Russian Hacker Group 'Fancy Bear' Accused Of
Cyberattack On Norwegian Parliament
December 08, 2020
An investigation by Norway's Police Security Service (PST) has concluded that a
cyberattack and data breach of the country's parliament was likely carried out
by Fancy Bear, a hacker group that has ties to Russian military intelligence.
In a December 8 press release announcing the findings of its investigation into
the August attack, the PST said there was not enough evidence to press charges
relating to damage to Norway's national interests.
Norwegian officials had previously announced that a "vast" cyberattack on August
24 had gained access to the e-mails of some parliamentarians and parliamentary
employees, although the identity of the attackers was not revealed. Norwegian
Foreign Minister Ine Eriksen Soreide subsequently accused Russia of being behind
the attack against the NATO-member Scandinavian country.
The investigation into the attack bolstered that allegation, with the PST saying
the attack was part of a broader campaign domestically and internationally "that
has been going on at least since 2019" and "was carried out by the cyber actor
referred to in open sources as APT28 or Fancy Bear."
APT28, also known as Fancy Bear, is a Russian hacker group that is believed to
be associated with Russia's GRU military intelligence agency and that has been
blamed for carrying out numerous cyberattacks on Western governments, think
tanks, and corporations in recent years.
Fancy Bear is perhaps best known for interference in the 2016 U.S. presidential
election, and was recently accused of targeting both the Joe Biden and Donald
Trump campaigns ahead of this year's U.S. election.
In its press statement, the PST said that Fancy Bear was specifically linked to
the GRU's 85th Main Special Services Center, whose officers were recently
implicated in taking part in a 2015 cyberattack against the German Bundestag.
The PST investigation also provided information about the scope of the
cyberattack, including that the perpetrators obtained "valid usernames and
passwords" using brute-force attacks on a "high number" of e-mail accounts used
by the parliament. Brute-force attacks involve hackers submitting numerous
passwords in an effort to eventually guess the correct combination.
The investigation also found that after passwords were obtained, the attackers
were able to log into a smaller number of accounts and that "sensitive content"
had been extracted.
The attackers were not successful in their attempts to further breach
parliament's computer systems, according to the analysis of the breach, but the
PST said that it could not go into further detail due to the sensitivity of the
matter.
The investigation revealed how insecure passwords used "in both work and
private contexts" exposed both individuals and parliament as a whole, and
showed the need for better security mechanisms such as two-factor
authentication, according to the PST.
The Russian Embassy in Norway, which in October called Norwegian Foreign
Minister Eriksen Soreide's allegations "unacceptable" and a "provocation," has
not commented on the results of the PST's investigation.
Spy cases involving both Russia and Norway, which share a 200-kilometer border
in the Far North, have soured relations between the countries in recent years,
and Norway's intelligence agency regularly identifies Russia as one of its main
espionage threats.
Following Eriksen Soreide's accusation, the Russian Embassy in Norway said that
Moscow had notified Oslo about malicious online activities originating in Norway
on six occasions in 2019 and four times in 2020.
In a tit-for-tat row that played out earlier this year, Moscow and Oslo expelled
one diplomat each after a Norwegian citizen was jailed in Norway on suspicion of
spying for Russia. In 2019, a retired Norwegian border inspector was sentenced
in Russia to 14 years in prison after being accused of collecting information
about Russian nuclear submarines for Norwegian intelligence. The man was later
released as part of a spy swap.
Russia has repeatedly denied any involvement in any cyberattacks, including
relating to the 2016 U.S. election.