Datacarry Ransomware Hits Swedish IT Provider Miljödata, Leaking Data of 1.5 Million People and Disrupting Municipal Services

Executive Summary

A significant supply chain attack has struck Sweden, with the IT systems supplier Miljödata falling victim to the Datacarry ransomware group. The breach has exposed the personal data of up to 1.5 million individuals, many of whom are public sector employees. The attackers targeted Miljödata's 'Adato' HR system, which is used by approximately 80% of Sweden's municipalities. After exfiltrating a 224MB archive of sensitive data, including government IDs and contact information, the Datacarry group published the data on the dark web following failed ransom negotiations. The incident has caused widespread disruption to government services and has impacted major corporate clients of Miljödata, including SAS, Volvo North America, and Lund University. The Swedish Authority for Privacy Protection is investigating the massive breach for GDPR compliance failures.

Threat Overview

The attack, attributed to the Datacarry ransomware group, is a classic example of a double-extortion supply chain attack. Instead of targeting each municipality individually, the threat actor compromised a single, central software provider, Miljödata, to gain access to a vast trove of data. The group is known to be financially motivated and opportunistic, using a ransomware variant believed to be based on the leaked Conti builder. Their primary TTPs involve data exfiltration followed by encryption, with the threat of public data release used as leverage for payment.

The initial access vector in past campaigns by this group has been the exploitation of vulnerabilities in Fortinet EMS servers. While not confirmed for this specific incident, it represents a plausible entry point. The attack has had a direct impact on the continuity of public services and the privacy of millions of Swedish citizens.

Technical Analysis

• Threat Actor: Datacarry is a relatively new ransomware group, active since at least June 2024. They operate a Ransomware-as-a-Service (RaaS) model and are known for targeting medium-sized businesses in Europe.
• Malware: The ransomware used is reportedly built from the leaked source code of the notorious Conti ransomware. This means it likely possesses robust encryption capabilities and features for network propagation.
• Attack Chain:
  1. Initial Access: Likely via exploiting a public-facing vulnerability, such as the previously used CVE-2023-48788 in Fortinet EMS servers. (T1190 - Exploit Public-Facing Application).
  2. Discovery: Once inside the network, the actors would perform reconnaissance to identify high-value systems, such as the 'Adato' HR database. (T1082 - System Information Discovery).
  3. Data Exfiltration: The attackers exfiltrated a 224MB archive of sensitive data. (T1567.002 - Exfiltration to Cloud Storage).
  4. Impact: The final stage involved deploying the ransomware to encrypt systems (T1486 - Data Encrypted for Impact) and posting the stolen data on their dark web leak site.

Impact Assessment

The breach of Miljödata has had a cascading effect across Sweden:

• Citizen Impact: Up to 1.5 million individuals have had their personal and sensitive information exposed, including names, addresses, phone numbers, and government IDs. This places them at high risk of identity theft, phishing, and other fraud.
• Government Disruption: Multiple municipalities (Halland, Gotland, Skellefteå, etc.) experienced disruptions to essential services, particularly in HR and administration, due to the unavailability of the 'Adato' system.
• Corporate Impact: Major clients like Scandinavian airline SAS, metals company Boliden, Volvo North America, and Lund University have confirmed their employee data was compromised, leading to internal security incidents and potential legal liabilities.
• Regulatory Scrutiny: Miljödata faces a major investigation by the Swedish Authority for Privacy Protection (IMY), with the potential for massive fines under GDPR for failing to protect personal data.

Cyber Observables for Detection

Organizations can hunt for Datacarry activity using the following observables:

Detection & Response

1. Supply Chain Monitoring: Organizations must identify and monitor critical IT suppliers like Miljödata. Implement third-party risk management programs to assess the security posture of vendors with access to sensitive data. This aligns with D3FEND's D3-JFAPA: Job Function Access Pattern Analysis to understand external party interactions.
2. Backup Integrity Checks: Regularly test and validate the integrity and restorability of offline and immutable backups. This is a crucial step in ransomware response.
3. Endpoint Detection and Response (EDR): Deploy EDR solutions to detect ransomware behaviors, such as rapid file encryption, deletion of shadow copies, and attempts to disable security tools. This is a direct application of D3FEND's D3-PA: Process Analysis.

Mitigation

1. Patch Management: Aggressively patch all internet-facing systems, especially security appliances like Fortinet EMS, to prevent initial access. This is a fundamental application of D3FEND's D3-SU: Software Update.
2. Network Segmentation: Segment networks to prevent a breach in one area (like a supplier connection) from spreading to critical internal systems. Isolate sensitive databases from the general network. This is covered by D3FEND's D3-NI: Network Isolation.
3. Multi-Factor Authentication (MFA): Enforce MFA on all remote access points, administrative accounts, and critical applications to make it harder for attackers to move laterally even if they gain an initial foothold. This is a direct implementation of D3FEND's D3-MFA: Multi-factor Authentication.
4. Data Minimization and Encryption: Only store personal data that is absolutely necessary and ensure that data at rest is encrypted. This limits the impact of a data exfiltration event.