Akira ransomware attack on Tietoevry disrupted the services of many Swedish organizations

Pierluigi Paganini January 24, 2024

A ransomware attack against the Finnish IT services provider Tietoevry disrupted the services of some Swedish government agencies and shops.

The online services of multiple Swedish government agencies, universities, and commercial activities were disrupted by an Akira ransomware attack that hit the Finnish IT services and enterprise cloud hosting Tietoevry.

Tietoevry is a Finnish multinational information technology (IT) and consulting company that provides managed services and cloud hosting for the enterprise.

The company said that the ransomware attack took place on Friday night and impacted only one data center in Sweden. The company immediately launched an investigation into the incident and is working to restore its services. Tietoevry notified law enforcement and impacted customers. Impacted customers include Sweden’s largest cinema chain Filmstaden (the attack disrupted its online ticket system) and the discount retail chain Rusta.

“The attack was limited to one part of one of our Swedish datacenters, impacting Tietoevry’s services to some of our customers in Sweden. Tietoevry immediately isolated the affected platform, and the ransomware attack has not affected other parts of the company’s infrastructure. Tietoevry has taken highest level of action to investigate, mitigate and resolve the situation.” reads a press release published by the company. “A large team of experts are working on several tracks in parallel around the clock on this. We have notified the directly affected customers and are in dialogue with them for updates on the situation.”

BleepingComputer first reported that the security breach was the result of an Akira ransomware attack.

The company later confirmed the news of an Akira ransomware attack.

“The malicious attack based on Akira ransomware on one of our datacenters in Sweden took place during the night of January 19-20. Tietoevry takes the situation very seriously and has an extensive team of experts and technicians working around the clock to minimize the impact and restore services.” reads an update published by the services provider.

The attack impacted the company’s managed Payroll and HR system named Primula, which is used by Sweden government agencies, including the centralized human resources system used by Sweden’s national government service center (Statens Servicecenter).

At present, Tietoevry cannot provide a definite timeframe for the complete restoration process due to the complexity of the security breach. The overall duration may span several days, possibly weeks.

“Currently, Tietoevry cannot say how long the restoration process as a whole will take – considering the nature of the incident and the number of customer-specific systems to be restored, the total timespan may extend over several days, even weeks. We are focused on resolving this as soon as technically possible, in close collaboration with the customers in question.” concludes the update.

The company did not disclose details about the attack, it is unclear if threat actors also stolen data from its systems.

In January 2024, the Finish National Cybersecurity Center (NCSC-FI) reported an increase in Akira ransomware attacks, targeting organizations in the country. Threat actors are wiping NAS and backup devices.

Akira ransomware infections were first reported in Finland in June 2023, however, in December the number of attacks increased. According to the NCSC-FI, six out of seven infections were caused by Akira family malware.

The ransomware attack reported in late 2023, targeted organizations’ networks using poorly secured VPN gateway on Cisco ASA or FTD devices. The attackers exploited the vulnerability CVE-2023-20269 in Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD). An unauthenticated, remote attacker can exploit the vulnerability to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.

The Akira ransomware has been active since March 2023, the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Akira ransomware attack)

you might also like

leave a comment