Cyber Incident Victim: Dagens Nyheter
Date: Mar 2016
Location: Sweden
Summary
A large-scale DDoS attack disrupted multiple Swedish media outlets, including Dagens Nyheter, causing significant service outages over a weekend. The incident, linked to hijacked computers potentially originating from eastern regions, prompted involvement from national police and security agencies, who collaborated with international partners to trace the sources. A deleted tweet accusing the targeted outlets of spreading "false propaganda" preceded the attack, suggesting a retaliatory motive. Several organizations restored services during the campaign, though authorities characterized the attack as highly coordinated and more sophisticated than previous incidents. The disruption also affected a ferry operator, broadening the impact beyond media entities. Investigators cautioned against premature attribution while pursuing leads across jurisdictions.
Description
On March 19, 2016, a large-scale distributed denial-of-service (DDoS) attack disrupted multiple Swedish media outlets, beginning at 19:30 local time. Primary targets included newspaper Dagens Nyheter (DN), alongside Expressen, Svenska Dagbladet, Aftonbladet, Sydsvenskan, Helsingborgs Dagblad, and financial publication Dagens Industri. The attack, described as "very severe" by the CEO of the Industry Association Newspaper Publishers in Sweden, rendered these news sites inaccessible. A deleted tweet had previously threatened media and government entities for "spreading false propaganda," though no direct attribution was confirmed. Ferry operator Destination Gotland also experienced disruptions, indicating broader collateral impact. Most affected organizations restored services after sustained mitigation efforts, though the attack's scale and coordination exceeded prior incidents like the 2012 DDoS campaigns against Swedish government and private entities.

Sweden's Police Cybercrime Agency, led by Anders Ahlqvist, initiated a formal response involving domestic and international partners to trace the attack sources. Initial technical analysis indicated compromised computers were leveraged in the assault, with Ahlqvist suggesting a geographical origin "to the east"—implicitly referencing Russia—while cautioning DN against premature attribution due to potential obfuscation tactics. The Civil Contingencies Agency collaborated in the investigation, reflecting the incident's national security implications. Ahlqvist emphasized the attackers' heightened coordination compared to earlier Swedish cyber incidents, though no specific threat actor or motive was conclusively identified. The incident underscored systemic vulnerabilities in media infrastructure, prompting operational reviews among targeted organizations without immediate public disclosures of technical countermeasures or long-term resilience strategies.
