A representative of NCSC-FI shared some lessons learned from a 2024 data breach affecting the Finnish capital
# Incident Report: Helsinki City Data Breach via Unpatched Firewall
## Executive Summary
A significant data breach occurred at the City of Helsinki in April 2024, resulting from the exploitation of an outdated Cisco firewall appliance, exposing sensitive personal data belonging to over 300,000 individuals. The incident involved initial brute force attacks leading to credential compromise, subsequent lateral movement, and the exfiltration of approximately 2TB of documents. The National Cyber Security Centre of Finland (NCSC-FI) provided extensive support in containment, technical remediation, and communication planning until the situation stabilized.
## Incident Details
- Discovery Date: April 30, 2024 (report filed to NCSC-FI at 11:30 PM)
- Incident Date: Began on or before April 30, 2024
- Affected Organization: City of Helsinki (specifically the Education Division - KASKO)
- Sector: Government/Municipal Services
- Geography: Helsinki, Finland
## Timeline of Events
### Initial Access
- Date/Time: Pre-April 30, 2024 (Exact start unknown, but related to old credentials)
- Vector: Exploitation of a vulnerability on a Cisco ASA 5515 firewall appliance.
- Details: The attacker first ran brute force attacks against the system, then exploited a vulnerability over a remote connection made with Cisco AnyConnect software, gaining remote access with credentials found on the dark web. The appliance had not been updated since 2016.
### Lateral Movement
- Following the initial compromise, the attacker moved laterally within internal systems, gaining privileged access to Microsoft Active Directory, a virtualization server, and a backup server.
### Data Exfiltration/Impact
- Approximately 10 million documents, totaling 2TB of data, were stolen.
- The compromised data affected over 300,000 people, including city employees, childcare benefit applicants, school staff, and students.
- No passwords were compromised in the breach, and no ransom demand was issued.
### Detection & Response
- **April 30, 2024:** City of Helsinki filed a report concerning a potential breach to NCSC-FI.
- **May 1, 2024:** Public disclosure issued, impacting the Education Division (KASKO).
- **Within days:** The infected Cisco ASA firewall appliance was identified.
- **May 9, 2024:** NCSC-FI formally began providing high-level support (Special Case), allocating 10-20 staff for technical remediation, compliance, and communication.
- **May 30, 2024:** NCSC-FI conducted an internal 'lessons learned' session.
- **June 2024:** NCSC-FI stabilized involvement; technical guidance continued until the end of the month.
- **July 2024:** Safety Investigation Authority of Finland (SIAF/OTKES) began its forensic investigation.
- **June 17, 2025:** SIAF published its technical report.
## Attack Methodology
- **Initial Access:** Brute force combined with a vulnerability exploit against an outdated, internet-facing Cisco ASA firewall appliance (last updated 2016) via Cisco AnyConnect. Credential reuse from the dark web was leveraged.
- **Persistence:** Not explicitly detailed, but maintaining access was required to complete data theft.
- **Privilege Escalation:** Gained privileged access to Active Directory and other critical servers post-initial access.
- **Defense Evasion:** Not explicitly detailed, but the compromise of an edge device allowed access before common internal defenses might have triggered.
- **Credential Access:** Used credentials found on the dark web to exploit the AnyConnect connection.
- **Discovery:** Likely involved reconnaissance on the internal network using compromised AD access.
- **Lateral Movement:** Movement to virtualization and backup servers.
- **Collection:** Gathering approximately 2TB of documents.
- **Exfiltration:** Data theft occurred, though methods are not specified.
- **Impact:** Massive exposure of personal data relating to city residents and employees.
## Impact Assessment
- **Financial:** Helsinki has a budget of €4-5m ($4.6-5.8m), but specific recovery costs are not detailed.
- **Data Breach:** Sensitive personal data of over 300,000 people, including city employees, childcare applicants, and students. Approximately 2TB of data stolen.
- **Operational:** Initial disruption requiring significant cross-agency response mobilization.
- **Reputational:** High public profile incident due to the organization being the capital city and largest employer.
## Indicators of Compromise
- **Network indicators (Defanged):** No specific addresses or domains were published; the network-level activity was exploitation over Cisco AnyConnect remote connections to the edge device.
- **File indicators:** N/A - Focus was on device compromise and data exfiltration.
- **Behavioral indicators:** Brute force attempts preceding successful remote exploitation; privileged access attained on AD, virtualization, and backup servers.
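The behavioral indicator above (a burst of failed VPN logins followed by a successful one) is the kind of pattern an edge-device log pipeline can flag. The following Python is an added example, not code from NCSC-FI or the report: it runs over constructed log lines written in the shape of Cisco ASA AAA syslog messages (113005 rejected, 113004 successful; the exact field layout is an assumption), and raises an alert when a successful AnyConnect login is preceded by a threshold of rejections from the same source IP inside a time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines shaped like Cisco ASA AAA syslog messages
# (113005 = authentication rejected, 113004 = authentication succeeded).
# The field layout is an assumption for this example, not from the report.
SAMPLE_LOG = """\
May 01 2024 02:14:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = j.smith : user IP = 203.0.113.7
May 01 2024 02:14:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = j.smith : user IP = 203.0.113.7
May 01 2024 02:14:08 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = a.doe : user IP = 203.0.113.7
May 01 2024 02:14:11 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = m.lee : user IP = 203.0.113.7
May 01 2024 02:14:20 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = m.lee
May 01 2024 09:00:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = k.ng : user IP = 198.51.100.9
May 01 2024 09:00:30 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = k.ng
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<id>\d{6}): "
    r".*?user = (?P<user>\S+)(?: : user IP = (?P<ip>\S+))?"
)
REJECTED, SUCCESS = "113005", "113004"

def detect_bruteforce_then_success(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return (timestamp, user, source_ip, rejection_count) for each login success
    preceded by >= threshold rejections from one source IP inside the window.
    Success lines carry no IP, so the user's last rejected-login IP attributes it."""
    rejections = defaultdict(deque)   # source IP -> timestamps of rejections
    last_ip = {}                      # user -> IP seen on that user's last rejection
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        if m["id"] == REJECTED and m["ip"]:
            q = rejections[m["ip"]]
            q.append(ts)
            while q and ts - q[0] > window:   # forget rejections older than the window
                q.popleft()
            last_ip[m["user"]] = m["ip"]
        elif m["id"] == SUCCESS:
            ip = last_ip.get(m["user"])
            recent = [t for t in rejections.get(ip, ()) if ts - t <= window]
            if ip and len(recent) >= threshold:
                alerts.append((ts, m["user"], ip, len(recent)))
    return alerts

if __name__ == "__main__":
    for ts, user, ip, n in detect_bruteforce_then_success(SAMPLE_LOG):
        print(f"ALERT {ts}: {user} logged in from {ip} after {n} rejected attempts")
```

Password spraying across several accounts from one IP is counted per source IP rather than per user, which is why the spray against j.smith, a.doe and m.lee trips the alert while k.ng's single typo does not.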
## Response Actions
- **Containment:** Technical remediation efforts advised by NCSC-FI focusing on the compromised firewall (implied removal or patching/replacement).
- **Eradication:** Focused heavily on clearing the threat from internal systems utilizing NCSC-FI technical guidance.
- **Recovery:** Planning for communication, compliance mandates, and data breach reporting (victims notified after initial assessment corrections).
## Lessons Learned
- Cyber incidents involving the compromise of **unpatched or obsolete edge devices** must be treated as critical incidents.
- Organizations must pre-prepare for the **logistics of incident response**, including defining communication tools and operational templates beforehand.
- Incident response task forces must include a **diverse range of profiles**, specifically those with prior cyber incident experience and those with fresh external perspectives.
- Incident responders should maintain professional communication channels (keep chats clean) and **share information proactively** to fill potential information vacuums.
## Recommendations
- **Vulnerability Management:** Immediately establish and strictly enforce patch cadence, especially for internet-facing edge devices (e.g., VPN concentrators/firewalls should not be running software versions 8 years out of date).
- **Credential Hygiene:** Implement stronger controls or MFA for remote access mechanisms like VPNs, regardless of reported dark web credential exposure.
- **IR Preparedness:** Develop and rehearse formalized Incident Response playbooks that address communication strategies and task force composition before an event occurs.
- **Risk Prioritization:** Develop internal frameworks (similar to the NCSC-FI's planned three-tier system) to effectively triage and allocate organizational resources to critical incidents quickly.