Finland’s security agencies collaborate after cyber attacks

National Bureau of Investigations and National Cyber Security Centre aim to increase expertise and capability to defend Finland’s critical IT infrastructure

Finland’s National Bureau of Investigations (NBI) has joined forces with the National Cyber Security Centre (NCSC) to investigate a series of significant cyber attacks against state-run public services websites in the country in August.

The most serious targeted attacks left the national police service and other public websites inaccessible to users.

The NBI and the NCSC now plan to work more closely with public and private organisations to increase expertise and capability to better defend Finland’s critical IT infrastructure against cyber attacks.

Hackers launched a sustained denial-of-service (DoS) assault on a number of popular public websites on 21 August that caused serious disruption to server functionality, connectivity and public services.

The DoS strike was the latest hostile cyber assault by hackers targeting high-profile public services websites in Finland. Previously, hackers had launched attacks against the City of Lahti’s municipal computer system and the IT system managing the official online results for the Finnish parliamentary elections in April.

The latest attack targeted the public service websites operated by Finnish police organisation Poliisi; the central tax administration bureau, Vero; the Finnish population register centre; the government’s online information portal, Suomi.fi; the social insurance institution, Kela; and the website of the Finnish Border Guard.

“This was a significant disruptive event,” said Juha Tretjakov, an IT security adviser at the ministry of transport and communications. “The first signs of disturbance were noticed late in the day on 21 August. For the most part, the organisations attacked were all able to restore a normal service the following day. There were some lingering problems with Kela’s e-services log-in, but outstanding issues were quickly resolved.”

The NBI is investigating a possible link between the DoS attack and the visit by Russian president Vladimir Putin to Helsinki on the same day. Putin had travelled to the capital for bilateral talks with his Finnish counterpart, Sauli Niinistö.

Finland’s national security authorities have observed a visible increase in DoS and other malicious cyber activity during the second and third quarters of 2019. On 11 June, hackers launched a cyber strike against the City of Lahti, triggering widespread disruption to public services in Finland’s sixth-largest city.

The malware-led attack on Lahti compromised more than 1,000 workstations across the city’s IT network. The malware was initially discovered on a single machine, which was immediately isolated and disconnected from the network to limit the threat of wider virus infection. The city’s ICT services department immediately ran system-wide anti-virus software checks to prevent further contamination.

The NBI, whose investigations are continuing, has described the cyber attack and data breach in Lahti as an “organised, rather than random” event. It said about 1,000 workstations were compromised, but not fully penetrated in the attack. The investigation has not yet identified the origin of the attack.

“Although we cannot comment on the precise method of attack for operational reasons, we can state that we are dealing with a deliberate attack against the IT system as a whole, rather than a single workstation in the City of Lahti’s computer network,” said Marko Leponen, investigation case officer at the NBI cyber crime centre.

Motivating IT security departments to report cyber threat events and intrusions in real time has emerged as a high priority in the NBI-NCSC’s elevated collaboration with private and public organisations in Finland.

“Early notification of cyber attacks helps our ability to investigate these events more effectively,” said Leponen. “It is important that organisations engage with us at the earliest time, as this action will enable national cyber security agencies to limit damage and ensure accelerated progress in our investigations and the gathering of evidence.”

The malware attack on Lahti also endangered IT networks connecting the city’s IT system to municipal IT networks in the southern Finland region of Päijät-Häme, in which Lahti is the largest population centre.

As a precaution, Lahti disconnected Päijät-Häme from the affected loop once the malware threat had been identified. The interconnectivity between Lahti and Päijät-Häme was reinforced in 2017 when health and social care services came under the Päijät-Häme Joint Authority for Healthcare.

The attacks in August and June were preceded in April by an audacious DoS cyber strike against the Finnish government’s official online election results service. The attack was launched after the parliamentary elections and had no impact on the counting of votes. Also, the online election results service uses a different platform from Finland’s vote casting or counting system.

The NBI is investigating the DoS attack as aggravated interference with a government communications system, said Leponen.

“Cyber security agencies and authorities are well prepared for cyber attacks and crimes such as this that are linked to elections,” he said. “Attacks against public services in general are relatively common. Services that are high profile and have a strong media and public focus make particularly appealing targets for hackers.”

‘Short and low-volume attack’

The Ministry of Justice (MoJ), which oversees Finland’s online election results service, carried on the vaalit.fi platform, has described the DoS event as a “short and low-volume attack” that resulted in intermittent disruptions to normal service. The online data resource is mainly used by Finland’s urban, provincial and broadcast media as part of their election analysis.

The MoJ’s ICT security unit reported the DoS event in April in real time to both the NBI and the NCSC. The NCSC’s cyber security centre is tasked with actively monitoring cyber security threats and alerting public and private organisations to new and predicted risks.

Finland, which holds the rotating presidency of the European Union (EU) until the end of this year, plans to push for stronger measures to tackle the growing range and sophistication of hybrid threats that put all EU member states at risk.  

“We are proposing to hold a number of practical exercises during Finland’s presidency of the EU,” said Pekka Haavisto, Finland’s foreign minister. “This will involve running threat simulation programmes in cooperation with the finance and interior ministers and relevant ministries in the various EU countries.”

The threat simulation programmes envisaged by Finland would include the full range of malicious hybrid threats that are routinely faced by EU countries. The programme will cover cyber data theft, attacks against critical IT systems and joint strategies to deal with the spread of disinformation, or fake news, over social media networks.   

Haavisto added: “The EU and member countries need to bolster their capacities to prevent and respond to cyber security threats. This is needed now more than ever. Military and civilian authorities can only be expected to deliver in times of crisis what they have been trained to do. More collaboration is fundamental to combating existing and future threats.”
