The boy was prosecuted in March for breaking into the computer network at Uppsala University, but Tuesday’s New York Times reported that this could merely have been a “base” for launching more serious attacks.
The revelation comes at the end of a year-long investigation. Security flaws at certain high profile companies and authorities were exploited, allowing the hacker to steal passwords and usernames via computers in several different countries.
One of the corporate victims was global networking company Cisco, which had software and security-related programming instructions stolen. The details were later published on a Russian web site.
According to the New York Times, the FBI are now working with Swedish police, as well as police in other countries. The boy is in the care of his parents and his computers have been confiscated.
“We are very encouraged that an arrest has been made in Sweden and will continue to work with the appropriate law authorities,” Cisco spokesman David Cook said.
“We will take every measure to protect our intellectual property and take this issue extremely seriously as you would expect.”
Cook said another suspect had been arrested last year in Britain. The FBI declined to comment on the action in Sweden but said an ongoing investigation has received cooperation from authorities in other countries.
“The FBI fully recognizes the inherent sophistication and global nature of intrusion investigations,” the US law enforcement agency said in a statement.
“As such, we have worked hard to develop strong partnerships within the international law enforcement community. In this case, we have been working closely with our international partners to include Sweden, Great Britain and others. As a result of recent actions, the criminal activity appears to have stopped.”
Cook added that the posting of the code on the Internet “was the result of a breach in our security policy and not the result of any exploitation or vulnerability in any Cisco product or service.”
Marc Sachs, director of the Washington-based Internet Storm Center, a coalition of academic and private sector security specialists, said it had been well known in security circles that hackers may have used the Cisco theft to gain unauthorized entry to a number of computer networks.
“The Cisco intrusion was well documented last year,” Sachs said.
“The impact of these events is difficult to assess at this point. If it was all the work of a teenager, then no big deal other than it points to how easy it is to break in.
“On the other hand … if we caught a teenager breaking in, then likely there are many others who we have not caught and who might have done much more damage.”