12 Apr 2016

Sweden issued cyber attack alert as its air traffic reeled

With much of Sweden’s air traffic crippled on 4 Nov. 2015, authorities in the Scandinavian country notified NATO of a serious, ongoing cyber attack by a hacker group linked to Russian intelligence. 

Officially, the Swedish Civil Aviation Administration blamed a solar storm for knocking out air traffic control systems in much of Sweden on 4 November.


Urgent warning
But sources tell aldrimer.no that Swedish authorities at the same time sent urgent messages to NATO saying Sweden, which is not a member of the alliance, was under a serious cyber attack. Two separate warnings are thought to have been issued, then relayed to several NATO allies, including Norway and Denmark. The information provided by Sweden indicated that the Swedes believed the cyber attack was led by a so-called APT group (Advanced Persistent Threat) which previously has been linked to the Russian military intelligence service GRU.
“The message was passed on to NATO either by Sweden’s National Defence Radio Establishment (Försvarets radioanstalt, FRA) or the Swedish Military Intelligence and Security Service (Militära underrättelse- och säkerhetstjänsten, MUST),” a senior NATO source said on the condition of anonymity.

Declined comment
FRA, MUST and NATO all declined comment when contacted by aldrimer.no.

“We cooperate with a number of countries and organizations, but we don’t comment in the news media about the information we share,” Swedish Armed Forces press officer Philip Simon said by email to aldrimer.no.
FRA spokesman Fredrik Wallin simply said, “We cannot comment on this type of information.” When asked if such attacks are a growing problem, he responded, “Yes, you could say that.”
“We have checked with our experts and we cannot substantiate the information in your query,” said NATO spokesman Matthias Eichenlaub by email.
Swedish power company
In the first notification Swedish authorities are believed to have sent NATO, the state-owned power company Vattenfall was identified as one of several possible targets. One of Europe’s largest energy producers, Vattenfall owns and operates several nuclear power plants in Sweden and Germany.
Blank screens
The Swedish Civil Aviation Administration’s computer problems on 4 November made it impossible for air traffic controllers to see the aircraft on their screens. Air traffic to and from the Arlanda, Landvetter and Bromma airports in Sweden was affected, and many domestic and international flights were cancelled.
At 5:11 p.m. on 4 November, the Swedish Civil Aviation Administration (known as LFV in Sweden) posted the following on its website:
“This afternoon, aircraft flying over Sweden were affected by a solar storm phenomenon. This can cause disruptions of the earth’s magnetic field. As a result there were disruptions to LFV radar facilities in Sweden, since solar storms can degrade air traffic controllers’ ability to direct traffic in the air.”
Continuing investigation
After the incident, the LFV said it would launch an investigation, with results expected within four months. However, more than five months after the event, no official conclusions had been released by the agency.
“Our investigation is not finished but is well into the final stage. The only reason for the delay is that it took longer to collect and analyse data than we first thought,” wrote LFV’s press officer Per Fröberg in an email.
The agency has so far not responded to aldrimer.no’s request for comment on reports that a cyber attack may have been the real cause of the air traffic control computer problems.
Moderate solar storm warning
There were indeed warnings of an impending solar storm in the period around the air traffic control collapse.
Aldrimer.no checked with the Space Weather Prediction Center in Boulder, Colorado, USA and found that a warning had been issued for 2-3 November, with solar activity on 4 November expected to be moderate and declining.
A post on the centre’s website, updated on 4 November 2015, said that “the G3 (Strong) geomagnetic storm watch issued for 02 November has been extended to include 03 November. A G2 (Moderate) watch has been issued for 04 November.”
Radar stations
In a statement posted by Sweden’s LFV on 6 November 2015, the aviation administration claimed that the solar storm also had a negative impact on radar stations in Norway and Estonia.
“In retrospect, we have been able to determine that the effect was strongest in southern Sweden. We also note that different types of radar stations were affected in different ways. Wednesday’s radar interference was the third in 16 years. In 1999 and 2003 there was a similar type of disturbance without the same impact on air traffic,” the statement said.
Electronic warfare
At the time Sweden is believed to have issued a cyber attack warning, NATO reportedly detected Russian electronic warfare activity in the Baltic Sea region. Sources tell aldrimer.no that the activity included jamming of air traffic communication channels. The signals were reportedly traced to a large and fairly new radio tower located in the Russian enclave of Kaliningrad, south of Lithuania.
When aldrimer.no contacted national Computer Emergency Response Team (CERT) centres in Norway, Denmark, Finland, Estonia, Latvia and Lithuania about the possible cyber attack, they all declined to comment. Some centres failed to respond to queries, while others replied that they would not comment on specific cases as a matter of principle.

aldrimer