Sweden’s Power Grid Breach: Proof That IT Is the New Weak Link

Lessons from the Svenska kraftnät breach and the new face of ransomware.

Okay, mi gente, let’s talk about something serious that just happened in Sweden. It’s a story every country running critical infrastructure should pay close attention to.

Late October 2025, Svenska kraftnät, Sweden’s state-owned power grid operator, was hit by a cyberattack. The culprits? The infamous Everest ransomware gang.

Now, here’s the good news first: the lights in Sweden stayed on. The attack didn’t reach the operational systems that control electricity flow.

But ¡ojo! (watch out), the hackers managed to steal around 280 GB of data from an external file transfer system. That’s a lot of potential secrets, internal docs, maybe even credentials.

The timeline shows how fast things escalated. On Saturday, Oct. 25, Svenska kraftnät noticed suspicious activity on an isolated file transfer server. That same night, Everest boasted about their conquest on the dark web, threatening to leak the stolen files if the company didn’t “talk.”

By Sunday morning, Svenska kraftnät had gone public, confirming the breach and reporting it to the police. No hiding, no delay. They owned up fast. That transparency? Muy bien.

Data Theft, Not Encryption: The New Ransomware

So, what’s really going on here? This wasn’t your old-school ransomware where files get encrypted.

No, amigos. This was data theft and extortion.

Everest didn’t bother locking anything; they just stole the data and used the threat of exposure as their weapon. This “no encryption” trend is becoming the new flavor of ransomware: lower noise, same pain.

Here’s what made the difference: segmentation. The breached server was isolated from the control network. That saved them from disaster. The hackers couldn’t jump from IT to OT (Operational Technology).

This, my friends, is why we separate business systems from operational systems like oil and water.

Big Lessons for Critical Systems

Still, there are big lessons here for everyone managing critical systems:

  • Monitor your exposed assets. The file transfer system was internet-facing. That’s like leaving a side door unlocked. You better have a camera and an alarm on it.
  • Patch fast, patch smart. In 2025, ransomware groups are hunting for file transfer vulnerabilities like sharks smelling blood.
  • Segment everything. Svenska kraftnät’s network design kept the grid safe. Without that, this story could’ve ended very differently.
  • Communicate clearly. Their CISO, Cem Göcgören, did it right: fast public confirmation, calm tone, close coordination with CERT-SE and MSB. That’s how you keep trust when everything’s on fire.
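As an added illustration of the first and third lessons above (this is example code, not anything from the article or from Svenska kraftnät), the Python script below runs two checks over a constructed transfer log: how much each host sent outside the company compared with an assumed daily baseline, and whether the file-transfer zone ever reached an assumed OT address range. The log format, hostnames, subnets and threshold are all assumptions chosen for the example.

```python
"""Egress-volume and IT-to-OT checks over a constructed file-transfer log.

Added example, not code from the article or the operator. Log format,
hostnames, subnets and the baseline threshold are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: timestamp, source host, destination IP, bytes sent.
SAMPLE_LOG = """\
2025-10-25T01:10:02 mft-ext 203.0.113.7 52428800
2025-10-25T01:12:40 mft-ext 203.0.113.7 734003200
2025-10-25T01:15:09 mft-ext 203.0.113.7 1258291200
2025-10-25T01:20:31 mft-ext 10.50.0.12 4096
2025-10-25T02:00:00 web-dmz 198.51.100.5 20480
"""

INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]   # assumed corporate address space
OT_NETWORKS = [ip_network("10.50.0.0/16")]       # assumed control-network range
EGRESS_LIMIT_BYTES = 1 * 1024 ** 3               # assumed per-host daily baseline (1 GiB)


def parse_log(text):
    """Parse one record per line into (timestamp, host, dst_ip, bytes)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, host, dst, nbytes = line.split()
            records.append((ts, host, ip_address(dst), int(nbytes)))
    return records


def egress_by_host(records):
    """Sum bytes each host sent to destinations outside the internal ranges."""
    totals = defaultdict(int)
    for _, host, dst, nbytes in records:
        if not any(dst in net for net in INTERNAL_NETWORKS):
            totals[host] += nbytes
    return dict(totals)


def find_alerts(records):
    """Flag hosts over the egress baseline and any transfer into an OT range."""
    alerts = []
    for host, total in egress_by_host(records).items():
        if total > EGRESS_LIMIT_BYTES:
            alerts.append(f"egress-volume {host} {total}")
    for ts, host, dst, _ in records:
        if any(dst in net for net in OT_NETWORKS):
            alerts.append(f"it-to-ot {host} -> {dst} at {ts}")
    return alerts
```

On the sample data the file-transfer host trips both checks: roughly 1.9 GiB left the network in a few minutes, and one record shows it talking into the OT range at all, which a segmented design should make impossible.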

Who Are These Hackers?

And the hackers? Everest is no small-time crew. They are Russian-speaking, financially motivated, and always chasing high-value targets: airports, aerospace, and now a power grid operator.

They love the drama. They don’t care about politics, just dinero and reputation.

The Real Takeaway

So, what can we learn here? Even when the power keeps flowing, a data breach in a national grid operator shakes confidence. It shows how information security is part of energy security.

The attack reminds us: the threat isn’t always to the turbines or the substations. Sometimes it’s the systems around them, the quieter corners, that open the door.

In the end, Sweden’s lights stayed on thanks to good design and fast action. But the countdown for the data leak still looms, and the story isn’t over yet.

Stay sharp, amigos. Keep your networks segmented, your patches current, and your crisis playbook ready. Because as we’ve seen, even the most secure grid can be threatened by just one exposed server.

Electricity stayed safe this time, but cybersecurity must stay ahead to keep it that way. Stay Safe!
