
National Cyber Security Exercise for State Administration organizations targeted Supply Chains and Critical Dependencies

Ministry of Transport and Communications
Publication date 1.6.2026 10.06 | Published in English on 1.6.2026 at 10.08
Type: Press release
A person coding. (Image: Mika Pakarinen, Keksi/LVM)

The 2026 National Cyber Security Exercise for state administration organizations was held from 25 to 29 May. In the exercise scenario, the aim of the attacks was to affect citizen services through cyber-attacks that used real-world threat actor tactics and techniques.

The purpose of the National Cyber Security Exercises (KYHA) is to develop expertise and cooperation, and to ensure the capability of critical infrastructure operators to act in cyber security crisis situations. 

"National Cyber Security Exercises are important because, in real cyber incidents situations, different actors must be able to operate together quickly, effectively, and based on a shared situational awareness. Exercise is useful when it reflects a real crisis situation—and this requires the participation of all key roles", says Janne Allonen, Deputy Cyber Security Director at the Ministry of Transport and Communications.

"The technical-operational KYHA exercise enables different personnel roles to participate in the exercise. There is a strong foundation in information technology expertise, but in addition, operational roles are needed, for example in management and in collaboration between organizations", says Tero Kokkonen, Director of Jamk's Institute of Information Technology.

This year, the Digital and Population Data Services Agency, the Finnish Patent and Registration Office, the Government ICT Centre Valtori, the Legal Register Centre, the Prison and Probation Service of Finland, and the Tax Administration participated in the KYHA exercise for state administration organizations.

Cyber-attacks target systems, services and critical dependencies

In the exercise, various cyber-attacks were directed at the organizations’ systems and services, using genuine tactics and techniques employed by threat actors. One of the attack methods was the supply chain attack, which exploits interdependencies between different organizations.

“The RGCE cyber range used in the exercise models not only various organizational environments, but also the systems and dependencies related to their development. This enables the use of a very wide range of different attacks, like supply chain attacks, that have been widely seen in recent years”, says Juha Piispanen, Chief Specialist at Jamk.

In supply chain attacks, a threat actor commonly first tries to gain access to the code of a vendor that is regarded as trustworthy and whose products organizations use in their own operations. The intention is to use this connection to eventually affect the actual target organization. For example, an attacker can sneak malicious code into a widely used software update, infecting all the organizations that install it at once.

Realistic threats and threat actors

In addition to supply chain attacks, the exercise included attacks on organizations’ systems and services, threatening or preventing their operations, and stealing authentic customer and demographic information. 

"One of the objectives of the exercise is to develop cooperation between organizations in serious cyber incident situations. To enable the exercise participants to work together in conditions that closely resemble real-life situations, it is essential that we model realistic threat actors and the attacks they use in the exercise scenario", says Kokkonen. 

The National Cyber Security Exercises will be carried out by Jyväskylä Security Technology (JYVSECTEC), a research, development and training centre located at Jamk's Institute of Information Technology, in cooperation with the Ministry of Transport and Communications. The Security Committee also participates in a guiding role.

Further information

Janne Allonen, Deputy Cyber Security Director, Ministry of Transport and Communications
p. 0295 342 212

Tero Kokkonen, Director, Institute of Information Technology, Jamk University of Applied Sciences
p. 050 4385 317