Sweden’s national power grid operator, Svenska kraftnät, has confirmed it suffered a data breach following a claim by the Russia-linked cybercrime group known as the Everest ransomware gang. The hackers say they obtained 280 gigabytes of data from the operator, though the exact contents of the theft remain unknown.
According to the operator’s head of information security, the breach was discovered after a security researcher alerted the company that Everest had posted data on its leak platform. The operator said it is investigating the incident, and emphasised that its electricity supply remains unaffected.
The company stated that an external file transfer solution was compromised. Officials emphasised that, while data was accessed, there is no indication that vital operational systems were impacted. The investigation is ongoing, and authorities have not publicly disclosed what types of records were exposed.
Meanwhile, Everest claimed on its leak site that it accessed hundreds of gigabytes of data from Svenska kraftnät, and threatened to release more unless its demands are met. However, the operator has not confirmed whether the data is genuine or what the full impact may be.
Why critical infrastructure organisations are targeted
Operators of national grids and other infrastructure are attractive targets because they manage large volumes of sensitive data and form part of essential services. Attackers may use stolen information for extortion, to gain a strategic advantage, or to cause disruption indirectly.
In this case, the fact that operational systems were unaffected shows how attackers may focus on data theft rather than direct sabotage. The operator’s rapid acknowledgement of the incident and its cooperation with authorities reflect the growing focus on response and transparency in infrastructure breaches.
What this means for users and national security
While there is currently no threat to Sweden’s electricity supply, the breach raises questions about the security of non-core systems that support critical infrastructure. External file transfer tools, access portals, and data warehouses are common attack vectors. Organisations must treat them as part of the attack surface.
From a national security perspective, the attack illustrates the evolving tactics of cybercrime and ransomware groups. Instead of targeting operations directly, adversaries increasingly seek data for leverage, either through ransom or publication. That shift complicates detection and mitigation efforts, especially when data becomes a commodity.
What Svenska kraftnät is doing next
Svenska kraftnät said it is working with Swedish law enforcement and cybersecurity agencies to determine the full scope of the breach. The company is reviewing the impacted tool, assessing any data exposed, and strengthening its security posture accordingly. The company also committed to providing updates as the investigation proceeds.
The operator also clarified that electricity transmission operations remain stable and unaffected at this time. That assurance aims to maintain public trust and reassure stakeholders that the incident has not compromised grid reliability.
