Cybercrime
,
Fraud Management & Cybercrime
,
Ransomware
Finnish IT Services Previews Days or Weeks of Disruption, Ties Attack to Akira
A ransomware attack that hit a data center run by Finnish IT software and services firm Tietoevry has led to widespread outages across Sweden. Healthcare, local and national government services, retail outlets and the country’s largest cinema chain are among the organizations experiencing ongoing disruptions.
See Also: OnDemand | Integrating Splunk and Panther for Real-Time Alerting and Custom Dashboarding
Publicly traded Tietoevry, based in Espoo, Finland, said the attack began late Friday night or early on Saturday, hitting one of its Swedish data centers and resulting in outages for multiple Swedish customers.
The company, which last reported annual revenue of $3.3 billion, has 24,000 employees and counts customers in over 90 countries.
Tietoevry first alerted Swedish customers to the attack on Saturday, saying it quickly isolated the infrastructure that the attacker accessed, thus containing the incident. The company apologized for the resulting outrages, and said it had deployed teams working around the clock to remediate the attack and bring systems back online.
“Currently, Tietoevry cannot say how long the restoration process as a whole will take – considering the nature of the incident and the number of customer-specific systems to be restored, the total timespan may extend over several days, even weeks,” the company said in a Monday update. “We are focused on resolving this as soon as technically possible, in close collaboration with the customers in question.”
“We sincerely apologize for the problems this malicious attack is causing for our customers and everyone that is impacted by this,” Venke Bordal, head of market in Sweden for Tietoevry Tech Services, said in a statement. “We have allocated all necessary resources to address this with full attention.”
Multiple Swedish organizations announced IT outages as a result of the ransomware attack, which also disrupted Tietoevry’s managed HR and payroll system, called Primula. The service is used by about three dozen government authorities, as well as numerous universities and colleges. Karolinska Institutet, Linnaeus University, Lund University of Technology, Swedish University of Agricultural Sciences and University West are among the institutions reporting payroll system or other outages as a result.
Officials in Uppsala County, located on the east-central coast of Sweden, launched crisis management plans following the region’s patient medical record system going offline, as well as some financial systems becoming unavailable, warning that the situation could deteriorate unless systems get restored quickly.
“There is no immediate risk to patients due to the IT disruption, but we are forced to use backup routines and manual handling in healthcare to a lesser extent. This means that administrative procedures can take a little longer than they usually do,” said Mikael Köhler, director of health and medical care in the Uppsala region, said in a statement on Sunday, according to a machine translation.
Köhler said officials are working to notify private healthcare providers in Uppsala about the outages as quickly as possible.
The municipalities of Bjuvs and Vellinge reported payroll system outages, with the latter saying library systems are also offline.
The outage has also affected Sweden’s national government service center, Statens. The organization said government salaries will still get paid for this month, because it already processed payroll data and routed payments to banks before the attack occurred.
On Monday, publicly traded air treatment and climate solution vendor Munters released its fourth quarter and full year 2023 results early. While the company planned to release the information on Feb. 1, due to the ransomware attack on Tietoevry, executives said they couldn’t ensure that the financial data “has remained confidential.” The company also said that its “financial consolidation system and a limited part of our business systems are affected by the ransomware attack.”
As a result of the outages, Sweden’s largest cinema chain, Filmstaden, said its movie theaters remain open, but tickets cannot currently be purchased in advance via its website or app. Agriculture and garden supplier GranngÃ¥rden, which is one of Sweden’s largest retailers, closed its more than 100 retail outlets as a result of the attack. “We hope the problem is resolved shortly,” the company told customers on Saturday, according to a machine translation.
Discount home and leisure product retailer Rusta, which has been able to keep its stores open, but said its website remains offline. Scandinavian industrial group Moelven, which is one of Scandinavia’s biggest wood processing companies, also reported disruptions.
The Tietoevry data center hit in the ransomware attack supports the company’s enterprise hosting of managed cloud services, including for Amazon Web Services, Microsoft Azure and Google Cloud Platform, Bleeping Computer reported.
Tietoevry Says Akira Behind Attack
Tietoevry on Monday said the Akira ransomware group is behind the attack.
The criminal group hasn’t listed Tietoevry on its data leak site – at least yet. Ransomware groups such as Akira that run data-leak sites list a subset of their victims who declined to pay a ransom, although typically only after the victim rebuffs multiple attempts by the attacker to get them to pay.
Akira, which launched in March 2023, has recently been tied to a spate of successful attacks against Finnish organizations. The National Cyber Security Center Finland said seven out of the eight attacks reported to it last month tied to Akira-wielding attackers who exploited Cisco Adaptive Security Appliance and Firepower Threat Defense devices.
In all of those cases, CERT-FI said the devices hadn’t yet been updated with a patch issued in September 2023 to fix a known security flaw. In addition, the devices weren’t being protected with multifactor authentication, which the security flaw couldn’t bypass.
Tietoevry declined to comment on Akira’s attack vector or any ransom demand it might have received.