Ransomware Hit on Tietoevry Causes IT Outages Across Sweden

Finnish IT Services Previews Days or Weeks of Disruption, Ties Attack to Akira
Tietoevry's headquarters in Espoo, Finland (Image: Tietoevry)

A ransomware attack that hit a data center run by Finnish IT software and services firm Tietoevry has led to widespread outages across Sweden. Healthcare, local and national government services, retail outlets and the country's largest cinema chain are among the organizations experiencing ongoing disruptions.

Publicly traded Tietoevry, based in Espoo, Finland, said the attack began late Friday night or early on Saturday, hitting one of its Swedish data centers and resulting in outages for multiple Swedish customers.

The company, which last reported annual revenue of $3.3 billion, has 24,000 employees and counts customers in over 90 countries.

Tietoevry first alerted Swedish customers to the attack on Saturday, saying it had quickly isolated the infrastructure that the attacker accessed, thus containing the incident. The company apologized for the resulting outages and said it had deployed teams working around the clock to remediate the attack and bring systems back online.

"Currently, Tietoevry cannot say how long the restoration process as a whole will take - considering the nature of the incident and the number of customer-specific systems to be restored, the total timespan may extend over several days, even weeks," the company said in a Monday update. "We are focused on resolving this as soon as technically possible, in close collaboration with the customers in question."

"We sincerely apologize for the problems this malicious attack is causing for our customers and everyone that is impacted by this," Venke Bordal, head of market in Sweden for Tietoevry Tech Services, said in a statement. "We have allocated all necessary resources to address this with full attention."

Multiple Swedish organizations announced IT outages as a result of the ransomware attack, which also disrupted Tietoevry's managed HR and payroll system, called Primula. The service is used by about three dozen government authorities, as well as numerous universities and colleges. Karolinska Institutet, Linnaeus University, Lund University of Technology, Swedish University of Agricultural Sciences and University West are among the institutions reporting payroll system or other outages as a result.

Officials in Uppsala County, located on the east-central coast of Sweden, launched crisis management plans after the region's patient medical record system went offline and some financial systems became unavailable, warning that the situation could deteriorate unless the systems are restored quickly.

"There is no immediate risk to patients due to the IT disruption, but we are forced to use backup routines and manual handling in healthcare to a lesser extent. This means that administrative procedures can take a little longer than they usually do," Mikael Köhler, director of health and medical care in the Uppsala region, said in a statement on Sunday, according to a machine translation.

Köhler said officials are working to notify private healthcare providers in Uppsala about the outages as quickly as possible.

The municipalities of Bjuvs and Vellinge reported payroll system outages, and Vellinge said library systems are also offline.

The outage has also affected Sweden's national government service center, Statens. The organization said government salaries will still be paid for this month, because it had already processed payroll data and routed payments to banks before the attack occurred.

On Monday, publicly traded air treatment and climate solution vendor Munters released its fourth quarter and full year 2023 results early. While the company planned to release the information on Feb. 1, due to the ransomware attack on Tietoevry, executives said they couldn't ensure that the financial data "has remained confidential." The company also said that its "financial consolidation system and a limited part of our business systems are affected by the ransomware attack."

As a result of the outages, Sweden's largest cinema chain, Filmstaden, said its movie theaters remain open, but tickets cannot currently be purchased in advance via its website or app. Agriculture and garden supplier Granngården, which is one of Sweden's largest retailers, closed its more than 100 retail outlets as a result of the attack. "We hope the problem is resolved shortly," the company told customers on Saturday, according to a machine translation.

Discount home and leisure product retailer Rusta has been able to keep its stores open but said its website remains offline. Scandinavian industrial group Moelven, which is one of Scandinavia's biggest wood processing companies, also reported disruptions.

The Tietoevry data center hit in the ransomware attack supports the company's enterprise hosting of managed cloud services, including for Amazon Web Services, Microsoft Azure and Google Cloud Platform, Bleeping Computer reported.

Tietoevry Says Akira Is Behind Attack

Tietoevry on Monday said the Akira ransomware group is behind the attack.

The criminal group hasn't listed Tietoevry on its data leak site - at least yet. Ransomware groups such as Akira that run data leak sites list a subset of their victims who declined to pay a ransom, although typically only after the victim rebuffs multiple attempts by the attacker to get them to pay.

Akira, which launched in March 2023, has recently been tied to a spate of successful attacks against Finnish organizations. The National Cyber Security Center Finland said 7 in 8 attacks reported to it last month had been tied to Akira-wielding attackers who exploited Cisco Adaptive Security Appliance and Firepower Threat Defense devices.

In all of those cases, CERT-FI said, the devices hadn't yet been updated with a patch issued in September 2023 to fix a known security flaw. In addition, the devices weren't being protected with multifactor authentication, which the security flaw couldn't bypass.

Tietoevry declined to comment on Akira's attack vector or any ransom demand it might have received.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
