Russian Hackers Targeted Swedish News Sites In 2016, State Department Cable Says

According to a newly released State Department cable, the attack was part of a Russian campaign to sow disinformation about NATO. It came as Russia allegedly was stealing Democrats' emails.

At the same time that Russian military intelligence operatives allegedly penetrated Hillary Clinton’s presidential campaign in 2016, suspected Russian hackers were also targeting at least nine Swedish news sites in an apparent attempt to dissuade Sweden from cooperating with NATO, a partially released State Department cable reveals.

The cable, which was obtained through a Freedom of Information Act lawsuit by BuzzFeed News and Ryan Shapiro, a PhD candidate at the Massachusetts Institute of Technology and the cofounder of the transparency project Property of the People, was intended for internal use only. Sent Oct. 19, 2016, primarily to US ambassadors in Europe, it detailed US intelligence suspicions about Russian meddling in US the presidential election.

It also warned that Russia was engaged in a widespread campaign to destabilize NATO alliances that included not only a disinformation campaign but the crippling cyberattacks against Swedish news organizations, which knocked several of the country’s largest news organizations offline.

The cable is the first confirmation that Russia was suspected in the March 2016 attacks in Sweden, which came as the Swedish government was debating whether to approve a cooperation treaty with NATO. Sweden is not a member of NATO, but has grown closer to the organization in recent years in light of what Swedish officials called Russia’s willingness to use force in Georgia and Ukraine. News outlets reported at the time that some Swedish officials were pushing to join NATO outright, a sentiment that was echoed fearfully by a Russian think tank. The agreement was approved in May 2016.

“Russia has focused significant resources on specific Partners, like Sweden and Finland,” the cable notes in a section marked SBU — sensitive but unclassified. “Russian actors are suspected of being behind recent efforts to infiltrate Sweden with distorted and false information about NATO in the Swedish press, at think tank events, and on social media.”

It adds, “Russia is also suspected of carrying out cyberattacks against Swedish media outlets in March 2016.”

The cable, portions of which were redacted because the information remains classified, is notable for using plain language to attribute the cyberattack’s likely perpetrator, something that the US government only does publicly with enormous care and as part of an intra-agency announcement, and never on an attack in which the US itself isn’t the victim.

Asked for comment, a State Department spokesperson told BuzzFeed News that “the cable speaks for itself.”

The cable came 12 days after the US government’s first public proclamation that Russia was interfering in the 2016 presidential election. Media coverage of that Oct. 7 joint statement was largely subsumed, however, by accounts of the infamous Access Hollywood tape that caught Donald Trump bragging about groping women and WikiLeaks’ publication of Hillary Clinton campaign manager John Podesta’s emails.

The attacks on Swedish media didn’t attract significant US attention, but they constituted a major event in Sweden. The attacks weren’t sophisticated — they were merely a Distributed Denial of Service (DDoS), which overloads a network with too much traffic, keeping it from being able to load — but they were powerful enough to keep readers from accessing at least nine of the country’s biggest news sites.

The timing of those attacks, which began March 19 and continued against at least some sites for five days, also is notable, in light of the indictment last month of 12 Russian military operatives by special counsel Robert Mueller. March 19 was also the day, according to the indictment, that a Russian intelligence officer named Aleksey Lukashev sent a spear-phishing email to Podesta. Two days later, according to the indictment, Lukashev and others downloaded the contents of Podesta’s email account.

The Swedish government has never publicly blamed Russia for the media attacks, according to representatives for Polisen, the country’s national police; Sakerhetspolisen, a national security agency; and the country’s Foreign Ministry. At the time, police said that many of the IP addresses used in the DDoS were Russian, which is far from proof of a DDoS perpetrator’s identity, and that they were considering a full range of culprits, from a hostile nation-state to an angry teenager.

Thomas Mattsson, the editor-in-chief of Expressen, Sweden’s second-largest paper and one of the victims, met with a number of government officials and politicians at the time over the attacks.

“Everyone was suspecting this would have something to do with Russia, of course,” Mattsson told BuzzFeed News. “But it has not been declared in Sweden as fact.”

Since then, many of the papers have hired cybersecurity firms to help thwart similar attacks. But there’s little hope of fully deterring dedicated government hackers.

“If other nations could affect the US election, if hackers can break into the Pentagon, then it will obviously be difficult for newspapers, and regional newspapers in particular, to protect themselves,” Mattsson said.

Skip to footer