, experienced intermittent availability due to a distributed denial-of-service (DDoS) attack. The site fluctuated between operational and inaccessible states throughout the day, prompting confirmation from the ministry’s press service, though they declined to specify the cause or potential links to concurrent attacks on Danish financial institutions. Statens IT, responsible for hosting fm.dk, identified the incident as an “overbelastningsangreb” (overload attack) targeting the site. By 16:09, Statens IT reported the attack had subsided, restoring stable operations. The organization could not immediately attribute responsibility or confirm connections to recent DDoS campaigns against banks. Concurrently, the group Noname (DDOSia) highlighted fm.dk’s inaccessibility via Telegram, as noted by Danish media. Noname operates in parallel with Killnet, a Russian-aligned cyber group that claimed responsibility for prior DDoS attacks against EU entities in 2022–2023 and specifically acknowledged targeting Danske Bank in the same timeframe.
The incident occurred amid widespread disruptions to Denmark’s financial sector, with Arbejdernes Landsbank, Nationalbanken, Danske Bank, Sydbank, and seven smaller banks or IT providers reporting DDoS-related outages in preceding days. Arbejdernes Landsbank publicly suspected Killnet’s involvement in its incident, aligning with Killnet’s claim against Danske Bank. Statens IT and Finansministeriet did not confirm whether fm.dk’s attack originated from the same actors, though technical parallels and temporal proximity suggested potential coordination. No data breaches or system compromises beyond service interruptions were disclosed. The attack’s primary impact was restricted to fm.dk’s public-facing availability, with no reported spillover to internal systems or secondary services. Restoration efforts focused on mitigating traffic overloads, culminating in resumed normal operations by late afternoon.