Cyber Incident Victim: Haugesund Kommunale Pensjonskasse

Date: Aug 2022

Location: Norway

Summary

A Norwegian municipal pension fund thwarted a sophisticated cyber attack after hackers compromised its CEO's credentials through a phishing campaign and bypassed two-factor authentication by using the EvilProxy tool to steal session tokens. Suspicious U.S.-based login attempts targeting the CEO's account prompted immediate action, including password resets and confiscation of devices, which kept fraudulent international transfer requests sent to the CFO from succeeding. While attackers aimed to initiate large financial transactions, ICT specialists and external cybersecurity teams intervened before any funds were stolen, though the perpetrators' identities remained undetermined.

Description

In late August 2022, the ICT department of Haugesund municipality detected unauthorized access to the systems of Haugesund Kommunale Pensjonskasse (HKP), a Norwegian municipal pension fund managing approximately NOK 3.5 billion (€322 million). The initial breach indicator was a suspicious login attempt using CEO Heidi Sunde’s credentials originating from the United States, despite Sunde not being present there. ICT Manager Eirik Østensjø’s team immediately changed Sunde’s password, which successfully blocked subsequent login attempts from the same source. The following day, HKP’s chief financial officer received an email appearing to originate from Sunde instructing the preparation of an international money transfer. This directive raised immediate concerns given the prior unauthorized access incident, prompting the ICT team to escalate their response. They confiscated all computer and telephone equipment used by the CEO and engaged Atea, their Nordic and Baltic-region IT infrastructure provider, for forensic analysis. Preliminary assessments confirmed Sunde had fallen victim to a phishing attack, though the exact vector—whether email or malicious website interaction—remained unclear.

Investigations by Atea’s cyber specialists revealed that the attackers used the phishing tool EvilProxy to compromise the CEO’s session token, a unique encrypted identifier that let them bypass HKP’s two-factor authentication system. This method, while theoretically understood, was reportedly unprecedented in Norway according to Østensjø. The attackers’ login attempts originated from U.S.-based IP addresses but occurred during European business hours, complicating attribution efforts. No funds were exfiltrated due to the timely detection and containment measures. HKP’s existing security protocols, including multi-factor authentication, were insufficient to prevent the initial breach but facilitated rapid incident response. Post-incident analyses could not identify the responsible individuals or groups. Sunde publicly characterized the event as a “terrifying” near-miss, emphasizing the critical importance of robust security routines and reliable ICT partnerships in safeguarding financial assets. The incident underscored the advanced persistent threats facing financial institutions despite layered defenses.