The expert on IT attacks on municipalities: “Risk-free”

Kalix municipality is still working feverishly to restore IT operations after a major ransomware attack. Now the security expert Robert Malmgren warns that more municipalities and authorities may be affected: “A business model that works a little too well for criminals”.

In mid-December, Kalix municipality was subjected to an extensive hacker attack that paralyzed large parts of the municipal operations.

The attackers deployed ransomware that encrypted files on computers and servers in the municipality’s network, and demanded a ransom to unlock the files. But the municipality refused to pay.

Critical systems running

Since then, extensive and painstaking work has been underway to restore the municipality’s IT systems. Today, just over two weeks after the attackers broke into the municipality’s servers, the municipality has managed to get most of the critical systems up and running, above all in the social administration.

– What we have focused on are functions that concern, among other things, home care, care and nursing. The main system has been running since lunchtime on Tuesday, others are being put into operation right now, says Kenneth Björnfot, chief of staff in Kalix municipality.

Rebuilding – from scratch

About 30 people, including security consultants, have worked tirelessly for several weeks to solve the municipality’s IT problems. It is not possible to say exactly when IT operations will be up again, but the intensive restoration work is expected to continue, says Kenneth Björnfot.

– We have had to rebuild everything from scratch on the server side, and strengthen the protection there. We also continue to look at the client side to check if the staff’s computers have been infected with malicious software.

Municipalities attractive targets

2021 has been a dark year when it comes to IT attacks. Several notable attacks have been carried out – one of the largest and most notable was the attack on Coop’s IT supplier Kaseya.

Municipalities and authorities have become particularly attractive targets for hackers. A survey carried out by P4 Örebro shows that just over one in three municipalities in Sweden has been affected by IT attacks – at the same time, only half of the incidents are reported to the police.

Robert Malmgren runs the company Romab, and has 20 years of professional experience in cybersecurity. Photo: Lars “Mårre” Mårelius.

– Sweden has a high level of digitization. At the same time, municipalities and authorities have rarely put security first when building their IT environment. In addition, many IT systems are often interconnected by the municipalities. This means that the attackers can strike hard and wide if they manage to get into the municipalities’ servers, says the experienced security expert Robert Malmgren to Ny Teknik.

– And if systems related to healthcare, transport and other critical activities are affected, the tendency to want to pay to get back encrypted data, for example, increases, he continues.

Is there a risk that more IT attacks targeting municipalities await?

– I think we will see an increase. It is a business model that works a little too well for the criminals. From the attacker’s perspective, the attacks are risk-free and easy to carry out compared to classic crime such as burglary and robbery.

“Must be more on our toes”

In Kalix, the municipality has now introduced a comprehensive suite of IT security measures in the wake of the ransomware attack, says Chief of Staff Kenneth Björnfot.

This involves everything from new firewalls and strengthened login functions, to fresh antivirus software on the client and server side as well as improved monitoring of traffic on the municipality’s network.

– We planned to start extensive training in IT security at the beginning of next year, but the attack came in between. Now we must be more on our toes in the future. It is about both increasing the security awareness of the staff and, at the same time, getting better monitoring of the IT systems, among other things with the help of tools that automatically alert if an attacker tries to execute code on one of our servers.

Will you be able to fully restore all systems, or do you fear that data or metadata is lost?

– We estimate that all systems will be able to be restored to the situation they had on 15 December. 85 servers out of 100 are now ready for a final verification before they become available for the operations. However, it takes longer than normal as we have activated so many new security functions, says Kenneth Björnfot.

The expert’s tip: This is how you protect yourself against IT attacks

# Be sure to take backup very seriously. Nowadays, many people save their backup files online, on disk or in the cloud, but if someone encrypts their servers, it is impossible to access the copies there. Instead, focus on installing a solution that protects your copies in a way that prevents even system administrators from modifying the files.

# Build an IT environment where, as far as possible, different parts of the IT operation are separated with the help of efficient firewalls. Make sure you have strict control over the data sent between the servers.

# Make sure to harden the Windows environment, so that several of the attackers’ standard tricks do not work. There are plenty of security settings in Active Directory and Windows to better lock down the Windows environment so that attackers cannot carry out attacks or information theft. Connect these locks to alarms, so unusual behavior and intrusion attempts can be detected in time.

# Invest in active monitoring of the IT environment. Many attacks are preceded by someone stepping in to map the system to find vulnerabilities or deploy encryption software. But it often takes time to encrypt large amounts of files, which gives you time to act if you have a chance to detect the attack in advance.

Source: Robert Malmgren
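
The monitoring tip rests on the observation that bulk encryption takes time. As an added illustration (not from the article or from Robert Malmgren), the Python example below flags an account that modifies many distinct files within a short window. The log format, host and account names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed format): timestamp host account action path
SAMPLE_EVENTS = """\
2021-12-15T08:00:00 srv01 anna WRITE /home/anna/report.docx
2021-12-15T08:04:10 srv01 anna WRITE /home/anna/budget.xlsx
2021-12-15T08:09:30 srv01 anna READ /home/anna/notes.txt
2021-12-15T08:10:00 srv02 svc_app WRITE /share/care/p1.db
2021-12-15T08:10:02 srv02 svc_app WRITE /share/care/p2.db
2021-12-15T08:10:04 srv02 svc_app RENAME /share/care/p3.db
2021-12-15T08:10:06 srv02 svc_app WRITE /share/care/p4.db
2021-12-15T08:10:08 srv02 svc_app WRITE /share/care/p5.db
2021-12-15T08:10:10 srv02 svc_app WRITE /share/care/p6.db
""".splitlines()

MODIFYING = {"WRITE", "RENAME"}  # actions that change file content or name


def detect_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Return {(host, account): (first_alert_time, distinct_files)} for every
    account that modified at least `threshold` distinct files within `window`."""
    recent = defaultdict(deque)  # (host, account) -> recent (time, path) pairs
    alerts = {}
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) != 5 or parts[3] not in MODIFYING:
            continue  # skip malformed lines and read-only activity
        ts, host, account, _action, path = parts
        when = datetime.fromisoformat(ts)
        key = (host, account)
        events = recent[key]
        events.append((when, path))
        # Drop events that have fallen out of the sliding window.
        while when - events[0][0] > window:
            events.popleft()
        distinct = len({p for _, p in events})
        if distinct >= threshold and key not in alerts:
            alerts[key] = (when, distinct)  # record only the first alert
    return alerts


if __name__ == "__main__":
    for (host, account), (when, count) in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host} {account}: {count} files modified by {when}")
```
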


Source: Nyteknik – Senaste nytt by www.nyteknik.se.
