Nordic Watch Threat Insights - July 2025
We share this regular Nordic roundup to provide a timely selection of threat intelligence developments in the Nordics. We gather and analyse this threat intelligence from both open sources and our own resources.
Finland
- Interference with Automatic Identification Systems (AIS) used for navigation in the maritime industry has been detected in the Gulf of Finland, once again making headlines. Vessels near the Finnish-Russian maritime border appear to move in circles due to spoofed GPS or tampered AIS signals. Experts link the activity to attempts to obscure Russia’s shadow fleet operations amid sanctions and advise sailors to remain cautious of the interference.
- A user on a dark web forum was distributing two separate combo lists containing Finnish email addresses (.fi domains), while the pro-Russian hacktivist group Dark Storm Team targeted Suomen Pankki and BOFIT with DDoS attacks.
Norway
- The Nightspire and Sarcoma ransomware groups claimed to have stolen 78 GB from Norgehus (home building), DataTrykk (graphic design firm), and Lars Myhre Østfold AS (an engineering-consulting firm).
- Chinese state-sponsored hacking group Mustang Panda has intensified espionage operations across Europe (including Denmark and Norway), targeting government and maritime organizations using malicious USB drives and advanced Korplug malware loaders.
Denmark
- Esbjerg Port in Denmark, a key NATO hub, has faced millions of cyber attacks since the war in Ukraine began. Attacks intensify during U.S. military shipments, with a recent DDoS surge exceeding million attacks in just 23 hours. Officials suspect Russia is seeking intelligence on NATO activities.
- Arla Foods, a Danish-Swedish multinational cooperative, suffered a cyberattack that left a dairy facility in Germany offline for nearly two weeks, disrupting the production of skyr and yogurt. The attack is believed to have exploited a critical vulnerability in SAP NetWeaver software. Operations at other Arla sites remain unaffected.
Sweden
- Play and Sarcoma ransomware claimed AKJ Energiteknik (an energy sector specialist in installations and servicing) and APH Svenska (a flower importer) as victims, with 174 GB stolen.
- In Kalmar Region, a government employee is suspected of a data breach after accessing a relative's medical records.
- A hacker going by the moniker 0x1 is attempting to sell WordPress Shop Admin access to an unnamed online shop in Sweden. The threat actor is asking a minimum of USD 500 for the access.