Norwegian Police Pin Parliament Attack on Fancy Bear

Norwegian police have blamed Russian advanced persistent threat (APT) group Fancy Bear for the summer cyber-attack on Norway's single-chamber parliament, the Storting.

In what was described as "a significant attack" by the parliament's director, Marianne Andreassen, unauthorized individuals managed to gain access to the email accounts of several elected members of parliament and to some accounts belonging to parliament employees on August 24. 

On September 1, the Storting confirmed that a limited number of accounts had been compromised and that varying amounts of data had been downloaded by the attackers. Some of the compromised accounts belonged to members of Norway's main opposition party, the Labour Party.

Two weeks later, Norway's foreign minister, Ine Eriksen Soereide, laid the blame for the attack squarely at Russia's door. 

Speaking on October 13, Soereide said: “This is a serious event that hit our most important democratic institution. Based on the information available to the government, it is our assessment that Russia stood behind this activity."

The attack was reported to Norway's Police Security Service (PST) by the Storting on September 1, which subsequently launched an investigation.  

On December 8, the PST announced that a brute-force attack had been executed to break into user accounts of the Storting's email system and that "sensitive content has been extracted from some of the affected email accounts."

Investigators found that the actor tried to "move further into the Storting's computer systems" but was not successful.

Police concluded that the hit on the Storting was part of a larger campaign nationally and internationally that has been going on since at least 2019. 

"The analyses show that it is likely that the operation was carried out by the cyber actor referred to in open sources as APT28 and Fancy Bear," stated the PST.

"This actor is linked to Russia's military intelligence service GRU, more specifically their 85th Special Services Center (GTsSS)."

The PST said that the attack confirmed that insecure passwords used for private and business email accounts expose both individuals and the Storting as a parliamentary institution and that two-factor authentication and settings could prevent similar attacks from occurring.

What’s Hot on Infosecurity Magazine?