Cyber Incident Victim: Sydsvenskan
Date:
Mar 2016
Location:
Sweden
Summary
A large-scale distributed denial-of-service attack targeted multiple Swedish media outlets, including Sydsvenskan, and a ferry company, causing significant service disruptions over a weekend. The coordinated assault, described as very severe and more sophisticated than previous attacks, originated from hijacked computers potentially located to the east, though authorities cautioned against premature attribution. A deleted tweet threatening media and government entities for spreading "false propaganda" was linked to the incident. Most affected organizations restored services following the attack, which prompted involvement from national police, international partners, and Sweden's Civil Contingencies Agency to investigate the source and coordination of the offensive.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 19, 2016, multiple Swedish media outlets, including Sydsvenskan, Dagens Nyheter, Expression, Svenska Dagbladet, Aftonbladet, Helsingborgs Dagblad, and financial publication Dagens Industri, suffered a coordinated distributed denial-of-service (DDoS) attack beginning at 19:30 local time. The attack disrupted online services, forcing several news sites offline during the incident. A deleted tweet preceding the attacks had accused media and government outlets of spreading "false propaganda," though no direct attribution was confirmed. Sweden’s Civil Contingencies Agency and police cybercrime units initiated investigations, with authorities contacting national and international partners to trace the attack sources. Anders Ahlqvist of Sweden’s Police Cybercrime Agency noted the attacks originated from hijacked computers, suggesting possible eastern origins while cautioning against premature attribution due to potential coordination from other locations.
The incident was characterized as "very severe" by the CEO of the Industry Association Newspaper Publishers in Sweden, reflecting its scale and coordination compared to prior DDoS campaigns targeting Swedish entities in 2012. Most affected media organizations restored services after sustained mitigation efforts, though ferry operator Destination Gotland also reported disruptions. Police emphasized the attackers’ heightened coordination but did not publicly identify suspects or motives beyond the initial social media threat. No additional technical specifics regarding attack vectors, duration, or data impacts were disclosed by the sources. Investigations remained ongoing at the time of reporting, with no further public updates on attribution or arrests.