Cyber Incident Victim: Breivika Eiendom
Date:
Apr 2025
Location:
Norway
Summary
Breivika Eiendom discovered that hackers had breached the control systems of the Lake Risevatnet dam, forcing the water valve to open fully and remain open for several hours before detection. The unauthorized release added approximately 497 litres per second to the river flow, though officials said the volume remained well below the riverbed’s capacity of up to 20,000 litres per second. Authorities including the National Security Authority, the Norwegian Water Resources and Energy Directorate, and Kripos were notified, and an investigation is underway. Officials suspect the breach resulted from a weak password on the valve’s web‑accessible control panel, which allowed attackers to bypass authentication and gain direct access to the operational technology environment.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In April 2025 unidentified hackers breached the control systems of the Lake Risevatnet dam located near the city of Svelgen in Southwest Norway, also referenced as Risevatnet in Bremanger. The breach was discovered by the dam’s owner, Breivika Eiendom, on April 7 2025. Upon discovery the owner reported the incident to the relevant Norwegian authorities. The National Security Authority (NSM), the Norwegian Water Resources and Energy Directorate (NVE), and the Kripos special agency of the Norwegian Police Service were alerted on April 10 2025, and an investigation into the incident was initiated.
The attackers gained access through the dam’s web‑accessible control panel, which was protected by a weak password according to speculation by Breivika technical manager Bjarte Steinhovden. By exploiting this vulnerability the attackers bypassed authentication controls and obtained direct access to the operational technology environment. Once inside they opened the dam’s water valve fully, causing the valve to remain in the open position for approximately four hours before the unauthorized activity was detected.
During the four‑hour period the valve released an additional 497 litres of water per second. Officials from Energiteknikk noted that this flow barely exceeded the dam’s minimum requirement and that the riverbed could accommodate a much larger volume, up to 20 000 litres per second, indicating that the incident did not pose a danger to downstream areas. The facility primarily serves a fish farm and is not connected to Norway’s power grid. The case was formally reported to Kripos as part of the official response.
The article also referenced that officials consider the incident a reminder of how basic security failures, such as weak credentials, can compromise vital systems, and highlighted the importance of remote access controls, proper authentication, clear ownership of cyber‑physical interfaces, and sufficient monitoring for critical infrastructure. It further noted that similar intrusions into essential services have occurred in the past, citing April 2023 cyberattacks on Israeli irrigation systems believed to be part of the OpIsrael campaign. The investigation by NSM, NVE, and Kripos remains ongoing.