Cyber Incident Victim: Swedish Armed Forces
Date: Jan 2012
Location: United States of America
Summary
A Swedish military server was compromised due to a security flaw and exploited by hackers to conduct a large-scale distributed denial-of-service (DDoS) attack targeting major U.S. financial institutions, causing prolonged website outages. The attack overwhelmed bank websites with traffic by leveraging multiple vulnerable servers globally, including the breached Swedish defense system, with human error cited as a contributing factor. U.S. authorities attributed the campaign to Iranian actors, suggesting retaliatory motives, while the incident prompted the military to implement unspecified enhanced security measures to prevent recurrence. The attacks reportedly cost affected financial entities significant operational losses per hour during disruptions.
Description
In 2013, servers belonging to the Swedish Armed Forces were compromised and exploited to conduct distributed denial-of-service (DDoS) attacks against major US financial institutions, including Citigroup, Capital One, and HSBC. The attacks, which began in 2012 and persisted for months, overwhelmed the banks’ websites with massive volumes of internet traffic, causing outages that lasted several days for as many as 20 institutions. Swedish military spokesperson Mikael Abramsson confirmed that hackers exploited a flaw in one of their defense system servers to execute the attacks, describing the incident as a significant security failure. The attackers utilized a network of vulnerable servers worldwide, including the Swedish military server, to generate an internet traffic jam powerful enough to disrupt critical financial services. This attack method represented an escalation from traditional DDoS tactics, which typically relied on infected personal computers, by instead hijacking cloud-based datacenters to amplify computing power. US officials attributed the campaign to Iran, suggesting it was retaliation for economic sanctions and prior cyber operations targeting Iranian infrastructure.

The incident had substantial operational and financial consequences, with cybersecurity firm Neustar estimating losses of up to $100,000 per hour for affected banks during outages. The Swedish Armed Forces acknowledged the breach as a critical wake-up call, prompting immediate but unspecified security enhancements to prevent future compromises. IT security expert Dan Eriksson of the Swedish military cited human error as the root cause, emphasizing that oversight allowed the server vulnerability to persist. While the military declined to disclose technical details of its remedial measures, Abramsson asserted that similar attacks could no longer succeed against their systems. The event highlighted the risks of state-sponsored cyber operations leveraging third-party infrastructure, as the Swedish servers became unwitting participants in a geopolitical conflict. The prolonged disruption to US banking services underscored the scalability of cloud-based DDoS tactics and their potential to inflict widespread economic damage.
