
Cyber Incident Victim: LIFA A/S

Date: Mar 2022

Location: Denmark

Summary

A Danish land surveying company, LIFA A/S, suffered a severe cyberattack attributed to the Russian ransomware group Conti, causing extensive operational disruptions and temporary incapacitation of its systems. The attack impacted Borger.dk's address registration services due to LIFA's role as an IT provider, though functionality was later restored. Conti, known for ties to the Russian state and professional capabilities, demanded ransom, which the company refused. Investigations confirmed no compromise of citizen address data but are assessing potential theft of other corporate information. The incident occurred amid heightened cyber threats against Danish critical infrastructure linked to geopolitical tensions, prompting increased security measures across Danish businesses and sectoral alerts from industry groups, while authorities maintained existing risk assessments.


Description

On or around March 5, 2022, Danish land surveying company LIFA A/S, based in Odense, suffered a severe cyberattack attributed to the Russian ransomware group Conti. The attack disrupted critical operations, rendering large portions of the company nonfunctional, including its website. LIFA’s role as a subcontractor providing IT tools for Borger.dk—Denmark’s central digital platform for citizen services—caused collateral damage, temporarily disabling address-change registration functionality on Borger.dk. Managing Director Thomas Boding confirmed the attack’s severity, stating the company was “largely shut down” with no immediate timeline for full recovery. LIFA’s internal IT department identified Conti as the perpetrator, a finding corroborated by their insurer Codan and cybersecurity partner. Conti, known for ties to the Russian state and classified by experts as highly professional, demanded ransom, but LIFA refused negotiations or payment.


The incident impacted Danish infrastructure due to LIFA’s subcontracting relationships with utility providers across municipalities and regions, though Boding characterized the targeting as opportunistic rather than directed at LIFA specifically. Services resumed by Tuesday, March 8, restoring Borger.dk functionality, with LIFA assuring no citizen address data was compromised. Investigations into potential data exfiltration from other systems remained ongoing. Concurrently, Nordea Bank experienced a separate DDoS attack causing slowed online banking services, though attribution remained unconfirmed. Danish businesses, warned by experts like CSIS’s Peter Kruse and IT University’s Carsten Schürmann, elevated cyber defenses, with Dansk Erhverv reporting increased attack attempts and critical infrastructure providers activating highest-alert protocols. Center for Cybersikkerhed maintained its June 2021 “low threat” assessment for destructive cyberattacks against Denmark despite sectoral concerns, citing adversary intent rather than capability gaps.
