Everest Ransomware Hits Swedish Power Grid Operator, Steals 280GB of Data

Everest Ransomware Group Claims Data Breach at Swedish Power Grid Operator Svenska kraftnät

Severity: HIGH
October 28, 2025
Cyberattack, Data Breach, Industrial Control Systems

Impact Scope

Affected Companies: Svenska kraftnät
Industries Affected: Energy, Critical Infrastructure
Geographic Impact: Sweden (national)

Related Entities

Threat Actors: Everest
Organizations: Swedish Police
Other: Svenska kraftnät

Full Report

Executive Summary

Svenska kraftnät, the state-owned operator of Sweden's national power grid, confirmed it was the victim of a cyberattack after the Everest ransomware group claimed responsibility for a data breach. The threat actor alleged on its dark web leak site that it had exfiltrated 280 gigabytes of data and threatened to publish it. While the incident represents a serious attack on a critical infrastructure entity, Svenska kraftnät has emphasized that the breach was limited to an isolated, external file transfer solution. The operator has assured the public that its core operational technology (OT) systems and the country's electricity supply remain secure and unaffected.

Threat Overview

The incident came to public attention over the weekend of October 25-26, 2025, when the Russia-linked Everest ransomware group posted its claim. The group's primary tactic in this case appears to be data theft for extortion, rather than encryption for disruption. Svenska kraftnät discovered the breach on October 26 after being notified by an external security researcher. The company promptly launched an investigation, reported the incident to Swedish police, and is collaborating with national cybersecurity authorities.

The Everest group, active since at least December 2020, has a history of targeting high-profile organizations. In recent campaigns, the group has shifted its strategy from traditional double extortion (encryption + data leak) to focusing primarily on data exfiltration and subsequent extortion, effectively operating as a data-theft-focused cybercrime group.

Technical Analysis

Details on the specific attack vector used to compromise the external file transfer system have not been disclosed. However, the incident highlights the risks associated with third-party and external-facing systems that handle sensitive organizational data. Attackers often target these less-defended peripheral systems as an entry point. The Everest group's TTPs in this case likely involved:

Impact Assessment

While Svenska kraftnät successfully prevented the attack from impacting its OT environment and the power grid, the incident is not without consequences:

  • Data Exposure: The nature of the 280 GB of stolen data is currently unknown. If it contains sensitive project information, employee PII, or partner data, it could lead to significant regulatory, financial, and reputational damage.
  • Reconnaissance Value: Even if non-critical, the stolen data could provide valuable intelligence for future, more sophisticated attacks against Svenska kraftnät or its partners.
  • Supply Chain Risk: The compromise of a file transfer system could have implications for third parties who interact with the Swedish TSO.
  • Erosion of Trust: An attack on a national critical infrastructure operator can erode public trust, even if core services were not disrupted.

IOCs

No specific Indicators of Compromise (IOCs) were provided in the source articles.

Cyber Observables for Detection

Type: network_traffic_pattern
Value: Unusually large data egress
Description: Monitor external-facing file transfer solutions for outbound data volumes that are significantly larger than the established baseline.

Type: log_source
Value: File transfer application logs
Description: Analyze logs for anomalous access patterns, such as logins from unusual geolocations or access to an abnormally high number of files.

Type: user_account_pattern
Value: Service account activity from external IPs
Description: Monitor for any activity from service accounts associated with the file transfer solution originating from outside the corporate network.

Detection & Response

  1. Monitor External Systems: Pay close attention to the security posture and activity logs of all internet-facing applications, especially those handling file transfers or third-party data exchange.
  2. Data Exfiltration Alerts: Implement network monitoring and DLP solutions to alert on large, anomalous outbound data transfers. A 280 GB transfer should trigger multiple high-severity alerts.
  3. Threat Intelligence: Subscribe to threat intelligence feeds that monitor dark web leak sites. Early notification of a claim can provide a critical head start in incident response, as was the case for Svenska kraftnät.
  4. D3FEND Techniques:

Mitigation

  1. Network Segmentation: The successful containment of this attack underscores the importance of robust network segmentation. Ensure that external-facing IT systems are completely isolated from the OT network and other critical internal systems.
  2. Secure Third-Party Solutions: Thoroughly vet the security of any external or third-party software before deployment. Ensure these systems are kept fully patched and are configured according to security best practices.
  3. Principle of Least Privilege: Ensure that accounts used by external systems have the absolute minimum permissions necessary to perform their function.
  4. Incident Response Plan: Have a well-defined and tested incident response plan that includes communication strategies for engaging with law enforcement, regulators, and the public.
  5. D3FEND Countermeasures:

Timeline of Events

1. October 26, 2025: Svenska kraftnät discovers the breach after being notified by an external security expert about the Everest group's claim.
2. October 28, 2025: This article was published.

MITRE ATT&CK Mitigations

The successful containment of this attack demonstrates the critical value of separating IT and OT networks. This prevented the breach from impacting core grid operations.

Implement egress filtering and monitoring to detect and block large, anomalous data transfers from the network.

Audit (M1047, Enterprise)

Maintain and regularly review audit logs for all external-facing systems to detect unusual access patterns or data access.

D3FEND Defensive Countermeasures

This incident is a textbook case for the effectiveness of Network Isolation. Svenska kraftnät successfully prevented a catastrophic failure by ensuring their external file transfer system (an IT asset) was properly segmented and isolated from their core electricity grid control systems (OT assets). All critical infrastructure operators must adopt this model. Implement a robust Purdue Model or similar zoning architecture using firewalls and unidirectional gateways to create a strong DMZ between IT and OT. There should be no direct communication paths from the IT network to the OT network. All data exchange must be brokered through secure, hardened systems in the DMZ. This countermeasure proved to be the single most important factor in limiting the impact of this attack.

To detect the data exfiltration phase of an attack like the one by Everest, organizations should deploy User Data Transfer Analysis. This involves using a combination of Data Loss Prevention (DLP) tools, network flow analysis (NetFlow/sFlow), and SIEM correlation. Establish a baseline of normal data transfer volumes for external-facing systems like file servers. An exfiltration of 280 GB of data is a massive anomaly that should trigger high-severity alerts. Configure rules to flag any single session or cumulative transfers over a short period that exceed a defined threshold (e.g., >1 GB). Correlate this with user account information and geolocation data to quickly identify suspicious activity, enabling security teams to intervene and potentially stop the exfiltration before it completes.
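The following is an added example, not code from the report or from Svenska kraftnät, that turns the "Cyber Observables for Detection" table, Detection & Response item 2 and the User Data Transfer Analysis paragraph above into runnable detection logic. It builds a per-account volume baseline from a training period and then applies five rules to observed file transfer logs: a single-session threshold (the ">1 GB" rule from the text), a cumulative threshold over a short window to catch transfers split into sub-threshold chunks, service-account activity from outside the corporate network, logins from a geolocation outside the baseline, and volume more than three standard deviations above the account's baseline. The log format, account names, the 10.0.0.0/8 corporate range, the one-hour window and all log lines are constructed assumptions for illustration.

```python
"""Baseline-and-threshold detection over file transfer application logs.

Added example; the log format, account names, networks and numbers below are
constructed for illustration and are not from the incident or any product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

GB = 10**9
SESSION_THRESHOLD = 1 * GB            # the ">1 GB" single-session rule from the text
CUMULATIVE_THRESHOLD = 1 * GB         # same limit applied to a short window
WINDOW = timedelta(hours=1)           # assumed "short period" for cumulative totals
Z_LIMIT = 3.0                         # flag volumes more than 3 std devs above baseline
CORPORATE_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space
SERVICE_ACCOUNTS = {"svc_transfer"}           # assumed service account of the transfer app
BASELINE_COUNTRIES = {"SE"}                   # assumed normal login geolocation


@dataclass
class Transfer:
    ts: datetime
    account: str
    src_ip: str
    country: str
    bytes_out: int


# Constructed training period: normal daily transfers from inside the network.
BASELINE_LOGS = """\
2025-10-20T09:00:00 alice 10.0.5.12 SE 52000000
2025-10-21T09:05:00 alice 10.0.5.12 SE 48000000
2025-10-22T09:10:00 alice 10.0.5.12 SE 55000000
2025-10-20T02:00:00 svc_transfer 10.0.9.4 SE 200000000
2025-10-21T02:00:00 svc_transfer 10.0.9.4 SE 210000000
2025-10-22T02:00:00 svc_transfer 10.0.9.4 SE 190000000
"""

# Constructed observation period: one normal user, a service account used from an
# external address in two sub-threshold chunks, and one oversized internal session.
OBSERVED_LOGS = """\
2025-10-25T23:10:00 alice 10.0.5.12 SE 51000000
2025-10-26T01:00:00 svc_transfer 198.51.100.7 NL 900000000
2025-10-26T01:20:00 svc_transfer 198.51.100.7 NL 800000000
2025-10-26T02:00:00 bob 10.0.5.40 SE 1500000000
"""


def parse_log(text):
    """Parse 'timestamp account source_ip country bytes_out' lines (hypothetical format)."""
    transfers = []
    for line in text.strip().splitlines():
        ts, account, src_ip, country, bytes_out = line.split()
        transfers.append(Transfer(datetime.fromisoformat(ts), account, src_ip, country, int(bytes_out)))
    return transfers


def baseline(transfers):
    """Per-account (mean, population std dev) of bytes_out over the training period."""
    by_account = defaultdict(list)
    for t in transfers:
        by_account[t.account].append(t.bytes_out)
    return {acct: (mean(v), pstdev(v)) for acct, v in by_account.items()}


def is_internal(ip):
    return any(ip_address(ip) in net for net in CORPORATE_NETS)


def detect(transfers, base):
    """Return (rule, account, timestamp) alerts for the observables discussed in the report."""
    alerts = []
    ordered = sorted(transfers, key=lambda t: t.ts)
    for i, t in enumerate(ordered):
        stamp = t.ts.isoformat()
        if t.bytes_out > SESSION_THRESHOLD:
            alerts.append(("session_volume", t.account, stamp))
        else:
            # Cumulative rule catches exfiltration split into sub-threshold chunks.
            recent = sum(u.bytes_out for u in ordered[: i + 1]
                         if u.account == t.account and t.ts - u.ts <= WINDOW)
            if recent > CUMULATIVE_THRESHOLD:
                alerts.append(("cumulative_volume", t.account, stamp))
        if t.account in SERVICE_ACCOUNTS and not is_internal(t.src_ip):
            alerts.append(("external_service_account", t.account, stamp))
        if t.country not in BASELINE_COUNTRIES:
            alerts.append(("unusual_geolocation", t.account, stamp))
        if t.account in base:
            mu, sigma = base[t.account]
            if t.bytes_out > mu + Z_LIMIT * sigma:
                alerts.append(("baseline_deviation", t.account, stamp))
    return alerts


def rule_counts(alerts):
    """Summarise alerts per rule, the shape a SIEM correlation rule would aggregate on."""
    counts = defaultdict(int)
    for rule, _, _ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(parse_log(OBSERVED_LOGS), baseline(parse_log(BASELINE_LOGS)))
    for rule, account, stamp in found:
        print(f"{stamp} {account:13} {rule}")
    print(rule_counts(found))
```

Run as a script, the two 900 MB and 800 MB transfers each stay under the 1 GB session rule, which is why the cumulative window, the external-IP check on the service account, the geolocation check and the baseline deviation are all needed: together they raise seven alerts on that account, while the single 1.5 GB internal session is caught by the session rule alone and the normal user produces none. Accounts with no training history get no baseline alert, so in production an "unknown account" rule or a conservative default baseline is worth adding.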

Sources & References

Hackers Target Swedish Power Grid Operator. SecurityWeek (securityweek.com), October 28, 2025.
Swedish power grid operator confirms it was hit by hacker attack. Cybernews (cybernews.com), October 28, 2025.
Sweden power grid confirms cyberattack, ransomware suspected. TechRadar Pro (techradar.com), October 28, 2025.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Everest, Ransomware, Data Breach, Sweden, Critical Infrastructure, ICS, Energy Sector
