Nordics move to deepen cyber security cooperation

Nordic countries are increasing collaboration on cyber security amid more sophisticated and aggressive attacks

National police forces across the Nordic states have identified deeper inter-agency collaboration as key to dealing with the sharp rise in cyber attacks against critical public and private IT infrastructure.

The latest spate of attacks, including the prolonged distributed denial of service (DDoS) strikes against banks, has heightened Nordic concerns over the ability of government departments and companies to withstand the growing sophistication and aggression of attacks.

Alarm has been stirred by the recent cluster of DDoS strikes against banks, and in particular the sustained series of cyber attacks directed at Nordea. It has motivated financial sector groups to pursue changes to labour practices that would preclude IT professionals from taking part in strike actions should their cyber security expertise be needed to counter real-time threats targeting their employers’ IT networks.

Nordic countries must work more diligently to strengthen their cross-border cooperation to combat cyber threats and linked digital online fraud, said Paul Lønseth, director at Økokrim, Norway’s central agency for the investigation and prosecution of economic crime.  

“The number and scale of reported digital online fraud in the Nordic countries is very high and rising. Because we are battling fraudsters using new and more advanced technology, there’s an urgent need for joint and coordinated efforts to meet this threat. Digital fraud is a global, not a national problem. The Nordic countries are adjacent and relatively similar. We have agreed to address our vulnerabilities together,” said Lønseth.

Preliminary investigations conducted by Nordea and its external IT cyber security partners suggest that bad actors may have hijacked internet-connected household appliances, such as smart refrigerators and washing machines, to create bot networks in the DDoS server-overload attacks launched against the bank.  

The Nordic region, as a “community of neighbouring states”, needs to develop common network security solutions that offer enhanced protection to shield IT networks against data capture from the cyber sphere, said Frank Vang-Jensen, Nordea’s CEO.

“We need to see a united Nordic defence front against cyber threats. We are in dialogue with national authorities across the region. The primary focus is how we can best collaborate to fight cyber crime together,” said Vang-Jensen.

A joint Nordic fraud risk report released in September documented 260,000 separate cases of digital fraud reported to police agencies. Collated by national police forces, the Nordic threat assessment on online fraud (2024) report estimated the monetary value of digital fraud across the Nordic states, based on reported data, at close to €1bn in 2023.

The DDoS attacks against Nordea in September and October were “powerful, relentless and unprecedented”, said Sara Mella, Nordea’s head of personal banking.

“Our IT security network defences had to deal with attacks that were generating up to 15 million service requests per second. The duration and scope of the attacks suggest the perpetrators had access to considerable resources. The prolongation of the attacks was completely different to what we had experienced before,” said Mella.

Nordea, which is the largest of the Nordic banks, recorded 20 DDoS attacks during the first half of 2024. This number was dwarfed by the 360 separate attacks against the bank’s Nordic-wide online websites and IT networks during an intense four-week period that commenced on 13 September and had abated by 17 October.

Nordic IP addresses were leveraged in the serial attacks, indicating that the cyber perpetrators managed to hijack household appliances to create a bot network, with home owners unaware their internet-connected devices were being used to conduct serious cyber crimes, said Mella.  

“It’s likely that the hackers used internet-connected smart kitchen appliances like washing machines and refrigerators to create botnets and launch server overload attacks against Nordea. We managed to stop 90% of the attacks. Our interpretation is that the cyber attackers singled out Nordea and used the bank as a tool to target critical societal infrastructure,” said Mella.

The unremitting flooding of Nordea’s servers with large amounts of traffic caused serious disruptions to the bank’s websites and online customer platforms, rendering services inaccessible at the point of log-in, said Nordea’s chief security officer, Marc Hofmann.

“We have strong defences that are continuously being strengthened to deal with threats as the bad actors get more sophisticated. Although improved defence apparatus helps reduce the impact from the attacks, the downside can be slower delivery or unavailable services for customers, which is unfortunate,” Hofmann added.

The elevated threat posed by cyber attacks to Nordic banks has prompted a robust response from Finanssiala, the central organisation for banks and insurance houses in Finland. Finanssiala is looking to impose limits on the right to strike in instances where IT professionals are needed by their employers to defend against real-time cyber threats, such as DDoS and data capture.  

It plans to submit its “limited right to strike” proposal to unions during the upcoming collective bargaining talks with financial sector employer organisations. Finanssiala wants unions to agree to a “crisis exception” as part of a new labour agreement. If accepted by unions, the adoption of a “crisis exception” would mean bank IT technical staff would work through official strike actions in the event of cyber security emergencies and attacks.

Finland’s Ministry of Employment and the Economy (MEE) is currently preparing a bill to deal with so-called protective work. The MEE intends to present a Protective Work Bill to the Eduskunta, Finland’s parliament, by 22 December. The bill will specify what types of work tasks, deemed critical to national security, could be excluded from right to strike practices under the country’s existing labour laws.

“Our aim is to ensure that so-called critical functions are excluded from the legal right to conduct industrial action. It is important that financial services providers can rely on having their IT experts in place when faced with cyber attacks. Having the guarantee that IT personnel remain to investigate and resolve cyber-led attacks does not exist under current labour laws. We need a change in the law,” said Arno Ahosniemi, Finanssiala’s CEO.

Cyber attacks against Finnish and Nordic banking groups may represent a darker form of hybrid warfare by Russia to undermine political and economic stability in the Nordic and Baltic Sea regions, said Ahosniemi.

Banks in Finland and Sweden have been increasingly targeted by hackers since Russia’s invasion of Ukraine in February 2022. The frequency of DDoS attacks against banks intensified after Finland joined the North Atlantic Treaty Organisation (Nato) in May 2022. Sweden joined Nato in March 2024.

The National Bureau of Investigation (Keskusrikospoliisi), the Finnish law enforcement agency tasked with investigating cyber attacks and related crimes, has been quick to dispel reports directly linking the recent wave of cyber attacks against Nordea and other Nordic organisations to Russia.

“Investigations of this nature generally involve cooperation with various authorities in Finland and abroad. Our inquiries are ongoing. We are not in a position to make determinations on potential suspects at this time,” said Markus Saario, a lead Keskusrikospoliisi investigator.
