Cyber Incident Victim: Norwegian Ministry of Foreign Affairs

On or around February 3, 2017, Norway’s Police Security Service (PST) disclosed that nine email accounts across multiple government and institutional entities had been compromised by hackers. The targeted organizations included the Norwegian Ministry of Foreign Affairs, Ministry of Defense, Labour Party, PST itself, the Radiation Protection Authority, and an unidentified college. Security officials attributed the attacks to a Russia-linked group known as "Cozy Bear," which U.S. authorities had previously implicated in the 2016 Democratic National Committee breach. The attackers employed spear-phishing techniques to harvest sensitive credentials, though PST confirmed no classified information was exfiltrated. Investigations revealed the intrusions began earlier in 2017, with PST receiving warnings from an unnamed foreign partner about targeted email server attacks prior to the public disclosure.

Prime Minister Erna Solberg characterized the incident as "a serious attack on our democratic institutions," emphasizing its political significance despite the absence of classified data loss. The breach occurred amid heightened bilateral tensions following the January 2017 deployment of 300 U.S. Marines to Norway—the first foreign troop presence there since World War II—which drew criticism from Russia. PST spokesman Martin Berntsen confirmed the agency’s forensic review but did not disclose technical specifics of the compromised systems or additional mitigation measures. No disruptive follow-on activities, such as data leaks or ransomware, were reported following the credential theft. The incident underscored persistent vulnerabilities in governmental email infrastructures to socially engineered attacks by state-aligned threat actors.