Cyber Incident Victim: TietoEVRY
Date: Jan 2024
Location: Sweden
Summary
A ransomware attack targeted a Swedish data center operated by TietoEVRY, partially disrupting services for some customers in Sweden. The company immediately isolated the affected platform, preventing further spread within its infrastructure. Recovery efforts involved internal and external specialists working continuously, though restoration timelines remained uncertain. The incident, reported to police as a criminal act, required a methodical approach to restore infrastructure and customer data, with varying timelines based on individual customer needs and solutions. TietoEVRY maintained ongoing communication with impacted customers throughout the process.
Description
On the night of January 19-20, 2024, a ransomware attack partially compromised one of Tietoevry’s multiple datacenters in Sweden, disrupting services for an unspecified number of customers in the country. The company detected the incident promptly and initiated its highest-level response protocols to investigate, mitigate, and resolve the attack. Immediate containment measures included isolating the affected platform to prevent lateral movement within Tietoevry’s infrastructure, which successfully confined the ransomware to one segment of the targeted datacenter. Service disruptions manifested at varying severity levels across impacted customers, though the company did not publicly identify specific clients or detail the exact nature of degraded services. Tietoevry acknowledged the operational inconvenience caused to customers through a public apology on January 20 while emphasizing ongoing coordination with relevant local authorities. Initial communications refrained from estimating recovery timelines due to the operational complexity of restoring affected systems.

By January 21, Tietoevry confirmed the attack’s scope remained limited to the originally compromised platform, with no evidence of propagation to other datacenters or business units. A specialized team of internal and external cybersecurity experts worked continuously across multiple parallel tracks to restore infrastructure according to a predefined, methodical recovery process designed to ensure proper handling of customer data. The restoration sequence accounted for solution-specific variables and data recovery requirements, resulting in differing timelines across affected customers. Police authorities were notified given the criminal nature of ransomware attacks, though no threat actor details or ransom demands were disclosed. Senior leadership, including Market Sweden Head Venke Bordal, maintained active dialogue with directly impacted customers regarding restoration progress while reiterating the priority of service security and continuity. The company maintained high-alert status with continuous monitoring but did not provide a definitive resolution timeline as restoration efforts continued beyond the initial 48-hour window.
