Updated 23.00 | Published 22.43
120 Swedish authorities have been affected by the IT attack against Tietoevry.
Behind the attack are about ten people in Russia who want to make money.
– They are not controlled by the Russian security service, but they provide services and re-services, says cyber threat expert Mattias Wåhlén.
Salary payments, leaked patient data, cinema visits, a security giant.
The major IT attack against Tietoevry has affected Swedish society in several ways.
The hacker group Akira is behind the attack, SvD reported on Monday. The group has a blog on the darknet and has recently been very active in the Nordics.
– Akira is a group of cybercriminals who deal with ransomware. They probably arose in part from another larger crime syndicate, Conti, which was disbanded in 2020, says Mattias Wåhlén, a cyber threat expert at Truesec who previously worked in Swedish intelligence for 35 years.
A so-called ransomware attack against the IT supplier Tietoevry has created problems for Filmstaden, among others.
Photo: Anders Wiklund / TT
“Watching between the fingers”
The innermost core of the group probably consists of people living in Russia.
According to Mattias Wåhlén, there are around 10-20 people who organize the attack and develop the software. Then a number of freelancers join, ranging from 20 up to 50 people, who do the actual hacking.
The fact that hacker groups usually operate from Russia has its explanation, according to Wåhlén.
– Russian police and security services watch this crime through their fingers, as long as it does not affect Russia. That’s how it has been for a long time.
As Russia’s relationship with the West has deteriorated, not least after the war against Ukraine, the country is even less inclined to stop the criminals.
– They bring in money for Russia from the West, so it suits the government quite well.
“Can violate interesting information”
At the same time, there are certain contacts between the Russian state and the hacker groups. Often it is about services and re-services.
– You tolerate each other, you have interests. If it’s the case that a group accesses data from a company, finds some sensitive blueprint that they think the Russian state might be interested in, then you can dump it on them.
Mattias Wåhlén, cybersecurity expert at Truesec. Photo: Magnus Hjalmarson Neideman / TT
Mattias Wåhlén says that hacker groups like Akira have a clear goal: money.
– These criminals are not patriots. They are motivated by money. Those who deal with DDoS attacks that knock out websites, they have more political motives.
– In some cases, there are groups that have been dealing with ransomware that have started hacking authorities in Ukraine and stealing data. But that doesn’t apply to Akira.
So this is not a way for Russia to “step up” against Sweden?
– I wouldn’t rule it out, but I haven’t seen anything to indicate that in this case. It looks more like a major ransomware attack of the kind that happens from time to time.
Russian President Vladimir Putin is not believed to be in control of the hacker group that attacked Sweden. Photo: Pavel Bednyakov / TT
Collapsed economy brings more hackers
And we can count on this weekend’s IT attack not being the last.
– If you look at statistics since 2019, the number of ransomware attacks has steadily increased. But the number of successful attacks has leveled off. This hopefully means that more companies have started to take cyber security seriously.
According to Mattias Wåhlén, the number of actors and groups that deal with ransomware is increasing.
– Probably it is connected to the collapsing Russian economy. There are fewer IT-savvy people in Russia who can make a living legally.
More are prepared
Is Sweden prepared for an increased number of IT attacks?
– More and more are prepared, but not all. The criminals are opportunists, you start with the companies that have the worst protection, says Wåhlén.
In Region Blekinge, the cybercriminals may have come across sensitive patient data. Photo: Johan Nilsson/TT
Among those affected by the attack is the Statens service center, which handles salary payments for 60,000 government employees.
In Region Blekinge, personal data about patients has been leaked, and Region Västerbotten has gone into staff mode after being hacked. A number of companies such as Filmstaden, Rusta, Granngården, Systembolaget and Stadium have also been affected.
MSB, the Norwegian Agency for Community Protection and Preparedness, told TT earlier today that they see this weekend’s event as a warning bell.
According to unit manager Margareta Palmqvist, Sweden has digitized quickly, but not as much time and resources have been invested in cyber security.
When Aftonbladet reaches MSB at 19:00 on Monday, they have no expert available to answer questions.