Cyber Incident Victim: Police Security Service
Date:
Feb 2017
Location:
Norway
Summary
Norwegian institutions, including the Police Security Service, were targeted in a spear-phishing campaign attributed to the Russian-linked hacking group "Cozy Bear," which is associated with the FSB. The attacks compromised email accounts belonging to the Labour Party, foreign and defense ministries, a radiation protection authority, and an educational institution. While no classified information was reportedly stolen, officials characterized the incident as a serious assault on democratic infrastructure. The PST received prior warnings from an unnamed foreign partner about these targeted email server attacks. The breach occurred amid heightened bilateral tensions following the deployment of U.S. military personnel to Norway, marking the first foreign troop presence there since World War II.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In February 2017, Norway’s Police Security Service (PST) disclosed a cyberattack targeting nine email accounts across multiple government and institutional entities. The breach affected the Labour Party, the Foreign Ministry, the Defense Ministry, the Radiation Protection Authority, an unidentified college, and PST itself. Security officials attributed the attack to "Cozy Bear," a hacking group linked to Russia’s Federal Security Service (FSB), which U.S. authorities had previously implicated in the 2016 Democratic National Committee breach. The attackers employed spear-phishing tactics, attempting to extract sensitive credentials or financial data through deceptive emails. PST Section Chief Arne Christian Haugstøyl confirmed the incident to Norwegian media, noting that no classified information had been compromised. Prime Minister Erna Solberg characterized the hacking as a "serious attack on our democratic institutions," emphasizing its political significance despite the absence of data exfiltration. PST spokesman Martin Berntsen revealed that a foreign intelligence agency had alerted Norway earlier in 2017 about "targeted attacks" on email servers, though the partner nation remained unnamed. The breach highlighted vulnerabilities in non-classified communication channels, with attackers focusing on entities central to national security and governance.
The incident occurred amid heightened tensions between Norway and Russia following the January 2017 deployment of 300 U.S. Marines to Norway, the first permanent foreign troop presence there since World War II. PST’s public attribution to a Russian-aligned group marked a rare direct accusation by Norwegian authorities, reflecting broader geopolitical strains. Security officials confirmed the attackers’ methodology aligned with Cozy Bear’s historical operations, including precision targeting of high-value institutional accounts. While the immediate operational impact was limited due to the failure to access classified systems, the breach underscored persistent espionage threats to democratic processes and civil infrastructure. Norwegian authorities did not disclose specific remediation steps but emphasized collaboration with international partners to monitor and mitigate further intrusions. The event reinforced concerns about state-sponsored cyber campaigns targeting political organizations and defense networks during periods of diplomatic friction.