Analysis of the hacker attack on Svenska Kraftnät
- Kehinde Soetan

- Oct 28
Updated: Oct 29

Like many major cyberattacks that have shaken the world in the past, the global community was confronted with yet another incident on Saturday, October 25, 2025 — this time targeting Svenska kraftnät. Svenska kraftnät is the authority responsible for ensuring that Sweden's transmission system for electricity is safe, environmentally sound and cost-effective - today and in the future.
At the time of writing, not much is known about the exact content of the data stolen by the group. As with other threat actors of this kind, a demand for ransom payment seems to be the order of the day.
It is important to recognise that these types of threats are unlikely to disappear, and the world can expect to face even more as sophisticated AI tools continue to emerge. While human error remains the weakest link in developing robust security infrastructures, many SCADA systems (Supervisory Control and Data Acquisition) operate on outdated or unsupported software and firmware, creating recurring opportunities for threat actors to exploit vulnerabilities.
What really happened
Svenska kraftnät has publicly reported a data breach in which a hacker group claims to have exfiltrated approximately 280 GB of data. The attacker posted a countdown on the darknet and threatened to publish the stolen data by Saturday evening - 25th October, 2025 - unless demands are met. Svenska kraftnät says it currently has no indication that electricity transmission operations are affected, is working with other authorities and has filed a police report. MSB / CERT-SE are monitoring and supporting as needed.
Severity of the breach
The breach represents a major national risk and a high-magnitude information security event. It is an extortion-style data-exfiltration incident against a critical national infrastructure operator.
Since the breach has already taken place, it is worth looking at how Grit Scales AB has analysed the situation, starting with a thorough hands-on/technical explanation of "what should have been in place": the controls that might have prevented this breach, or that could prevent subsequent ones.
What could have been done to prevent the breach
Identity & Access Management (IAM)
Least privilege enforced through Attribute-Based Access Control (ABAC), which also enforces separation of duties between administrators and operators.
Multi-Factor Authentication (MFA): This should be in place for all administrative and remote access accounts (prefer hardware-backed FIDO2 keys).
Privileged Access Management: Just-in-time (JIT) elevation, session recording, and automatic credential rotation for privileged accounts.
No long-lived service credentials in scripts: All secrets in a managed secret store (vault, KMS).
Governance & policy
Enterprise data classification policy should be mandatory: This means that every dataset and document should be classified (Public / Internal / Confidential / Secret) at creation/store time. Classification drives protection level and detection thresholds.
There should be a formal third-party risk program: security baseline requirements for suppliers and contractors, periodic security attestation and training, a contractual right to audit, and technical constraints on any file exchange or remote access.
Incident response & tabletop cadence: There should be regular rehearsals/training involving IT, OT, legal, PR and national authorities. There should also be established playbooks and a 24/7 Incident Response roster/plan.
Data Protection
Mandatory data encryption at rest and in transit for all sensitive assets: use Hardware Security Modules for key management and rotate keys regularly.
Data Loss Prevention should be deployed on endpoints, email and network egress points - it can then stop bulk exfiltration of classified file types (patterns, regexes, ML fingerprinting).
There should be secure file-transfer controls: Any third-party file exchange must be initiated from inside a hardened bastion, ephemeral credentials should be used and be subject to Data Loss Prevention and logging.
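The DLP point above talks about patterns and regexes that recognise classified content at the egress point. The following is an added example (not code from the original post, and not a Grit Scales AB or Svenska kraftnät tool) of what such a content check looks like for two of the data types that matter in a Swedish context: classification markers in the text, and Swedish personal identity numbers (personnummer), which are validated with a date sanity check and the Luhn checksum so that ordinary ten-digit numbers such as phone numbers do not trigger false positives. The sample files, the marker words, the bulk threshold and the block/flag/allow verdicts are all constructed for the example.

```python
import re

# Constructed sample files: the content is invented for this example, not data from the incident.
SAMPLE_FILES = {
    "payroll_export.csv": (
        "Namn;Personnummer;Lon\n"
        "Anna Svensson;811218-9876;41200\n"
        "Erik Berg;900101-1239;38900\n"
        "Maria Lund;750615-4561;45100\n"
    ),
    "meeting_notes.txt": (
        "Internal: agenda for Tuesday. Call the vendor on 0701234567.\n"
        "Invalid checksum example that must not match: 811218-9877\n"
    ),
    "grid_topology_notes.txt": (
        "KONFIDENTIELL - stationsplacering och kopplingsschema.\n"
    ),
}

# Swedish personnummer: YYMMDD-NNNN, optionally prefixed with the century (19/20);
# '+' instead of '-' is used for people over 100 years old.
PNR_RE = re.compile(r"\b(?:19|20)?(\d{2})(\d{2})(\d{2})[-+]?(\d{4})\b")
# Classification markers in English and Swedish (hypothetical marking scheme).
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|SECRET|KONFIDENTIELL|HEMLIG)\b", re.IGNORECASE)
BULK_THRESHOLD = 3  # number of personnummer at which a transfer counts as bulk (hypothetical)


def luhn_ok(ten_digits: str) -> bool:
    """Luhn check for the 10-digit form YYMMDDNNNC; the last digit is the check digit."""
    total = 0
    for i, ch in enumerate(ten_digits):
        d = int(ch)
        if i % 2 == 0:  # positions 0, 2, 4, ... are weighted 2
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_personnummer(text: str) -> list[str]:
    """Return candidates that pass both the date sanity check and the Luhn check."""
    hits = []
    for m in PNR_RE.finditer(text):
        yy, mm, dd, serial = m.groups()
        # Simplified date check; coordination numbers (day + 60) are not handled here.
        if not (1 <= int(mm) <= 12 and 1 <= int(dd) <= 31):
            continue
        if luhn_ok(yy + mm + dd + serial):
            hits.append(m.group(0))
    return hits


def classify_content(text: str) -> dict:
    """DLP verdict for one outbound payload: 'block', 'flag' or 'allow'."""
    markers = [m.group(1).upper() for m in MARKER_RE.finditer(text)]
    pnrs = find_personnummer(text)
    if markers or len(pnrs) >= BULK_THRESHOLD:
        verdict = "block"   # classified marking, or bulk personal data
    elif pnrs:
        verdict = "flag"    # a single identifier: log and review rather than block
    else:
        verdict = "allow"
    return {"verdict": verdict, "markers": markers, "personnummer": pnrs}


def scan_files(files: dict[str, str]) -> dict[str, str]:
    """Apply the policy to every file in an outbound transfer and return name -> verdict."""
    return {name: classify_content(content)["verdict"] for name, content in files.items()}


if __name__ == "__main__":
    for name, verdict in scan_files(SAMPLE_FILES).items():
        print(f"{verdict:5s}  {name}")
```

Run as-is, the payroll export and the marked topology notes are blocked while the meeting notes pass, because the phone number and the number with a wrong check digit fail validation. In a real deployment the same check would sit in the email gateway, the endpoint agent and the bastion used for file exchange, and a "block" verdict would raise an alert in the SOC rather than silently dropping the transfer.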
Network & Architecture
Zero Trust Architecture: Every request should be verified regardless of network location. Strong micro-segmentation should exist between IT and OT. A good suggestion would also be to block direct internet access from OT networks.
Use jump hosts & bastion hosts for remote vendor access: When you allow remote vendors (external software suppliers, maintenance contractors, or third-party support teams) to access your internal systems, you’re introducing a high-risk entry point into your network. Instead of giving them direct access to production systems, you can funnel all external connections through a controlled, monitored gateway - called a jump host or bastion host. Also use explicit allowlists.
Egress filtering: Enforce strict firewall rules that allow only approved destinations and ports, and restrict uploads to unknown destinations.
Detection & Monitoring
Ensure defense focuses on what programs do, not only what they look like. Every computer (endpoint) should have EDR or XDR security tools that detect suspicious behavioural patterns, not just known malware signatures.
Have centralised logging of endpoint, network, cloud and application logs, and automated playbooks for alerts such as unusually large outbound transfers.
Ensure network traffic analysis and Transport Layer Security inspection at egress (subject to lawful/privacy constraints) for anomaly detection and exfiltration signatures.
Retain logs long enough to support forensic investigation (90+ days, depending on regulation).
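Two of the controls above, the egress allowlist under Network & Architecture and the alert for unusually large outbound transfers under Detection & Monitoring, can be expressed as the same piece of detection logic running over egress flow logs. The following is an added example (not from the original post, and not a Svenska kraftnät or Grit Scales AB detection) that parses constructed firewall/NetFlow-style flow summaries, raises an alert for any connection to a destination/port pair outside the allowlist, and raises a second alert when a host's total egress volume exceeds a multiple of its learned baseline. The log lines, the allowlist, the baseline values and the 5x ratio are all constructed; the destination addresses are from the reserved documentation ranges.

```python
import re
from collections import defaultdict

# Constructed egress flow summaries in a key=value format (invented for this example, not real logs).
FLOW_LOG = """\
2025-10-24T22:05:11Z src=10.20.5.14 dst=198.51.100.10 dport=443 bytes_out=1843200
2025-10-24T22:41:03Z src=10.20.5.14 dst=192.0.2.5 dport=443 bytes_out=524288
2025-10-25T01:12:44Z src=10.20.7.3 dst=203.0.113.77 dport=443 bytes_out=9663676416
2025-10-25T01:58:19Z src=10.20.7.3 dst=203.0.113.77 dport=443 bytes_out=10737418240
2025-10-25T02:33:07Z src=10.20.7.3 dst=203.0.113.77 dport=443 bytes_out=12884901888
2025-10-25T03:10:55Z src=10.20.7.3 dst=198.51.100.10 dport=443 bytes_out=204800
"""

# Hypothetical egress allowlist: (destination, port) pairs internal hosts may reach.
ALLOWED_DESTINATIONS = {("198.51.100.10", 443), ("192.0.2.5", 443)}
# Hypothetical per-host baseline of daily egress bytes, learned from historical flows.
BASELINE_BYTES = {"10.20.5.14": 50_000_000, "10.20.7.3": 2_000_000_000}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_flows(log_text: str) -> list[dict]:
    """Parse one flow record per line; malformed lines are skipped rather than crashing the pipeline."""
    flows = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        rec["bytes_out"] = int(rec["bytes_out"])
        flows.append(rec)
    return flows


def egress_totals(flows: list[dict]) -> dict[str, int]:
    """Total bytes sent out per source host over the analysed window."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes_out"]
    return dict(totals)


def analyse(log_text: str, allowlist: set, baseline: dict, ratio: float = 5.0,
            default_baseline: int = 1_000_000_000) -> list[dict]:
    """Return alerts for allowlist violations and for hosts whose egress exceeds ratio x baseline."""
    flows = parse_flows(log_text)
    alerts = []
    seen = set()
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        # One policy alert per (source, destination, port) rather than one per flow.
        if key not in seen and (f["dst"], f["dport"]) not in allowlist:
            seen.add(key)
            alerts.append({"type": "egress-policy-violation", "src": f["src"],
                           "dst": f["dst"], "dport": f["dport"]})
    for src, total in egress_totals(flows).items():
        base = baseline.get(src, default_baseline)  # hosts with no history get a conservative default
        if total > ratio * base:
            alerts.append({"type": "bulk-egress", "src": src,
                           "bytes_out": total, "baseline": base})
    return alerts


if __name__ == "__main__":
    for alert in analyse(FLOW_LOG, ALLOWED_DESTINATIONS, BASELINE_BYTES):
        print(alert)
```

On the sample log the file server 10.20.7.3 produces both alerts: it talks to a destination that is not on the allowlist, and it sends roughly 33 GB against a 2 GB baseline. The workstation 10.20.5.14 produces none. In practice the allowlist violation should be enforced by the egress firewall itself, and this detection is the backstop that catches rule gaps and provides the evidence trail the forensic investigation will need.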
Backup & Recovery
Have immutable, air-gapped backups with tested restore procedures. Ensure backups are resistant to modification and exfiltration. Also have regular recovery drills.
Supplier & Remote access controls
Ensure vendor remote sessions are recorded and audited and that vendor access is time-limited.
Schedule periodic third-party penetration testing and red-team exercises, targeting the same attack surfaces an adversary would exploit (file transfer, vendor portals).
Human & Organisational controls
Train staff on phishing-resistant MFA and monitor employee participation. Run continuous simulated-phishing campaigns and training on the secure handling of high-risk data.
Crisis comms training for executives and pre-approved communication templates.
Drills - Ensure proper training of all employees and improve organisational culture such that everyone knows how to act when an attack happens.
What should be prioritised now
Understand the type of data that has been breached. For example, are these videos, documents, payslips, configuration files, etc.? Understanding the type of data will inform how the breach should be handled and treated.
Maintain and expand cooperation with other authorities and the police.
Quickly contain and preserve forensic evidence - rotate credentials and revoke suspected compromised keys.
Strengthen Data Loss Prevention and egress filtering. This stops confidential data - such as personal data, source code or financial records - from leaving the organisation's network, cloud or devices, whether unintentionally or maliciously. Also block known malicious destinations.
Rebuild or clean affected hosts from trusted images. Replace compromised service accounts.
Begin a prioritised remediation plan with measurable milestones.
Prepare GDPR notifications if personal data breach risk is confirmed. This is very important.
Engage an external Incident Response partner and a darknet-monitoring vendor.
In conclusion, cybersecurity is not just about tools - it’s about culture, governance and resilience at scale. Paying a ransom should never be the way to go. Operationally, the response to the incident illustrates the difference between reactive and proactive security. While Svenska kraftnät’s coordination with CERT-SE and MSB was appropriate after detection, a proactive posture - built on continuous monitoring, regular threat modeling and red-teaming exercises - would have identified potential vulnerabilities earlier. This means future strategy should emphasize cyber resilience over cyber resistance: accepting that breaches may occur but building systems that recover quickly and securely is of utmost importance.
At Grit Scales AB, we will continue to monitor the details of the investigation and are available in case our expert cybersecurity consultants are needed. For us, cybersecurity is more than protection - it’s precision. Our expert cybersecurity consultants help organisations safeguard digital assets, manage threats and build resilience in an ever-evolving digital landscape. Contact us, let’s learn about your business and help your organisation take proactive measures against cyber-attacks.
Email: info@gritscales.com

Thank you for sharing.
Very thorough analysis