Cyber Incident Victim: Extend AS
Date:
Jul 2025
Location:
Norway
Summary
Extend AS experienced a ransomware attack that compromised its municipal clients, with four production environments and several test bases affected. Stolen data included procedures, incident reports, contingency plans and vulnerability analyses, and the provider expects the information to appear on the dark web soon. The municipalities of Kristiansand, Drammen and Ringsaker confirmed they were impacted, noting that the breach involved internal, non‑public information but appeared to contain limited sensitive data. All affected customers using the EQS quality system were reportedly affected, and the incident will be reported to police.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On July 7 2025 NRK reported that Extend AS had suffered a ransomware attack that was discovered by the vendor on Thursday and communicated to customers on Friday. The attack affected the data services Extend provides to several Norwegian municipalities, with the company’s daily leader Christine Våpenstad Holm confirming that four municipalities were impacted in their production environments and that additional test environments used for development and training were also compromised. Kristiansand, Drammen and Ringsaker municipalities publicly acknowledged they were among the affected customers, noting that they use Extend’s EQS quality management system. The vendor indicated that all customers using the EQS platform were affected in a similar manner.
According to the report, the attackers exfiltrated information stored in the municipalities’ systems, which could include operational routines, incident deviation reports, emergency preparedness plans and vulnerability analyses. Extend AS stated that it expects the stolen data to be published on the dark web in the coming weeks and said the incident would be reported to the police. Municipal officials from Ringsaker said that, as of the time of the article, no ransom demand had been received, but they warned that such a demand could still emerge and that it was unclear whether it would target the municipality or the supplier. Representatives from Kristiansand described the exposed material as largely internal, non‑public information, noting that the volume of sensitive data appeared limited.
In response, the affected municipalities have begun internal reviews to determine the full scope of the data loss. Ringsaker’s municipal chief Håvard Haug said they are working to obtain a complete overview of which data may have been lost and to ensure that risk assessments and emergency plans are not further compromised. Drammen’s officials held multiple meetings on the day of the report to discuss the incident and coordinate with the vendor. Kristiansand’s emergency preparedness chief Sigurd Paulsen announced a forthcoming meeting to inventory the specific information held in the EQS system and to evaluate any potential consequences for the municipality.