Cyber attackers reportedly target Norwegian government agencies

A Norwegian government official confirmed Monday that twelve government ministries have been hit by a cyber attack. The PM’s office, foreign, defense, and justice ministries were not affected because they use a different IT platform.

“We identified a weakness in the platform of one of our suppliers. That weakness has now been shut,” said Erik Hope, head of the government agency in charge of providing services to ministries, according to a report by news agency Reuters. The attack was identified due to ‘unusual’ traffic on the supplier’s platform, Hope said, declining to provide specifics. It was uncovered on July 12 and was being investigated by police.

“It is too early to say who is behind this and what is the extent of the impact (of the attack),” he added.

Last week, Norwegian company TOMRA disclosed in its latest cyber update that it identified an extensive cyberattack against the company on July 16th affecting some of the company’s data systems. “To contain the attack, selected services were disconnected. A team of internal and external resources is working around the clock to establish alternative solutions and to reestablish normal operations. Affected systems will remain offline until it is safe to operate them,” it added.

“We have successfully started the process of establishing digital services for our Reverse Vending Machines (RVMs) on a new, independent, cloud-based platform. We started contacting some customers today to get the first batch of RVMs in Europe back online,” TOMRA said. “The forensics team is starting to establish a picture of the cause and nature of the attack, but we continue to investigate to identify other potential points of entry and make sure we uncover the full nature of the attack. No new hostile activities have been detected,” it added.

TOMRA revealed that early Sunday morning (Jul. 16) TOMRA Security Operations found suspicious activity in its office network, linked to its Montreal location. “The threat actor gained access to some technical infrastructure systems, allowing them to traverse and access other sites. When this was discovered, TOMRA Security Operations started to proactively shut down services and disconnect sites to limit the attack.”

The update added that initial investigation discovered that this was an ongoing cyber-attack, gaining access through some TOMRA user accounts that were compromised. “TOMRA Security Operations has identified a number of methods and tools being used in the attack. In the current situation, we have found no trace of evidence that TOMRA clients, customers, partners or their systems are at risk from the attack. We see no evidence of encryption of data and have not received any ransom claims,” it added.

TOMRA said that it has engaged a global cyber response team from Deloitte to assist in the ongoing investigation and response. The cyber response teams are working to migrate some services to new, cloud-based solutions and restore other systems back into a trusted state, it said, adding that the company ‘will bring back services one by one as they are confirmed to be safe and secure.’

Attacks on supply chains have been addressed by Jonathon Gordon, directing analyst at Takepoint Research, who wrote in the ‘Industrial Cybersecurity Technology, Solutions & Services – Buyer’s Guide 2023’ that over the past 12 months there have been plenty of ransomware attacks, such as those on Toyota’s manufacturing plants, Dole’s supply chains, and the U.K.’s South Staffs Water and Thames Water, to name a few.

“Ransomware attacks targeting IT networks and computers are, by far, the biggest threat to industrial enterprises,” Gordon highlighted. “While malware and ransomware can specifically target OT systems, such as Stuxnet, Havex, Industroyer2, Triton, Pipedream, CosmicEnergy, and Snake, etc., IT-targeted malware that impacts industrial organizations such as EKANS, LockerGoga, and BlackEnergy3, etc., is more common.”

Commenting on the significance of these types of attacks, Nadir Izrael, CTO and co-founder of Armis, wrote in an emailed statement that attacks on government agencies worldwide are becoming more common and persistent. “This is due to the widespread disruption and trickling impacts potentially caused by these attacks on critical infrastructure and society overall, if successful. Geopolitical tensions are only exacerbating these threats to agencies, as cyberwarfare has proven to be a cost-effective method of attack for disrupting the everyday lives of civilians.”

Izrael added that Armis continues to warn that these attacks should be seen as a wake-up call. 

“It’s critical that government agencies globally prioritise putting technology and procedures in place to proactively address this risk and reduce vulnerabilities to the ever-expanding attack surface,” according to Izrael. “This starts with visibility into the entire attack surface itself, along with real-time and contextual insights for keeping a constant pulse on what’s connected to the business network at any given time. If you cannot see and do not know that a vulnerability exists within your environment, then you cannot proactively mitigate this risk before a malicious actor exploits it.”

There have been a number of significant cyberattacks on Norwegian businesses and government entities over the past few years, Elliott Wilkes, chief technology officer at Advanced Cyber Defence Systems (ACDS), wrote in an emailed statement. “In 2021, the Norwegian Parliament’s email systems were attacked by groups with ties to China. In 2022, a pro-Russian hacker group known as Killnet launched a denial of service (DDoS) attack against Norwegian public service websites. Later in 2022, the Norwegian PM publicly named the threat posed by Russia to Norway’s government and energy sector in particular, due to Norway’s military and humanitarian assistance in Ukraine.”

“While details on the latest attack are limited, it does appear that business systems like email were affected for up to a dozen government agencies in Norway. This is yet another reminder of the urgency needed to assess and mitigate security vulnerabilities in suppliers, as this attack has been attributed to a weakness in an IT supplier,” according to Wilkes. 

He added that with the MOVEit attack earlier this year and countless others like the VMware attacks and SolarWinds, “it is crucial that organisations regularly review the permissions and privileges granted to systems and software they use. Limiting access, relying on the principles of least privilege and just-in-time access provisioning (versus having an admin account used every day for all non-admin functions) are some of the ways businesses and government teams can mitigate risks posed by vulnerabilities in suppliers’ tools.”

In January, Copper Mountain Mining issued an operational update on the ransomware attack that affected IT systems at its Copper Mountain Mine and corporate office in late December. The company confirmed that production has resumed and that through this downtime, it has been shipping copper concentrate to the Port of Vancouver from mine inventory and has maintained its planned shipping schedule.

Earlier this year, Europol supported the German, Dutch, and U.S. authorities in disrupting and taking down the infrastructure used by Hive ransomware affiliates, involving law enforcement authorities from a total of 13 countries. The agency supported the shutting down of servers and provided decryption tools to victims. Law enforcement teams were able to identify the decryption keys and shared them with many of the victims, helping them regain access to their data without paying a ransom to the cybercriminals.
