
Cyber Incident Victim: Norway

Date:

Jul 2023

Location:

Norway

Summary

A cyber attack exploited a zero-day vulnerability, CVE-2023-35078, in Ivanti Endpoint Manager (MobileIron Core) software. The incident targeted Norway's government security and service organization, DSS. National security authorities worked with the software vendor to develop a patch and mitigate the risk of widespread exploitation. They subsequently alerted all known Norwegian system owners using the vulnerable internet-exposed software to install the security update immediately.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

A data breach occurred at the Departementenes sikkerhets- og serviceorganisasjon (DSS) on or around July 24, 2023. The attack was carried out by exploiting a zero-day vulnerability. The Norwegian National Security Authority (NSM) and DSS publicly disclosed the incident at a press conference on Monday, July 24, 2023. This was the first known discovery and exploitation of the vulnerability, and it occurred in Norway. The vulnerability was identified as CVE-2023-35078, an actively exploited zero-day affecting Ivanti Endpoint Manager (EPMM), previously known as MobileIron Core, across a range of product versions. A zero-day vulnerability is a weakness that neither the software producer nor its users know about before it is exploited, which makes this type of vulnerability particularly difficult to defend against.


In parallel with the incident handling at DSS, the NSM, through its National Cyber Security Centre (NCSC), remained in ongoing dialogue with the software vendor and other partners. The primary objective was to help close the vulnerability in the DSS systems. At the same time, measures were taken to reduce the risk that the same vulnerability would be exploited elsewhere in Norway and in the rest of the world. The update developed and released by the software vendor patched the vulnerability in the DSS systems. However, for security reasons, the NSM could not publicly name the exploited software at the time of the initial press conference; withholding the software name and the vulnerability details was a deliberate security measure.

The rationale for withholding immediate public disclosure was that the vulnerability was new and had been discovered for the first time in Norway. Releasing information about it prematurely could have enabled its misuse against other organizations in Norway and worldwide. The public announcement was timed to coincide with the wide availability of the security update, at which point it was justifiable to describe the nature of the vulnerability. Following the press conference, the NCSC within NSM issued an alert about the vulnerability on the evening of July 24th, formally notifying the wider public and relevant stakeholders of the actively exploited zero-day, CVE-2023-35078, in the Ivanti Endpoint Manager product.

After the vulnerability was discovered, the NSM worked to notify other Norwegian entities using the same software. The NCSC alerted all known system owners in Norway with MobileIron Core exposed to the internet about the available security update, and its official recommendation was to install the update immediately to mitigate the threat. In addition to notifying domestic system owners, the NSM maintained a continuous dialogue with the software producer, Ivanti, and with other national and international partners. This collaborative approach was essential to managing the broader implications of the incident and ensuring a coordinated response to the threat.

The incident highlights the challenge of defending against zero-day vulnerabilities, which are by definition unknown to defenders before their first exploitation. The attack on DSS is a prominent case study in how a state-level agency can be targeted through such an exploit. The response combined immediate containment at the victim organization with broader national and international efforts to understand the vulnerability, develop a patch, and distribute it to all affected users before the threat actors could widen their campaign. Deploying the vendor-provided update was the key action that closed the vulnerability in the compromised DSS systems and protected other potential targets.

The public disclosure process was managed to balance transparency against the need to prevent further damage. The press conference on July 24th marked the transition from confidential handling to public awareness. The director of the National Security Authority, Sofie Nystrøm, explained the reasoning for delaying public identification of the software, emphasizing that early disclosure could have led to widespread misuse before a remediation was available. Publishing the CVE identifier, CVE-2023-35078, and the affected product name, Ivanti Endpoint Manager (EPMM), gave the global cybersecurity community the details it needed to take appropriate action. The incident underscores the critical role of national cybersecurity authorities in coordinating the response to sophisticated cyber threats that affect both government and private sector entities. The work of the NSM and its NCSC involved not only technical response but also strategic communication, to manage the narrative and ensure an effective and secure flow of information to all relevant parties.
