Cyber Incident Victim: Danske Bank
Date:
Jul 2014
Location:
Norway
Summary
A distributed denial-of-service (DDoS) attack targeted multiple Norwegian financial institutions, including Danske Bank, alongside telecommunications provider Telenor and other major banks and insurers. Attackers exploited a WordPress security vulnerability and other undisclosed methods to disrupt services, causing partial website outages and customer login difficulties for over an hour. While a message attributed to Anonymous Norway claimed responsibility to raise awareness about inadequate cybersecurity defenses, the group later denied involvement via social media, blaming unskilled actors. The incident highlighted the ease of executing such attacks using rented botnets, impacting several central finance sector players simultaneously.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On July 8, 2014, distributed denial-of-service (DDoS) attacks targeted multiple major Norwegian financial institutions and businesses, including Danske Bank, DNB, Norges Bank, Sparebank 1, Storebrand, Gjensidige, Nordea, and telecommunications provider Telenor. The attacks commenced in the morning, with Norway’s largest financial services group, DNB, reporting partial website downtime and customer login difficulties due to junk traffic overwhelming its systems. These disruptions lasted slightly over an hour for DNB but continued throughout the day as attackers expanded their focus to additional entities. IT services provider Evry, which delivered approximately one-third of Norway’s IT infrastructure, confirmed its systems and customers were affected, noting this marked the first coordinated attack against so many central finance sector players simultaneously. Attackers exploited a known security vulnerability in WordPress to generate malicious traffic toward victim servers, though Evry acknowledged other unspecified methods were also utilized without disclosing technical details.
Norwegian media outlet Dagens Næringsliv received a message from individuals claiming to represent "Anonymous Norway," attributing the attacks to their collective and citing motivations to "wake up the community" about inadequate defenses against escalating IT security threats. The message included Anonymous’ signature rhetoric: "We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us." However, the Twitter account @AnonymousNorway later disavowed responsibility, asserting "script kiddies" without advanced tools conducted the attacks. National Security Authority (NSM) technical director Roar Thon corroborated the low technical barrier to executing such attacks, stating they required only "a credit card and the will to destroy" by renting botnet services. While the attacks caused temporary operational disruptions—including Norges Bank’s initial unawareness of its own website outage—no data breaches, financial losses, or specific motivations beyond general warnings about cybersecurity preparedness were confirmed. The incident highlighted the vulnerability of critical financial infrastructure to readily available attack methods and the challenges of attributing actions to decentralized groups.