
Cyber Incident Victim: SJ AB

Date:

Jun 2023

Location:

Sweden

Summary

The pro-Russian hacktivist group NoName057(16) conducted a DDoS attack against the Swedish railway carrier SJ AB. The group cited the Swedish authorities' permission for a Quran burning in Stockholm and their support for Ukraine as the motivation for the attack. This incident was part of a broader campaign where the group also targeted the Swedish Financial Supervisory Authority and shifted from its usual focus on Ukrainian financial institutions. The attack successfully disrupted the victim's website, knocking it offline.


Description

On or around June 27, 2023, the pro-Russian hacktivist group known as NoName057(16) initiated a campaign targeting the Ukrainian financial sector. The group announced its intentions on its Telegram channel, stating, "We will start today's journey with an attack on the financial sector of Ukraine." This campaign involved a series of distributed denial-of-service (DDoS) attacks aimed at disrupting Ukraine's online banking infrastructure. The attacks were relentless, with nearly a dozen major Ukrainian banks being hit daily over a four-day period starting from the group's initial declaration. The primary targets included some of the nation's largest commercial banks: First Ukrainian International Bank (PUMB), State Savings Bank of Ukraine (Oshchadbank), Credit Agricole Bank, and Universal Bank. Additional Ukrainian financial institutions claimed as victims by the group during this campaign included Ukrsibbank, Tascombank, MTB Bank, Pravex Bank, Piraeus Bank, Credit Dnepr Bank, and the Clearing House.


The group's stated motivation for this campaign was linked to a recent announcement by Ukrainian politicians regarding a potential move toward a cashless society. NoName quoted a statement from Rostyslav Shurma, the Deputy Head of the Office of the President of Ukraine, who suggested that banning cash payments could help overcome corruption. The group used this announcement as a justification for its attacks, mockingly stating on Telegram that they were helping the "Bandera junta" to reject their banking internet infrastructure. The term "Bandera junta" is a pejorative used by Russians to describe Ukrainians who support sovereignty from the Kremlin, referencing a historical far-right group. The attackers claimed to have successfully knocked several bank websites completely offline and specifically targeted critical banking services, including authorization services, login portals, customer service systems, and loan processing services.

On June 28, 2023, the group's activities expanded beyond Ukraine. NoName momentarily switched its focus to target Sweden in an apparent gesture of solidarity with another hacktivist group, Anonymous Sudan. This shift was prompted by a second event involving the burning of a Quran by protesters in Stockholm, which occurred on the first day of Eid al-Adha. NoName cited Swedish police allowing this act and noted that Swedish authorities also help "Ukrainian terrorists" as reasons for the attack. The group claimed responsibility for DDoS attacks on two Swedish targets: the website of the national railway carrier, SJ AB, and the website of the Swedish Financial Supervisory Authority, Finansinspektionen (FI). This marked a notable departure for NoName, as it was the first time a Russian-affiliated group had linked Islamic affairs to its motivational doctrine, aligning itself with the stated cause of Anonymous Sudan. Security analysts generally believe Anonymous Sudan is either operated by Russian sympathizers or backed by the Russian government, which provides context for this unexpected collaboration.

The incident involving SJ AB was part of this broader, opportunistic attack against Swedish infrastructure. The attack employed the group's signature DDoS method, which functions by overwhelming a website with a flood of traffic requests, thereby causing it to become unavailable to legitimate users. The primary impact reported was the disruption of the railway carrier's public-facing website, potentially affecting customer access to information and services. NoName publicly claimed success in these attacks, stating they had "killed" the websites. The specific technical details of the attack vector, the duration of the outage for SJ AB's website, or the exact time of day it occurred were not disclosed in the available reporting. Similarly, the internal detection mechanisms, immediate response actions taken by SJ AB's IT team, or any containment procedures implemented were not detailed in the source material. The consequences were limited to the claimed disruption of web services, with no mention of data breach, data exfiltration, or any compromise of internal railway operational systems.

This incident against SJ AB and the Swedish financial authority was a minor component within a much larger and ongoing campaign by NoName. The group first emerged around the time of the Russian invasion of Ukraine and has since primarily focused on NATO member nations allied with Ukraine. In the weeks preceding the SJ AB incident, the group had targeted critical infrastructure in Poland, Denmark, and Lithuania. It had also attacked the French parliament and launched nearly a dozen attacks on Switzerland’s financial and aviation sectors within the same month. Earlier in June, the group had claimed attacks on some of the largest European ports in Italy, Germany, Spain, and Bulgaria. The group's operational model involves recruiting volunteer hackers by advertising cryptocurrency payouts in exchange for participation in its DDoS attacks. This model was previously used effectively in January 2023 when the group disrupted at least half a dozen websites belonging to Czech presidential election candidates just days before the elections were scheduled to begin, causing significant chaos. The attack on SJ AB is consistent with this pattern of widespread, disruptive DDoS operations aimed at causing service interruptions and generating propaganda value through public claims of success.
