Cyber Incident Victim: Norfund
Date: Mar 2020
Location: Norway
Summary
Fraudsters executed a sophisticated business email compromise attack against Norway's state investment fund, infiltrating its email systems to monitor communications and identify money transfer protocols over several months. The attackers impersonated an authorized employee using a forged organizational email address, falsifying payment details to divert a $10 million loan intended for a Cambodian microfinance institution to a fraudulent account in Mexico. They delayed discovery by sending deceptive correspondence to the legitimate recipient citing pandemic-related transfer delays, concealing the theft for over a month until a subsequent fraudulent attempt triggered internal detection. The breach exposed critical vulnerabilities in digital security practices and transfer verification processes, resulting in unrecovered financial losses and prompting immediate systemic reforms.
Description
Fraudsters executed a sophisticated business email compromise (BEC) attack against Norfund, Norway’s state-owned investment fund, resulting in the theft of $10 million in March 2020. The attackers first compromised Norfund’s email systems, enabling them to monitor internal communications and identify personnel authorized to process large financial transactions. Over several months, they studied organizational workflows and communication patterns to craft credible impersonations. The scammers created a fraudulent Norfund email address mimicking an employee with wire transfer authority and manipulated correspondence with a Cambodian microfinance institution expecting a legitimate loan. They altered payment instructions to redirect the $10 million transfer to an account in Mexico under their control instead of the intended recipient in Cambodia. To delay detection, the attackers sent an email to the Cambodian beneficiary falsely attributing payment delays to COVID-19 disruptions in Norway. The fraudulent transfer occurred on March 16, but Norfund remained unaware until April 30 when the attackers attempted a second transfer that triggered internal detection mechanisms.

Norfund publicly disclosed the incident on April 30, 2020, acknowledging the theft as the result of an "advanced data breach." CEO Tellef Thorleifsson described the operation as "wonderfully done" but emphasized systemic failures in the organization’s cybersecurity protocols and operational routines. The month-long delay in discovery prevented any possibility of recovering the stolen funds, as the transaction could no longer be intercepted. Norfund initiated immediate corrective actions to strengthen its systems, though specific technical or procedural changes were not detailed in public statements. The incident impacted Norfund’s operations as a development finance institution owned by the Norwegian Ministry of Foreign Affairs, which invests state budget allocations into poverty reduction initiatives across Central America, Southeast Asia, and Sub-Saharan Africa. No secondary consequences, such as regulatory penalties or additional compromised transactions beyond the two attempts, were reported in the available sources.
