The CloudNordic Ransomware Attack Could Have Been Stopped with Distributed Secrets Management

February 18, 2026 | Read Time: 7 minutes

In 2023, CloudNordic, a European cloud hosting provider, suffered a ransomware attack that destroyed customer data and backups simultaneously.

The outcome of the CloudNordic ransomware attack was bad enough for the company’s CEO to go on public radio and say he was “furiously sad” and that there would be no company left after recovery.

SplitSecure protects enterprises from attacks like the one that brought down CloudNordic

So, how did the CloudNordic ransomware attack destroy backups and ultimately shut down a business?

The core reason was that CloudNordic’s attacker was able to access administrative systems that had been granted unilateral authority to modify both live data and recovery data without independent constraint.

There was a single point of failure in CloudNordic’s secret management system.

CloudNordic's post-incident analysis revealed that the root cause of the extensive damage was a failure of separation of duties.

Below, we show you exactly what went wrong during the CloudNordic ransomware attack so you can avoid a similar situation in your organization.

The CloudNordic Ransomware Attack Chain

  1. Attackers compromised CloudNordic's internal network through an initial access vector that remains unknown.
  2. From there, they escalated into the internal customer management network.
  3. The attackers reached the control plane used to administer customer environments.
  4. Production workloads and backups were governed by the same administrative domain.
  5. Attackers encrypted both production systems and backups simultaneously.
  6. Customer virtual machines were rendered unusable. For many customers, recovery was not possible.

Unilateral Authority Created a High Risk of Business Failure

CloudNordic ran an ISO 27001-compliant operation, but it still had a core vulnerability: its administrative systems had unilateral authority over both live data and recovery data. Once an identity was trusted, its authority was unconstrained.

An attacker, therefore, only needed one path to an account with unconstrained authority to execute irreversible actions.

Below, we break down the critical points where CloudNordic’s security controls failed.

Control: why it failed
Access controls: Once access was granted, the account could unilaterally take irreversible action. The control existed at the gate, but not at the action.
Perimeter security: The attack came through legitimate internal channels after the initial compromise.
Monitoring and detection: Reactive. Alerts fire after the action is taken, and for irreversible actions, detection after the fact is too late.
Backup architecture: Production and backups existed in the same administrative domain. There was no independent recovery path.

Code Spaces Experienced a Similar Failure In 2014

Back in 2014, Code Spaces, a code-hosting provider, experienced a similar failure.

After an attacker gained access to the company's cloud management console, production systems and backups stored in the same account were deleted.

There was no independent recovery path. The company shut down within days.

The root cause was the same as CloudNordic’s: a single administrative domain controlled both production and recovery. Learn more on our Substack.

3 Lessons from the CloudNordic Ransomware Attack

The business risks from relying on reactive security controls are enormous, but beyond this high-level lesson, there are three core takeaways for data centre operators or any organization with a low tolerance for operational downtime:

  1. If administrative systems have unilateral authority over production and backups, a single breach can destroy both. Stronger authentication does not solve this; the control has to exist at the action itself.
  2. Separation of duties must be enforced by architecture, not policy. Multi-party approval for irreversible actions is not overhead; it is the only defense against single-point-of-failure attacks.
  3. The distinction between reversible and irreversible risk is what separates an incident from a company-ending event.

Distributed Secrets Management Would Have Mitigated The CloudNordic Attack

With SplitSecure, the attacker could not have executed the ransomware attack even after compromising internal systems. No single path leads to an account with unconstrained authority.

No single point of failure.

  • With SplitSecure, administrative secrets are split across multiple devices.
  • No single device ever holds a complete credential.
  • Attackers would need to compromise a majority of devices simultaneously.

Separation of duties enforced by architecture.

  • No single identity can destroy both production systems and their backups.
  • Multi-party approval required for actions with irreversible impact.
  • This is cryptographic enforcement, not policy documentation.

Every request logged automatically.

  • Cannot use the system without generating an audit trail.
  • Anomalous access patterns would have triggered alerts immediately.
  • Verifiable proof that controls were followed, not just that access was granted.
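As an added, worked illustration of the three properties above (no complete credential on any one device, multi-party approval for irreversible actions, every request logged), the Python below is not SplitSecure’s code and the page does not say which sharing scheme SplitSecure uses. It implements Shamir’s secret sharing over a prime field, which is one standard way to realise a k-of-n split, and puts an approval gate in front of a constructed list of irreversible actions. The approver names, the 3-of-5 threshold, the action names and the SHA-256 fingerprint used to verify a reconstructed key are assumptions made for the example.

```python
"""Threshold-held admin key plus action-level multi-party approval.

Added illustration, not SplitSecure's code. Shamir secret sharing over GF(P)
splits an admin key into n shares held by n distinct approvers: any k shares
reconstruct it, fewer reveal nothing. Irreversible actions need k approvers'
shares, the requester cannot count as one, and every request is logged first.
Approver names, action names and the threshold are constructed for the demo.
"""
import hashlib
import secrets

P = 2**127 - 1  # prime field modulus; keys assumed < 2**127 (16 bytes)
# Actions that cannot be undone within business timelines (constructed list).
IRREVERSIBLE = {"delete_backup", "wipe_volume", "destroy_kms_key"}


def _eval_poly(coeffs, x):
    """coeffs[0] + coeffs[1]*x + ... evaluated at x modulo P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Split secret into n shares (x, y); any k of them reconstruct it."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x=0; correct only with >= k distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # den^-1 by Fermat
    return total


def fingerprint(key):
    """Public check value stored at setup; does not reveal the key."""
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()[:16]


class ActionGate:
    """Puts the control at the action, not at the login."""

    def __init__(self, key_fp, quorum):
        self.key_fp = key_fp    # fingerprint of the complete admin key
        self.quorum = quorum    # k distinct approvers required
        self.audit_log = []

    def request(self, requester, action, shares_by_approver):
        # Keyed by approver identity, so one device resubmitting its own
        # share several times still counts as a single approver.
        entry = {"requester": requester, "action": action,
                 "approvers": sorted(shares_by_approver), "decision": None}
        self.audit_log.append(entry)  # logged before the decision, not after
        if action not in IRREVERSIBLE:
            entry["decision"] = "allowed"  # reversible: one identity suffices
            return True
        if requester in shares_by_approver:
            entry["decision"] = "denied: requester may not approve own request"
            return False
        if len(shares_by_approver) < self.quorum:
            entry["decision"] = "denied: quorum not met"
            return False
        # Cryptographic backstop: forged or stale shares reconstruct garbage.
        if fingerprint(reconstruct(list(shares_by_approver.values()))) != self.key_fp:
            entry["decision"] = "denied: shares do not reconstruct the admin key"
            return False
        entry["decision"] = "allowed"
        return True


def demo():
    """Run the scenarios from the text; returns decisions and audit-log size."""
    admin_key = secrets.randbelow(P)
    holders = ["alice", "bob", "carol", "dave", "erin"]  # constructed approvers
    shares = dict(zip(holders, split_secret(admin_key, k=3, n=5)))
    gate = ActionGate(fingerprint(admin_key), quorum=3)
    a, b, c = shares["alice"], shares["bob"], shares["carol"]
    results = {
        "reversible_solo": gate.request("alice", "rotate_log_retention", {}),
        "one_compromised_device": gate.request("mallory", "delete_backup", {"alice": a}),
        "below_quorum": gate.request("mallory", "delete_backup", {"alice": a, "bob": b}),
        "self_approval": gate.request("alice", "delete_backup", {"alice": a, "bob": b, "carol": c}),
        "forged_share": gate.request("ops-4711", "delete_backup", {"alice": a, "bob": b, "carol": (3, 42)}),
        "quorum_met": gate.request("ops-4711", "delete_backup", {"alice": a, "bob": b, "carol": c}),
    }
    return results, len(gate.audit_log)


if __name__ == "__main__":
    for name, ok in demo()[0].items():
        print(f"{name:24s} {'ALLOWED' if ok else 'denied'}")
```

The point to notice is where the check lives. An attacker who fully owns one approver's device holds one share, which is a uniformly random field element on its own and grants nothing; the quorum check is policy, but the fingerprint comparison is the cryptographic backstop, so a forged share or a lone compromised device cannot satisfy it even if the counting logic were bypassed. The audit entry is appended before any decision is made, so a denied request leaves the same trail as an allowed one. In a real deployment each share would stay on its holder's device and only a signature or a share contribution would cross the network; the example keeps everything in one process so it runs offline.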

CloudNordic Ransomware Attack FAQs

What was the CloudNordic ransomware attack?

In 2023, CloudNordic, a European cloud hosting provider, suffered a ransomware attack that encrypted both production systems and backups simultaneously, destroying customer data with no recovery path.

How did CloudNordic lose customer backups?

Production workloads and backups were governed by the same administrative domain. When attackers reached the control plane, they could encrypt both simultaneously.

What is separation of duties in cloud infrastructure?

Separation of duties ensures that no single identity can perform actions that could cause catastrophic damage alone. In cloud infrastructure, this means no single account should control both production systems and their backups.

How do you prevent a single compromised account from causing irreversible damage?

By requiring multi-party approval for high-impact actions and distributing secrets so that no single device holds complete credentials. This is the approach SplitSecure uses.

What is the difference between reversible and irreversible risk?

Reversible risks (like fraudulent bank transactions) can be flagged, paused, or reversed. Irreversible risks (such as wiped device fleets, deleted production clusters, or destroyed cryptographic keys) cannot be undone within business timelines.

Protect Your Organization From Irreversible Failure

See how SplitSecure's distributed secrets architecture prevents single-point-of-failure attacks on your most critical systems.

Tristan Morris
CEO, Co-Founder @ SplitSecure
A prodigy who started attending college at age 12. After graduating from Cornell with a degree in Aerospace Engineering, Tristan went on to lead product for Federal Security at KNOX, Samsung’s military and defense cybersecurity group.
