
DDoS attack on Nordea: this is what happened

In September 2024, Nordea suffered the largest DDoS attack in its history. In this article, we take you behind the scenes of what actually happened – from the very first signs of the attack to the crisis management taking place in the control room.

24. Sep 2025

Like other companies, Nordea is occasionally exposed to DDoS attacks by external parties.
Therefore, no IT security employees initially panicked when Nordea was exposed to a DDoS attack in September 2024.

The attacks were professionally and calmly repelled as part of the bank’s digital defence. But in the days that followed, the attacks persisted. Later, it became apparent that Nordea had been subjected to the largest DDoS attack in the bank's history – and, according to its DDoS defence partner, the largest attack in the Nordic countries.

“This is not just some random guy in a basement,” said senior executive Mads Skovlund Pedersen in October, when he gave an account of the attack to the online finance paper Finanswatch (in Danish).

He made it clear that he had never seen anything like it in his five years as a country senior executive for Denmark.

The attack also came as a surprise to Rune Espensen, Head of Information Security Office at Nordea.

He has worked in IT security for 25 years. Being part of Nordea's second line of defence, he oversees the process rather than performing operational tasks. With direct ties to the management on all things cyber, he remains fully informed of developments at both the operational and strategic levels.

Rune Espensen recounts the events of September in our newsletter "Finans, it & tech".


DDoS (Distributed Denial of Service)

An attempt to overwhelm a system, typically a web server, with a flood of traffic to render it inaccessible. It is like sending thousands of fake customers to a shop, thereby preventing real customers from entering.

Previously, this would require high technical skills and access to special equipment. Today, a DDoS attack may be bought as a service – a bit like ordering a pizza.

The initial attacks

Rune Espensen is also a member of Nordea’s first response team. In the event of a serious incident – such as a cyber attack – that team is the first to be mobilised.

Given the serious consequences of downtime and data breaches, the first response team must react swiftly, accurately and in a coordinated manner.

Therefore, plans, exercises and phone chains have been prepared to ensure an effective response – even at 3.00 in the morning.

Fortunately, these contingency measures are seldom required, which is why they are practised regularly to keep the team ready.
On the morning of 13 September 2024, when Rune Espensen was informed of the incident, it was clear this was no drill.

“I'm notified of an irregular DDoS attack. We're used to that as it happens regularly. But this time, the impact was real, and that obviously changed the nature of the incident,” says Rune Espensen.
“As we’ve become good at mitigating DDoS attacks, we considered it a matter of routine, agreeing on the measures to take and expecting a calm weekend.”

On Saturday morning, while 29,000 people set out on the 21.0975-km Copenhagen Half Marathon, Rune Espensen received another phone call. The DDoS attacks had not stopped. This took place while a planned failover test was to be performed, shutting down one of Nordea's data centres to test its resilience.

In practice, this implied that Nordea’s IT infrastructure was functioning at limited capacity.

As the DDoS attacks had been mitigated and all systems were running as planned, it was assessed that the test could continue.

Rune Espensen, Head of Information Security Office at Nordea.

Nordea's IT systems starting to show signs of weakness

The attacks continued on Sunday, giving rise to suspicions that something major was unfolding.

As the situation repeated itself on Monday, Nordea’s IT systems began to show the first signs of weakness. Services started to become inaccessible, and customers were occasionally unable to log on to their online bank.

“Unfortunately, we are currently facing technical challenges, which are affecting access to online and mobile banking,” Nordea informed the newspaper Ekstra Bladet on Monday 16 September.

Behind the scenes, Nordea's IT security team was trying to make sense of the situation. Over the weekend, they had successfully repelled the attacks and introduced appropriate protection against new ones – why did they continue? Why were the systems overloaded?

On Tuesday, the DDoS attacks escalated in both number and intensity. Services were once again down, and now, it was becoming serious.

“We're under attack. Not just a classic DDoS attack as we know them but an advanced and coordinated attack,” Rune Espensen recalls and continues:

"The surprising element was the complexity. Usually, we see one or two familiar DDoS techniques — but in this case, we identified around 15. That suggested an entirely different opponent than we're usually up against."

400 attacks in just over a month

As a consequence, parts of the failover test were cancelled to concentrate fully on responding to the attack.

During the approximately 40 days of the attacks, Nordea experienced the largest DDoS attack in the bank's history.

The bank systems were bombarded. 400 attacks in just over a month. That is a substantial number when the entire year had seen about 20.
During this period, Nordea also experienced a system failure, which only increased the considerable pressure that the IT systems were under. This had nothing to do with the DDoS attacks, but the group behind the attacks saw it differently.

“They reacted and intensified their efforts – probably believing that it was their work,” says Rune Espensen.

"So we're seeing not only an attack of immense scale and technical complexity, but also an opponent who is trying to exploit the situation tactically."

Nordea not the primary target

At this point, it is clear that Nordea is facing an adversary with resources and skills far beyond what you would expect from a teenager in a bedroom. Suspicions about a major player were only strengthened by the fact that Nordea’s incident response was not the only one being tested in this period.

“We know for certain that Nordea was not the primary target. The entire Swedish banking sector was affected, in addition to a few Finnish banks. We also saw similar attacks elsewhere in the world.”
According to Rune Espensen, customer data was at no point at risk.

The attack only prevented certain customers, during certain periods, from using online banking services. Since DDoS attacks are primarily designed to overwhelm systems and services, a financial motive seems unlikely. So that suggests another motive.

Rune Espensen's analysis is that it was about creating uncertainty and noise – so take a guess as to who might be interested in that.
“This is a type of destabilisation that we see more and more often: attacks which may not necessarily damage a specific company, but rather the trust and stability of society. The goal is to sow doubt among ordinary Danes: 'Is my money secure?'," says Rune Espensen and continues:

“Yes, your money was secure – the system was just overwhelmed by traffic."

Not worried

As a consequence of the incident, Nordea's DDoS defence has been further strengthened. It was already at a high level, Rune Espensen says.

“Our IT infrastructure is complex – we're a major bank, which obviously increases the IT security challenges,” he says and goes on:
“But even though it's complex, we're good at it. We comply with current regulations and exceed the regulated baseline in many areas. Of course, we're always considering whether areas need to mature or be improved,” he says.

"I sleep well at night. I'm confident that the bank's incident response is under control,” he adds.

Criminals share knowledge – we should too

Mads Skovlund Pedersen, and now Rune Espensen, are being relatively transparent about the advanced malicious calls, and not just to feed the press a good story.

It is about enhancing knowledge sharing in the sector.

“That’s why I’m talking to you right now – and why I’ve been telling people about it at conferences and on other occasions. It's no use keeping it secret,” says Rune Espensen and continues:

“We need to have a wider and more open conversation in society. We have to become wiser together, because we know that's what the criminals do. They share techniques, tactics and knowledge about how and when to attack. That’s why we also need to become better at sharing our experiences with the sector and society at large.”

Although, during the first days of the attack, many customers experienced online and mobile banking being down in certain periods, Nordea quickly gained control of the situation in cooperation with a supplier.

According to Rune Espensen, about 90 per cent of the attacks were mitigated.

"Almost all of the 10 per cent that had an impact took place in the first week – around 85 per cent. Once we understood the nature of the attack, we quickly determined how to respond.”
