A threat actor calling itself ByteToBreach claims to have leaked the complete source code of Sweden’s e-government platform, after allegedly compromising CGI Sverige AB’s infrastructure. The leak includes the full source code for critical government services, API documentation, signing systems and embedded credentials that could enable further attacks across Sweden’s digital government ecosystem.
ByteToBreach published the leaked materials on 12 March across multiple open web forums and file-sharing platforms, according to Threat Landscape and Dark Web Informer. CGI Sverige AB is the Swedish subsidiary of CGI Group, a global IT services firm that manages critical digital infrastructure for the Swedish government. The actor has made the source code available for free while selling citizen databases and electronic signing documents separately.
The Leak Exposes Sweden’s Digital Government Architecture
About 96% of Sweden’s 10.7 million population used e-government services in 2025, according to Eurostat.
According to an analysis by International Cyber Digest, the leaked repositories appear to originate from an internal CGI GitLab instance. The exposed code includes core government platforms that millions of Swedes interact with daily: Mina Engagemang citizen services, the Signe electronic signature portal and the Företrädarregister authorization system that governs legal representation for organizations.
The leak also contains database passwords, SMTP credentials, keystore files and embedded Git credentials, exactly the type of authentication material that enables lateral movement through connected systems. Swedish IT security expert Anders Nilsson told SVT that “source code for several programs appears to exist, and from what I can see, the hack looks genuine.”
That assessment matters because source code exposure creates what security researchers call a “detailed roadmap for future attacks.” Every API endpoint, authentication mechanism and integration point is now visible to anyone with access to the leaked material.
ByteToBreach Compromised Jenkins and Escaped to Docker
ByteToBreach documented their attack methodology in the leak release, detailing how they achieved full compromise of CGI Sverige’s infrastructure through a Jenkins CI/CD server. The attack chain involved exploiting Jenkins misconfigurations, escaping from the Docker container to the host via the Jenkins user’s Docker group membership, pivoting through SSH private keys, extracting credentials from Java heap dump files and executing OS commands through SQL copy-to-program pivots.
This is the same actor behind the Viking Line breach posted one day earlier, suggesting an active campaign against Swedish infrastructure via CGI’s managed services footprint. ByteToBreach explicitly rejected the usual “third-party breach” framing, stating in their release that “this compromise belongs clearly to CGI infrastructure.”
CGI stated in an updated statement on 17 March 2026 that the incident affected a limited number of internal test servers in Sweden that were not in production. The company said there is no indication that production environments, production data or operational services were impacted. Affected customers have been notified.
The actor’s choice to make the source code freely available while selling citizen data separately indicates their primary motivation may be causing maximum disruption to Sweden’s digital government rather than purely financial gain. That strategic choice makes the breach more dangerous: source code in the wild enables other threat actors to develop their own exploits.
What Swedish Organisations Must Do Now
Any Swedish organisation that integrates with government e-services should audit those API connections immediately and rotate all credentials used in government-adjacent systems. The leaked source code contains enough architectural detail to enable targeted attacks against organisations that rely on these platforms for authentication or data exchange.
Electronic signing outputs should be treated with elevated scrutiny pending a full incident assessment by Swedish authorities. The Signe portal configurations and signing workflow templates are among the exposed materials, potentially compromising the integrity verification process for electronically signed documents.
Jenkins administrators across Sweden should assume their CI/CD pipelines are misconfigured until proven otherwise. The attack methodology ByteToBreach used, Docker group escalation from Jenkins users, is a common misconfiguration that exists in many environments. Review user permissions and container access controls now.
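One way to run the permission review described above, as an added example that is not part of the original article or of any CGI tooling: a POSIX shell audit that lists every account in the docker group, including accounts that hold it as their primary group and therefore never appear in the group file's member list. The function names, the gitlab-runner account and the sample group and passwd entries are constructed for illustration; on a real host, pass /etc/group and /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the article. Lists accounts that can reach the Docker
# daemon via the "docker" group; that membership is equivalent to root on the host.

# docker_group_members GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Prints one account per line, sorted and de-duplicated.
docker_group_members() (
    group_file=$1; passwd_file=$2; group_name=${3:-docker}
    # Field 3 of a group entry is the numeric GID.
    gid=$(awk -F: -v g="$group_name" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || exit 0          # group not present: nothing to report
    {
        # Supplementary members: comma-separated list in field 4 of the group entry.
        awk -F: -v g="$group_name" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$group_file"
        # Primary members: passwd field 4 equals the GID. These accounts are not
        # listed in the group entry, so a review of the group file alone misses them.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
)

# flag_ci_accounts GROUP_FILE PASSWD_FILE ACCOUNT...
# Prints each named CI service account that is in the docker group.
flag_ci_accounts() (
    group_file=$1; passwd_file=$2; shift 2
    members=$(docker_group_members "$group_file" "$passwd_file")
    for acct in "$@"; do
        printf '%s\n' "$members" | grep -Fqx -- "$acct" && printf '%s\n' "$acct"
    done
    exit 0
)

# Constructed sample data (not taken from the leak or from any real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/group" <<'EOF'
root:x:0:
docker:x:998:jenkins,alice
jenkins:x:1001:
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
jenkins:x:1001:1001::/var/lib/jenkins:/bin/sh
gitlab-runner:x:1002:998::/home/gitlab-runner:/bin/sh
EOF
flag_ci_accounts "$demo_dir/group" "$demo_dir/passwd" jenkins gitlab-runner
rm -rf "$demo_dir"
```

Any CI service account this prints should be removed from the group, with builds that need containers moved to a mechanism that does not hand the build user the host's Docker socket.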
References
- Sweden E-Government Source Code Leaked via CGI Sverige AB Breach – Threat Landscape
- Full Source Code of Sweden’s E-Government Platform Leaked From Compromised CGI Sverige Infrastructure – Dark Web Informer
- International Cyber Digest: Sweden E-Government Source Code Analysis
- Data: Swedish government IT system hacked – Sweden Herald
- Data Breach Statistics 2025-2026 – BitSight Technologies
- Sweden Investigates Suspected Hack of E-Government Platform
- Sweden probes reported leak of e-government platform source code
- CGI informs about incident related to internal test servers