Cyber Incident Victim: Forsvarsdepartementet
Date: Feb 2017
Location: Norway
Summary
Norwegian government and political entities, including the defense ministry, foreign ministry, Labour party, and security agencies, were targeted in a spear-phishing campaign attributed to the Russia-linked hacking group Cozy Bear, associated with the FSB. The attackers compromised nine email accounts but did not access classified material. Security officials characterized the incident as a serious attack on democratic institutions, noting similarities to previous operations against the U.S. Democratic National Committee. The breach occurred amid heightened tensions between Norway and Russia following the deployment of U.S. Marines to Norwegian territory. A foreign intelligence partner had previously alerted Norwegian authorities about the targeted email server attacks.
Description
On February 3, 2017, Norway’s Police Security Service (PST) disclosed that nine email accounts across multiple government and institutional entities had been compromised by hackers. The targeted organizations included the Norwegian Defence Ministry, Foreign Ministry, Labour Party, Police Security Service itself, Radiation Protection Authority, and an unidentified college. Attackers employed spear-phishing techniques to harvest sensitive credentials such as usernames and passwords. PST attributed the campaign to the Russia-linked advanced persistent threat group known as "Cozy Bear," which U.S. authorities had previously implicated in the 2016 Democratic National Committee breach. This group is associated with the Russian Federal Security Service (FSB). Norwegian security officials confirmed no classified materials were exfiltrated during the intrusions. PST Section Chief Arne Christian Haugstøyl verified the scope of affected entities during interviews with Norwegian media outlet TV2. The attacks were detected after PST received warnings earlier in 2017 from an unnamed foreign intelligence partner about targeted operations against Norwegian email servers.

Prime Minister Erna Solberg characterized the incident as a severe assault on Norway’s democratic institutions during a televised statement. PST spokesman Martin Berntsen confirmed to VG newspaper that the breaches exclusively targeted email systems without compromising other infrastructure. The incident occurred amid heightened bilateral tensions following Norway’s January 2017 deployment of 300 U.S. Marines to its territory—the first permanent foreign troop presence since World War II. Russian officials had publicly opposed the military arrangement, citing escalatory regional security concerns. Norwegian authorities did not disclose technical remediation steps but emphasized continuous coordination with international partners to monitor threats. No disruptive operational impacts or data leaks were formally reported by the compromised entities following the disclosure.
