Swedish state-owned power grid operator **Svenska kraftnät** confirmed on Monday that it had fallen victim to a cyberattack resulting in a **data breach**. The company discovered the incident on Saturday, identifying the point of compromise as an isolated, external file transfer solution. The utility's Chief Information Security Officer, Cem Göcören, was quick to reassure the public, confirming that the country’s electricity supply and the core power grid remain completely unaffected by the security lapse.
The data breach disclosure quickly followed the **Everest ransomware group** adding Svenska kraftnät to its dark web leak site, which essentially confirms the group’s responsibility for the attack. Everest claims to have successfully exfiltrated approximately 280 gigabytes of data from the power grid operator. The group is now threatening to leak this stolen information online unless the public utility agrees to its extortion demands, although the exact nature of the exfiltrated data has yet to be clarified.
Since discovering the intrusion, Svenska kraftnät has been working intensely to understand the full scope and impact of the attack. The CISO, Cem Göcören, stressed that no critical systems were impacted beyond the initial external solution. Given the sensitive nature of the event and the ongoing internal investigation, the company has reported the incident to relevant authorities but currently will not share additional details regarding the breach or the specific threat actor responsible.
Svenska kraftnät plays a vital role in Sweden’s infrastructure, owning and managing approximately 17,500 km of power lines across the country. Established in 1992 and headquartered near Stockholm, the utility also holds a significant stake in the pan-European power exchange, Nord Pool. This makes the company a high-profile and critically important target for cybercriminals seeking to disrupt essential services or engage in large-scale data extortion.
The **Everest ransomware group** has been active since December 2020, initially engaging in traditional double extortion tactics but more recently focusing on sophisticated data exfiltration and pure extortion schemes. The group has rapidly established itself as a credible threat actor, evidenced by its recent high-profile claim of responsibility for the Collins Aerospace hack that reportedly disrupted major European airports.