
Cyber Incident Victim: Arbeiderpartiet

Date: Jan 2017

Location: Norway

Summary

Russian-linked hackers, believed to be the "Cozy Bear" group associated with the FSB, targeted email accounts of Norway's Labour Party, foreign and defense ministries, security services, and other government agencies through spear-phishing attacks. The Norwegian Security Service confirmed no classified information was compromised, though officials characterized the breach as a serious assault on democratic institutions. The incident occurred amid heightened tensions between Norway and Russia following the deployment of U.S. Marines to Norwegian territory. Intelligence indicated that warnings from abroad about attacks on email servers had been received before the attacks were carried out.


Description

In February 2017, Norway’s Police Security Service (PST) disclosed a cyberattack targeting nine email accounts across multiple government and institutional entities. The affected organizations included the Labour Party, the Ministry of Foreign Affairs, the Ministry of Defense, the PST itself, the Radiation Protection Authority, and an unidentified college. Security officials attributed the attack to a Russia-linked hacking group known as "Cozy Bear," which U.S. authorities had previously implicated in the 2016 breach of Democratic National Committee computers. The attackers employed spear-phishing techniques, attempting to extract sensitive information such as usernames, passwords, or financial data from targeted individuals. PST section chief Arne Christian Haugstøyl confirmed the scope of the compromise to Norwegian media outlet TV2, though no classified materials were confirmed stolen. Prime Minister Erna Solberg characterized the incident as a serious attack on Norway’s democratic institutions, emphasizing its political significance.

The PST received prior warnings about the attacks from an unnamed foreign partner agency earlier in 2017; the warnings specifically noted threats to email servers. PST spokesman Martin Berntsen confirmed this alert to the Norwegian tabloid VG but did not disclose further details about the foreign entity or the exact timing of the advisory. The incident occurred amid heightened tensions between Norway and Russia following the arrival of 300 U.S. Marines in Norway—the first permanent deployment of foreign troops there since World War II. Reuters reported that the Marines, from Camp Lejeune in North Carolina, were scheduled for a year-long deployment with rotations after six months. Norwegian authorities did not publicly outline specific technical containment measures or forensic findings beyond confirming the attribution and operational method. No additional consequences, such as data leaks or disruptions to government functions, were disclosed in the available reporting.
