"I can confirm there has been a severe and large hacking in the ministry's data network," Tuomioja told reporters on Thursday. It would appear that the breach was discovered last spring, and had been ongoing for several years. MTV3 has suggested (Google translation) that it is not certain that the infection has yet been fixed. Tuomioja said that the Finnish intelligence service is investigating the breach as a case of serious espionage.
The ministry of foreign affairs CIO, Ari Uusikartano, has described the malware as similar to but more sophisticated than Red October (Rocra). Rocra has in the past been implicated in large-scale espionage against numerous governments in east and west Europe, North America and central Asia.
Tom Goren Bar, a data security researcher at Imperva, described Red October's capabilities earlier this year. “The potential bounty that can be extracted from... victims is varied both in content and in type: documents and presentations of meeting summaries and strategic plans, database financial records, CRM records, technical blueprints of weapons and infrastructure, sensitive email conversations and more,” he said.
The MTV3 report claims that the breach was not discovered by the Finns themselves but came to light through a foreign tip-off reported to CERT.FI, and that the Finnish authorities kept the information under wraps.
Although MTV3 pointed the finger at Russia or China, Tuomioja declined to name any suspects, or even to suggest whether it specifically involved state or non-state attackers. Stonesoft's Jarno Limnell pointed out that it is difficult to be certain where an attack originates: "At this stage it is very difficult to say where the espionage against Finland originated." Nevertheless, he added, it would not be surprising to find that espionage on this scale is state-sponsored. "This is the modern reality," he said, "states spy in the digital world just as actively" as cybercriminals.
Tuomioja insisted that Finland's most sensitive state secrets, kept on a separate system, were not affected by the intrusion. The primary target seems to have been Finland's communications with the European Union. He suggested that other European countries had also been affected, but declined to name them since an investigation is ongoing.