Finland sees fourfold spike in ransomware attacks since joining NATO, senior cyber official says
Ransomware attacks targeting Finnish organizations have increased four-fold since the Nordic country began the process of joining NATO last year, according to a senior official.
In an interview with Recorded Future News on Thursday, Sauli Pahlman, the deputy director general for Finland’s National Cyber Security Centre (NCSC), cautioned that “correlation doesn't equal causality,” but said he believed the surge in cases was linked to geopolitics.
Finland, which had historically declared itself to be a non-aligned country – in part due to troubled relations with Russia, with whom it shares an 830-mile border – applied to join NATO following the invasion of Ukraine.
In June, the country expelled nine diplomats from the Russian embassy in Helsinki and accused them of undertaking intelligence missions in contravention of the Vienna convention on diplomatic relations.
The expulsion of alleged Russian intelligence officers throughout Europe prompted the head of the Finnish Security Intelligence Service (SUPO) to warn last year that Russia would “turn to the cyber environment” for espionage due to challenges impacting its human intelligence work.
At the time, SUPO's director Antti Pelttari said that the agency considered it “unlikely that any cyberattack will paralyze critical infrastructure [in Finland] in the near future.”
NCSC’s Pahlman echoed this position, telling Recorded Future News he didn’t “consider it very likely that we [will] really see a cyber incident in Finland that really closes down something that's critical for society — food, electricity, water — on a wide scale.”
But the NCSC still issued a public alert last September, elevating the cyber threat level to encourage organizations and the public to be aware of the potential for disruptive incidents. The threat level “continues to be elevated as we speak, the situation hasn't changed,” said Pahlman.
The number of cyber incidents which Pahlman said were clearly perpetrated by state-sponsored actors “has not, at least up to today, increased in a way that I could say that there has really been a step-up. [But] what we can certainly say is that the ransomware cases — which tend to have much obviously more severe consequences, at least for the targeted organizations — those have increased.”
Last October, the country’s Computer Emergency Response Team said it had received more notifications about distributed-denial-of-service (DDoS) attacks than it had ever received before — equivalent to a quarter of what it normally is alerted to throughout an entire year.
There is a “huge variety of different incidents, you know, from a totally harmless DDoS [targeting] a website almost no one ever visits, to a ransomware attack which blocks the production or operation of something that is, if not critical, at least important to society, or part of it,” said Pahlman.
“There's a lot of stuff that falls in between these, but if we look at the numbers over the past couple of years, the overall volume of the incidents we detect or get reported, we see a pretty steady increase.”
The most visible change for Finland’s NCSC has been the increase in the number of ransomware incidents, which have gone up as much as “four-fold, even compared to the volumes we were seeing or were getting reported in 2021,” said the deputy director general.
But fortunately Finland hasn't seen any incidents that have been so disruptive as to be publicly visible. Pahlman credits the “quite high” level of preparedness among Finnish organizations compared to their international counterparts.
The role of resilience as part of an effective cyber defense has been increasingly questioned by Western officials who are observing the increasing number of cyberattacks targeting both the public and private sectors.
In a recent essay, NATO’s assistant secretary general for emerging security challenges, David van Weel, called for “a shift away from the mentality of relying exclusively on deterrence by denial—persuading an adversary not to attack by convincing it that an attack will not achieve its intended goal. Instead, we need to foster an entirely new mindset regarding how to operate, compete, and, if necessary, fight in the cyber domain.”
Van Weel’s colleague, Christian-Marc Lifländer, the head of NATO's cyber and hybrid policy section, compared the situation to the metaphor of a frog being slowly boiled alive in a recent interview with Recorded Future News.
Pahlman said he was similarly concerned: “It's been happening for years and if it keeps happening then things aren't going in the direction we want them to go... the situation isn't critical in any way, it's just a trend that will become a problem in 5 or 10 years if it continues.”
He said attributing attacks “doesn’t hurt, it's another tool in the toolkit which probably has a positive impact on the diplomatic level,” and said “more tools in this toolkit are really needed,” although he didn’t have “a strong opinion” on what those tools were.
“Obviously, offensive [capabilities], attacking back, is something that's publicly discussed often... The world's superpowers, the larger states, they all have offensive capabilities, we've read about them over the years, however at least statistically they haven't been able to save these nations from being targeted by attacks, sometimes even in pretty severe cases,” said Pahlman. “So I don't believe there's a single silver bullet.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.