After a lull, #OpSweden began trending on Twitter last week as ATP-backed cyber attacks on Sweden swelled. The latest in the list of the so-called hacktivist groups to execute cyber attacks on Sweden is the GANOSEC TEAM.
This Indonesian hacker group has claimed responsibility for targeting the website of Kristianstad University in Sweden.
A few hours before this came to light, Team R70, comprised of Yemeni hackers, posted on Telegram that they have targeted Sweden’s prominent taxi service provider Taxipriser.
This latest attack comes as part of the group’s ongoing campaign against the Scandinavian nation.
It all started on June 28 when Swedish police issued a protest permit to an individual near the main mosque in central Stockholm, where the Qur’an burning incident took place.
The permit was granted following court appeals by the individual, who had previously been denied permission to burn the Qur’an outside Iraq’s embassy in the Swedish capital, reported Bloomberg.
It was the first such event since a similar incident in January strained negotiations between Sweden and Turkey regarding the Nordic country’s NATO membership.
The previous Danish-Swedish far-right extremist’s act sparked outrage in Muslim countries and led to Turkey’s refusal to support Sweden’s NATO bid.
Pro-Russian hacker group NoName057(16), popularly known as NoName, was among the first to respond, issuing a warning about cyber attack on Sweden.
“Swedish police allowed to burn the Koran in Stockholm on the first day of Eid al-Adha, we read in the news,” said the threat group’s Telegram post on June 28.
“Considering that the Swedish authorities also help Ukrainian terrorists, we could not pass by and killed the website of the financial supervision of Sweden.”
What followed was a spike in cyber attacks on Sweden; an avalanche of DDoS attacks on Swedish websites, claimed by seemingly disrelated cybercriminal gangs, some known, some newbies.
However, unlike the results of the previous Islamophobic incident and the cyber attacks on Sweden that followed, the drama has unfolded differently this time.
Act 1: Cyber attacks on Sweden and the repercussion
NoName took down the websites of the Swedish Ministry of Finance and railway carrier SJ AB on 28 June.
In the days that followed, several known and unknown hacker groups including AnonymousSudan, 1919 Team, Islamic Hacker Army, Host Kill Crew, US NEXUS HACKER, Mysterious Team Bangladesh, KEP TEAM, UserSec collective, Team Heroxr, Electronic Tigers Unit, Team R70, GANOSEC TEAM, and Türk Hack Team executed DDoS attacks on several Swedish websites.
Almost all of them posted threat notes on June 29 about their impending cyber attack on Sweden.
Websites that faced DDoS attacks in the days that followed included the Swedish Parliament, the Swedish National Data Service (SND), Uppsala University Hospital, and several other private organizations.
While cyber attacks on Sweden peaked on one side, diplomatic pressure from Muslim-majority countries mounted on Sweden, forcing the Swedish government to condemn the Islamophobic act.
The Organization of Islamic Cooperation (OIC), based in Saudi Arabia, called for collective measures to prevent future incidents of Qur’an burnings. The OIC, comprising 57 member states, convened at its Jeddah headquarters to address the incident.
The repercussions of the Qur’an burnings have extended beyond Sweden, as several countries, including Iraq, Kuwait, the United Arab Emirates, and Morocco, have summoned Swedish ambassadors in protest.
Although Swedish police granted the permit based on free speech protections, they have initiated an investigation into potential agitation against an ethnic group, given the proximity of the burning to the mosque, reported The Guardian.
Despite attempts to ban the protest due to security concerns, an appeals court in June ruled in favor of allowing it, considering Quran burnings as religious criticism rather than incitement to hatred, AFP reported.
This nuanced response has left Swedish authorities grappling with public sentiment and the ongoing debate over freedom of speech versus religious sensitivity.
Adding fuel to fire was the targeted DDoS attacks on Swedish facilities seemingly handpicked to create maximum inconvenience for citizens.
Coincidentally, many of the hacker groups that disclosed their cyber attacks on Sweden claim to be based in several of the OIC countries. However, peel away the apparent retaliation from the Islamic world, and another geopolitical campaign comes to play.
Act 2: Swedish NATO membership and cyber attacks on Sweden
Cyber attacks on Sweden following the latest Islamophobic incident during Eid al-Adha in Stockholm raised concerns about the approval of Swedish NATO membership.
The latest incident has made obtaining parliamentary approval from Turkey and Hungary before the upcoming NATO summit significantly harder.
However, negotiations at NATO headquarters have not been cancelled. The Cyber Express analysis of the situation shows a key reason: Turkey and Hungary have recognized the effect of possible external manipulations in the situation. All fingers point to Russia.
Former Turkish ambassador to Sweden, Selim Kuneralp, suggested that Turkish President Recep Tayyip Erdoğan’s negative but restrained response to the Quran-burning incident reflects a shift in his thinking, reported DW.
According to Kuneralp, Erdogan is reconsidering his relationship with Russian President Vladimir Putin after recent challenges to Putin’s leadership.
In addition to Turkey’s block, Hungary’s ratification of Sweden’s NATO bid is pending. Hungarian Prime Minister Viktor Orban has assured Sweden’s Prime Minister Ulf Kristersson that the ratification process will not be delayed, but parliamentary decision is not expected until the fall.
Erdogan’s refusal to let the incident impact relations with Sweden may indicate his recognition of external manipulation potentially by Moscow, as evident from the previous DDoS attack campaigns.
Act 3: Islamophobia, a flashback
The previous Quran-burning incident took place on January 25, 2023, during a protest organized by controversial far-right journalist Rasmus Paludan, a dual Danish-Swedish national with a history of carrying out similar acts.
Pauldan received financial support from Chang Frick, a Russian citizen and journalist with links to the Kremlin, reported The Guardian.
According to The Guardian’s report, Paludan not only provided monetary assistance to the far-right group but also has close connections to several individuals associated with the Russian government.
As if on cue, Anonymous Sudan and a slew of cybercriminal groups jumped in with their pro-Islam rhetoric, launching cyber attacks on Sweden.
Turkey was livid, increasing the possibility that the country would veto Sweden’s NATO entry.
In response to the alarming revelations, the Swedish security service, Säpo, has launched an investigation into the matter.
In a bid to make the most of the latest event, Russian President Vladimir emphasized that such Islamophobic actions are considered criminal in Russia and stated that his country would not tolerate any form of religious disrespect.
His response was widely circulated on Twitter, amidst growing anger and warnings from Muslim nations directed towards Sweden.
Tensions between Russia and NATO have been strained in recent years, particularly following the 2014 annexation of Crimea. Moscow has explicitly expressed its displeasure on the possibility of Sweden and Finland officially joining NATO.
Apart from the possible threat of NATO gaining military might, the 1,340 km international border between Finland and Russia that runs approximately north to south is a concern for Russia.
“Sweden’s partnership with NATO was historically based on its policy of military non-alignment, which changed following Russia’s full-scale invasion of Ukraine in February 2022,” said a NATO statement on ties with Sweden.
“Since 5 July 2022, Sweden has been an official NATO Invitee, attending meetings and coordinating activities with the Allies. It will become a NATO Ally once all Allies have ratified its Accession Protocol.”
While the diplomatic tensions are being eased, cyber attacks on Sweden continue.
Epilogue: DDoS attacks and geopolitical campaigns
Nation-state cyber attackers, backed by governments, employ advanced tactics to achieve their geopolitical goals.
These highly skilled and well-funded actors utilize a range of techniques, including Distributed Denial of Service (DDoS) attacks, to disrupt, damage, manipulate, and intimidate their targets.
“An estimated 90% of Advanced Persistent Threat Groups (APTs) Groups regularly attack organizations outside of the government or critical infrastructure sectors,” said a report on nation-state attackers by Graphus AI.
“Russian nation-state actors are increasingly effective, jumping from a 21% successful compromise rate in 2020 to a 32% rate in 2021.”
In the realm of geopolitics, DDoS attacks play a crucial role in perception management and information warfare.
“Since late 2022, we have noticed a series of hacktivist campaigns against Western targets led by pro-Russian groups with names like ‘Killnet’,” ,” said the Cloudflare DDoS Trends Report.
“Based on our observations, these groups are loosely organized gangs of hackers using Telegram channels and they do not employ any sophisticated techniques or tools. More recently, we have seen groups like AnonymousSudan join these efforts.”
Selectively targeting websites, online platforms, or communication channels allows attackers to disrupt the flow of information, suppress freedom of speech, and manipulate public opinion.
By disrupting critical infrastructure or online services, attackers convey a strong message, showcasing their capabilities and potentially deterring future actions against them. These attacks serve as a warning to rival nations or organizations.
These attacks, timed during critical events like elections or protests, shape narratives, create confusion, and undermine coordination among targeted groups.
“Finland saw a triple-digit increase in DDoS attacks after announcing it would apply for NATO membership, while Taiwan and Belize experienced much greater DDoS attack volumes on the days in which public statements were made in support of Ukraine,” Netscout reported in December 2022.
DDoS attacks enable cyber attackers to cause significant disruption and damage to targeted systems or networks.
By overwhelming resources with a massive volume of malicious traffic, the attackers render the system unavailable to legitimate users. This disruption impacts critical services, hinders communications, and inflicts financial and reputational losses on the targeted entities.
DDoS attacks serve as effective smokescreens, diverting attention and resources while facilitating other covert cyber operations, said a Netscout report.
By overwhelming target defenses, the attackers create chaos, making it harder for defenders to detect and respond to simultaneous attacks or infiltration attempts. This diversion allows attackers to gain an advantage in their information warfare campaigns.
DDoS attacks provide valuable insights for nation-states to assess their own defenses and those of their adversaries.
Conducting controlled DDoS attacks allows them to test target entities’ response capabilities, identify vulnerabilities, and gather intelligence on defensive measures and mitigation techniques employed by their adversaries.
This information empowers attackers to refine their strategies and strengthen their offensive capabilities.