ebuildersecurity.com/
March 13, 2026
By: Dalia Nasser
A threat actor calling itself ByteToBreach claims to have leaked the complete source code of Sweden’s e-government platform, after allegedly compromising CGI Sverige AB’s infrastructure. The leak includes the full source code for critical government services, API documentation, signing systems and embedded credentials that could enable further attacks across Sweden’s digital government ecosystem.
ByteToBreach published the leaked materials on 12 March across multiple open web forums and file-sharing platforms, according to Threat Landscape and Dark Web Informer. CGI Sverige AB is the Swedish subsidiary of CGI Group, a global IT services firm that manages critical digital infrastructure for the Swedish government. The actor has made the source code available for free while selling citizen databases and electronic signing documents separately.
The Leak Exposes Sweden’s Digital Government Architecture
About 96% of Sweden’s 10.7 million population used e-government services in 2025, according to Eurostat.
According to an analysis by International Cyber Digest, the leaked repositories appear to originate from an internal CGI GitLab instance. The exposed code includes core government platforms that millions of Swedes interact with daily: Mina Engagemang citizen services, the Signe electronic signature portal and the Företrädarregister authorization system that governs legal representation for organizations.
The leak also contains database passwords, SMTP credentials, keystore files and embedded Git credentials, exactly the type of authentication material that enables lateral movement through connected systems. Swedish IT security expert Anders Nilsson told SVT that “source code for several programs appears to exist, and from what I can see, the hack looks genuine.”
That assessment matters because source code exposure creates what security researchers call a “detailed roadmap for future attacks.” Every API endpoint, authentication mechanism and integration point is now visible to anyone with access to the leaked material.
ByteToBreach Compromised Jenkins and Escaped to Docker
ByteToBreach documented their attack methodology in the leak release, detailing how they achieved full compromise of CGI Sverige’s infrastructure through a Jenkins CI/CD server. The attack chain involved exploiting Jenkins misconfigurations, escaping from the Docker container to the host via the Jenkins user’s Docker group membership, pivoting through SSH private keys, extracting credentials from Java heap dump files, and executing OS commands through SQL copy-to-program pivots.
This is the same actor behind the Viking Line breach posted one day earlier, suggesting an active campaign against Swedish infrastructure via CGI’s managed services footprint. ByteToBreach explicitly rejected the usual “third-party breach” framing, stating in their release that “this compromise belongs clearly to CGI infrastructure.”
In an updated statement on 17 March 2026, CGI said the incident affected a limited number of internal test servers in Sweden that were not in production. The company said there is no indication that production environments, production data or operational services were impacted. Affected customers have been notified.
The actor’s choice to make the source code freely available while selling citizen data separately indicates their primary motivation may be causing maximum disruption to Sweden’s digital government rather than purely financial gain. That strategic choice makes the breach more dangerous: source code in the wild enables other threat actors to develop their own exploits.
What Swedish Organisations Must Do Now
Any Swedish organisation that integrates with government e-services should audit those API connections immediately and rotate all credentials used in government-adjacent systems. The leaked source code contains enough architectural detail to enable targeted attacks against organisations that rely on these platforms for authentication or data exchange.
Electronic signing outputs should be treated with elevated scrutiny pending a full incident assessment by Swedish authorities. The Signe portal configurations and signing workflow templates are among the exposed materials, potentially compromising the integrity verification process for electronically signed documents.
Jenkins administrators across Sweden should assume their CI/CD pipelines are misconfigured until proven otherwise. The attack methodology ByteToBreach used, Docker group escalation from the Jenkins user, is a common misconfiguration that exists in many environments. Review user permissions and container access controls now.
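The review the paragraph above asks for can be scripted. The following POSIX shell check is an added example, not code from the article or from CGI or Jenkins, and it assumes the CI service account is named jenkins and that membership is recorded in the usual /etc/group and /etc/passwd formats. It flags two cases: the account listed as a supplementary member of the docker group, and the less visible case where docker is the account's primary group (which never shows up on the docker line of /etc/group). The sample files are constructed so the check runs offline; omit the file arguments to run it against a live host.

```shell
#!/bin/sh
# Added example (not from the article): audit whether a CI service account has
# docker-group access, which is equivalent to root on the container host.
# Arguments: <user> [group file] [passwd file]; the files default to the
# system's /etc/group and /etc/passwd so the same function works on a live host.
audit_docker_group() {
    user="$1"
    group_file="${2:-/etc/group}"
    passwd_file="${3:-/etc/passwd}"

    # /etc/group line: name:password:gid:member1,member2,...
    docker_gid=$(awk -F: '$1 == "docker" { print $3 }' "$group_file")
    if [ -z "$docker_gid" ]; then
        echo "OK: no docker group defined in $group_file"
        return 0
    fi
    members=$(awk -F: '$1 == "docker" { print $4 }' "$group_file")

    # /etc/passwd line: name:password:uid:gid:gecos:home:shell
    primary_gid=$(awk -F: -v u="$user" '$1 == u { print $4 }' "$passwd_file")

    # Supplementary membership: exact match inside the comma-separated list.
    case ",$members," in
        *",$user,"*)
            echo "FAIL: $user is a supplementary member of docker (gid $docker_gid)"
            return 1 ;;
    esac
    # Primary-group membership is easy to miss because it never appears
    # on the docker line of /etc/group.
    if [ -n "$primary_gid" ] && [ "$primary_gid" = "$docker_gid" ]; then
        echo "FAIL: $user has docker (gid $docker_gid) as its primary group"
        return 1
    fi
    echo "OK: $user has no docker-group access"
    return 0
}

# Constructed sample files (not from any real host) so the check runs offline.
SAMPLE_GROUP=$(mktemp)
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP" "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
docker:x:999:alice,jenkins
jenkins:x:1001:
EOF
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
jenkins:x:1001:1001:Jenkins CI:/var/lib/jenkins:/bin/sh
bob:x:1002:999:Bob:/home/bob:/bin/sh
carol:x:1003:1003:Carol:/home/carol:/bin/sh
EOF

# Verdicts on the sample data: jenkins FAIL (listed member),
# bob FAIL (primary gid 999), carol OK.
for u in jenkins bob carol; do
    audit_docker_group "$u" "$SAMPLE_GROUP" "$SAMPLE_PASSWD" || :
done
```

The function exits non-zero on a finding so it can gate a configuration-management run or a nightly compliance job; a FAIL for the CI account means any job that can run a shell step on that agent can start a privileged container and reach the host filesystem, which is the escalation path the article describes.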
The Record from Recorded Future News
Daryna Antoniuk
October 27th, 2025
The utility responsible for operating Sweden's power grid is investigating a data breach after a ransomware group threatened to leak hundreds of gigabytes of purportedly stolen internal data.
Sweden’s power grid operator is investigating a data breach after a ransomware group threatened to leak hundreds of gigabytes of purportedly stolen internal data.
State-owned Svenska kraftnät, which operates the country’s electricity transmission system, said the incident affected a “limited external file transfer solution” and did not disrupt Sweden’s power supply.
“We take this breach very seriously and have taken immediate action,” said Chief Information Security Officer Cem Göcgören in a statement. “We understand that this may cause concern, but the electricity supply has not been affected.”
The ransomware gang Everest claimed responsibility for the attack on its leak site over the weekend, alleging it had exfiltrated about 280 gigabytes of data and saying it would publish it unless the agency complied with its demands.
The same group has previously claimed attacks on Dublin Airport, Air Arabia, and U.S. aerospace supplier Collins Aerospace — incidents that disrupted flight operations across several European cities in September. The group’s claims could not be independently verified.
Svenska kraftnät said it is working closely with the police and national cybersecurity authorities to determine the extent of the breach and what data may have been exposed. The utility has not attributed the attack to any specific threat actor.
“Our current assessment is that mission-critical systems have not been affected,” Göcgören said. “At this time, we are not commenting on perpetrators or motives until we have confirmed information.”
therecord.media, Alexander Martin
August 27th, 2025
A suspected ransomware attack on a Swedish software provider is believed to have impacted around 200 of the country’s municipal governments.
A suspected ransomware attack on Miljödata, a Swedish software provider used for managing sick leave and similar HR reports, is believed to have impacted around 200 of the country’s municipal governments.
The attack was detected on Saturday, according to the company’s chief executive Erik Hallén. The attackers are attempting to extort Miljödata, police told local newspaper BLT.
Swedish Minister for Civil Defence Carl-Oskar Bohlin wrote in a short update on social media: “The scope of the incident has not yet been clarified, and it is too early to determine the actual consequences.”
Hallén told Swedish press agency TT that around 200 municipalities and regions were affected by the incident. Sweden has 290 municipalities and 21 regions.
Several regional governments have confirmed using Miljödata systems to handle employee data, including “for example, medical certificates, rehabilitation plans, work-related injuries, and more,” according to the local government of the island of Gotland.
Hallén reportedly said Miljödata was “working very intensively with external experts to investigate what happened, what and who was affected, and to restore system functionality.”
“The government is receiving ongoing information about the incident and is in close contact with the relevant authorities,” Bohlin, the civil defense minister, said.
“CERT-SE, which has the task of supporting Swedish society in handling and preventing IT security incidents, has offered advice and support to both the company in question and the affected customers,” the minister added. “The national cybersecurity center is coordinating the measures of the relevant authorities. A police investigation is also underway.”
He stressed the incident underscored the need for high levels of cybersecurity throughout society, and said the Swedish government planned to present a new cybersecurity bill to the Swedish parliament in the near future “that will impose increased requirements on a wide range of actors.”
An unsecured server has exposed hundreds of millions of detailed records on Swedish citizens and companies, offering a data goldmine for anyone who stumbles on it.
A misconfigured Elasticsearch server has exposed a goldmine of business intelligence data with hundreds of millions of highly detailed records tied to Swedish individuals and organizations.
Cybernews researchers identified the unsecured database, which did not require any authentication and was fully accessible to the public internet.
The leaked data consisted of over 100 million records dated from 2019 to 2024, spread across 25 separate indices, with some datasets ballooning to more than 200GB in size.
What was leaked?
Many leaked records contained highly sensitive personal and organizational information, including:
Full legal names, including history of previous names
Swedish personal identity numbers
Date of birth and gender
Address history, both in Sweden and abroad
Civil status and information about deceased individuals
Foreign addresses for emigrants
Debt records, payment remarks, bankruptcy history, property ownership indicators
Income tax data spanning several years (2019–2023)
Activity and event logs (including income statement submissions, migration status, and address updates)
No longer a neutral state, Sweden is now facing a wave of cyberattacks targeting key institutions.
Sweden is under attack, Prime Minister Ulf Kristersson said on Wednesday, following three days of disruptions targeting public broadcaster SVT and other key institutions.
"We are exposed to enormous cyberattacks. Those on SVT have now been recognised, but banks and Bank-id have also been affected," Kristersson told journalists in parliament.
The attacks have been identified as Distributed Denial-of-Service (DDoS) events and disrupted services, raising concerns about the resilience of Sweden’s digital infrastructure.
While Kristersson did not name a specific perpetrator, he referred to earlier reports by the Swedish Security Service, which has identified Russia, China, and Iran as frequent actors behind such cyber operations.
The incidents have heightened concerns about vulnerabilities in Sweden’s cybersecurity systems and underscored the growing threat to critical infrastructure in one of the world’s most connected nations, where over 93% of households have internet access.
Cybersecurity experts have warned that such breaches could escalate, impacting not just digital services, but also public trust.
The attacks come amid heightened geopolitical tensions. Sweden's recent accession to NATO and its support for Ukraine have likely made it a more prominent target for cyberattacks, including those originating from hostile states.
Previously known for its military neutrality, Sweden now faces what Kristersson described earlier this year as a "new and more dangerous reality" since joining NATO in 2024.
As part of its pledge to meet NATO's 2% of GDP defence spending target, the Swedish government has committed to invest heavily in cybersecurity and military capabilities.
Another undersea data cable, this time connecting Sweden and Latvia, has been severed in the Baltic Sea, officials from both countries said Sunday. The incident prompted Sweden to launch a criminal probe into the matter and seize a "suspect vessel" headed for Russia.