A significant cyberattack has reportedly targeted CGI Sverige, the Swedish subsidiary of the global IT consulting firm CGI Group, leading to the alleged leak of sensitive source code and other materials. This incident, confirmed by Swedish authorities, raises significant concerns given the widespread use of e-government services in the nation and appears to be part of a broader campaign by a notorious threat actor.
The Breach Unfolds
Cybersecurity circles and local media first reported the claims of a threat actor self-identifying as ByteToBreach, who published material purportedly originating from CGI Sverige. CGI acknowledged an incident involving two internal, non-production test servers on which an older application version and its source code were accessible, but the company initially stated that no customer production data or operational services were compromised. The severity escalated when Carl-Oskar Bohlin, Sweden's Minister for Civil Defense, officially confirmed the data breach and announced a government investigation alongside CERT-SE and the National Cybersecurity Center. IT security expert Anders Nilsson further corroborated the authenticity of the compromised resources, lending credibility to the hacker's claims.
Unveiling Potential Risks and Broader Campaigns
The implications of the leaked data extend well beyond the initial assessments. Although CGI indicated that the breach affected only test environments, the files could potentially contain sensitive information such as the source code for e-government platforms, internal staff databases, citizens' personally identifiable information (PII), and electronic signature documents. Given that approximately 95% of Sweden's population used e-government services in 2024, the exposure of such foundational code, even from test systems, carries a real risk of enabling future attacks by helping adversaries locate vulnerabilities in public-facing systems. Furthermore, the incident is not isolated. The threat intelligence platform Threat Landscape has warned that ByteToBreach is actively targeting public-facing cyber infrastructure across Sweden and Europe. The same actor was responsible for the Viking Line breach just a day earlier, suggesting a concerted and ongoing campaign against critical European infrastructure that may be leveraging CGI's managed services footprint as an entry point. This context elevates the CGI Sverige breach from a single security lapse to one component of a wider and more concerning pattern of cyber aggression.