Cooperation between Norway’s security agencies planned following cyber attack on parliament

Norway is to implement a more robust plan to scale up its IT security infrastructure against the backdrop of increasingly malicious attacks from cyber space. This follows a high-profile cyber attack that targeted the email system at the Norwegian parliament (Storting) on 4 August.   

The Norwegian government accused Russia of launching the attack, but Moscow has denied any involvement.    

In the immediate aftermath of the attack, the Norwegian government called an emergency meeting with the heads of the country’s top security agencies. The meeting resulted in a plan to accelerate the development of an enhanced national IT infrastructure incorporating an embedded early warning system and defence shield to protect the IT systems of public and private organisations.

“The digital domain makes it easier for foreign states to deploy non-military means in an entirely different manner than has been the case,” said Monica Mæland, Norway’s justice minister. “We need to know more about the exact  purpose of the attack on the Storting and whether it was part of a specific or broader state-run espionage operation.”

The pivotal agencies at the post-Storting attack emergency meeting included the National Security Authority (Nasjonal Sikkerhets Myndighet), the National Cyber Security Centre (Nasjonalt Cyber Sikkerhets Senter), the Norwegian Police Security Service (Politiets Sikkerhetstjeneste) and the Norwegian Intelligence Service (E-tjenesten).

The Norwegian government’s strengthened cyber protection plan involves fast-tracking collaboration between national security agencies tasked with cyber defence and the private sector. The objective is to create a collaborative platform to develop improved early warning systems, deterrents and defences against a wide range of common and unconventional cyber threats and attacks on critical IT infrastructure.

A central feature of the new plan is closer cooperation between the Norwegian Intelligence Service¸ the Norwegian Armed Forces’ military intelligence wing and the National Cyber Security Centre to develop a broad range of defensive and offensive options.

“The combined resources of Norway’s security and intelligence services will cooperate in an unprecedented way to deal with cyber threats and attacks at a national level,” said Ine Eriksen Søreide, Norway’s foreign minister.

Naming Russia as the aggressor in the August attack on the Storting, Søreide said the accusation was based on preliminary intelligence provided by Norway’s national security agencies and leading cyber defence experts. 

“Based on the intelligence that is available to the government, it is our assessment that Russia was behind the attack on Norway’s most important democratic institution,” said Søreide.

Denying any involvement in the attack on the Storting, Moscow described the accusation as a “serious and deliberate provocation” by Norway that threatened to complicate existing and future bilateral political, trade and security relations. 

“Norway has provided no evidence of involvement by Russia,” said Konstantin Kosachev, chairman of the Russian Federation Council’s foreign affairs committee. “This accusation lacks concrete evidence. If evidence exists, it should be examined by experts from our two countries. We received no such invitation from Norway.”

The cyber attack on the Storting targeted the email accounts of MPs and senior government officials. Email accounts breached included those belonging to MPs both in the ruling Conservative (Høyre) and opposition Labour (Arbeiderpartiet) parties. Email messages and data from several compromised accounts was downloaded in the cyber attack.

The full extent of the email account violation has not been publicly disclosed by Norwegian authorities. The hack took place in the same month that Norway deported a Russian Embassy diplomat on suspicion of espionage-related activities. Russia retaliated by expelling a senior diplomat at the Norwegian Embassy in Moscow.   

“The parliament’s website was not compromised in the attack and the IT security systems that protect its integrity performed well,” said Marianne Andreassen, the Storting’s administrative director. “Our security systems had detected anomalies in the days leading up to the cyber attack, and we implemented additional measures to make our defences more effective.”

The primary role in investigating the Storting cyber attack was handed to the Joint Cyber Coordination Center (Felles Cyber Koordinerings Senter), which can draw on security experts from the National Security Authority, the Police Security Service, the Intelligence Service and Kripos, the national criminal investigation service. Kripos is Norway’s chief incident management coordinating agency for significant cyber attacks against critical national IT infrastructure.

The national security role played by the Joint Cyber Coordination Center will be elevated under the government’s reinforced cyber security plan. Also, the agency’s capacity to help improve Norway’s national capability to detect and withstand serious cyber attacks will be strengthened. Resources available to the organisation will be improved to deliver a more in-depth strategic analysis capability and help the agency maintain a comprehensive threat and risk assessment expertise to deal with cyber threats.

An annual threat assessment released by the Police Security Service in February identified Russia and China as the two foreign states that posed “a persistent and long-term security threat to Norway” and to the IT platforms and computer networks of public and private enterprises. The assessment warned government organisations and private companies about the potential for a higher rate of so-called advanced persistent cyber threats from “foreign state-controlled bad actors”.

The cyber attack on the Storting’s email system was followed on 2 September by a similarly crafted assault the municipality of Hedmark’s email system.

The Hedmark cyber attack left 10,000 municipal employees without access to their email accounts, which run on servers managed by IT company Hedmark IKT. The severity of the attack was compounded by the regional importance of Hedmark’s email account system, which is used by seven neighbouring municipalities in southeastern Norway – Hamar, Stange, Kongsvinger, Sør-Odal, Løten, Nord-Odal and Grue.

A post-attack forensic analysis conducted by Hedmark IKT found that the attackers had first gained access to a number of email accounts and then made virus-infected attachments to send to the email accounts of work colleagues employed by Hedmark municipality.

Hedmark IKT minimised the risk exposure to the local authority by shutting down all incoming mail to municipal staff accounts. Staff received SMS and email alerts via phone and backup accounts warning about the hack, and were instructed to delete all suspicious incoming emails and change their account passwords.

“There is no definitive evidence that the attacks on Hedmark’s and the Storting’s email systems are related, or were carried out by the same bad actor,” said Edvard Lysne, CEO of Hedmark IKT. “What we do know is that the attacks came from several foreign locations. The nature of the attack on Hedmark was much more sophisticated than anything we have seen or experienced before.”

The escalating risks posed to critical IT infrastructure topped the agenda when Nordic foreign ministers met on the Danish island of Bornholm on 17 September. The meeting, which focused on regional and international security policy, approved a plan to develop joint Nordic efforts to enhance capabilities, resilience and preparedness to counter cyber and hybrid threats through strengthened multilateral cooperation.