A dozen high-profile Swedish companies have had backdoor malware installed in their IT environments in an extensive hack attack described as one of the largest in the country's history.
The attack is believed to have been ongoing since March this year and had gone undetected. The victims allegedly received the malicious code along with a software update. After that, the hackers selected the authorities and companies they found especially interesting and built so-called 'backdoors' into their systems in order to steal data and monitor their e-mails, national broadcaster SVT reported.
The Swedish Civil Contingencies Agency (MSB) called the attack “very serious” and urged Swedish companies that have used SolarWinds' Orion platform, the same one used by the US authorities targeted in the same attack, to act “immediately” and remove the malicious code.
“In theory, the hackers have been able to gain access to classified information, if there was such data in the IT environments they entered,” MSB cybersecurity expert Peter Jonegård told SVT.
One of the affected companies was the Swedish Space Company (SSC), which handles extremely sensitive satellite data. Esrange, one of the world's largest satellite ground stations, located near the city of Kiruna, receives and stores data from satellites in space. According to the Swedish Defence Research Agency (FOI), the satellite images can be used to observe nuclear missiles or naval bases.
So far, it hasn't been possible to see whether data has been stolen, according to SSC head of strategic security Stefan Gustafsson.
“This is a very advanced attack. It is unlike anything we have seen before and we hope that our measures and the strong cooperation that exists between our expert authorities and other actors around the world will give a sufficient result, so that this does not have to have a negative impact,” Gustafsson told SVT.
While some accusations in the press have so far been directed at the Russian hacker group APT29, some cyber security experts warned that the attack may in fact be a deliberate imitation.
“There are certain things that have similarities with them. But what has happened recently in the area of cyber security, what is usually called 'false flagging' is that these groups use each other's methods and each other's products and systems,” cyber security expert Jonas Lejon explained.
Russia has sternly rejected any role in the cyberattack. Addressing similar accusations from the US, Kremlin spokesperson Dmitry Peskov commented on the matter on Monday, calling any accusations of Russia's involvement “absolutely unfounded” and “a continuation of the kind of blind Russophobia that is resorted to following any incident”.