Around two weeks ago, a cyber attack struck a significant blow to the Norwegian government, affecting a total of 12 government ministries. In response to this alarming situation, a crisis staff was promptly assembled. The government minister in charge of handling the response acknowledged the severity of the attack, deeming it “extremely serious.” However, it was emphasized that despite the challenges posed by the attack, the government’s day-to-day operations continue to function “as normal.”
“We identified a weakness in the platform of one of our suppliers. That weakness has now been shut,” Erik Hope, head of the government agency in charge of providing services to ministries, told a news conference.
The Norwegian National Security Authority (NSM) has officially verified that a group of attackers exploited a zero-day vulnerability in Ivanti’s Endpoint Manager Mobile (EPMM) solution to successfully infiltrate a software platform utilized by 12 ministries within the country.
In a recent statement, the Norwegian Security and Service Organization (DSS) clarified that the cyberattack, which occurred on Monday, had no impact on critical institutions such as Norway’s Prime Minister’s Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs.
We reached out to several cybersecurity experts to get their thoughts on the news.
Erich Kron, security awareness advocate at KnowBe4:
“The impact that supply chain can have on an organisation continues to be demonstrated through attacks such as this one. The fact that this was caught by identifying unusual traffic on the supplier’s platform reiterates the importance of monitoring traffic as opposed to simply relying on the other party for security or to monitor for unusual traffic themselves. Using outside vendors is almost a certainty in our modern, globally connected world, but controls need to be in place to ensure that issues impacting them or their services do not cause harm to their customers and those using their platforms.”
Elliott Wilkes, chief technology officer at Advanced Cyber Defence Systems (ACDS):
“There have been a number of significant cyberattacks on Norwegian businesses and government entities over the past few years. In 2021, the Norwegian Parliament’s email systems were attacked by groups with ties to China. In 2022, a pro-Russian hacker group known as Killnet launched a denial of service (DDoS) attack against Norwegian public service websites. Later in 2022, the Norwegian PM publicly named the threat posed by Russia to Norway’s government and energy sector in particular, due to Norway’s military and humanitarian assistance in Ukraine.
“While details on the latest attack are limited, it does appear that business systems like email were affected for up to a dozen government agencies in Norway. This is yet another reminder of the urgency needed to assess and mitigate security vulnerabilities in suppliers, as this attack has been attributed to a weakness in an IT supplier. With the MOVEit attack earlier this year and countless others like the VMware attacks and SolarWinds, it is crucial that organisations regularly review the permissions and privileges granted to systems and software they use. Limiting access, relying on the principles of least privilege and just-in-time access provisioning (versus having an admin account used every day for all non-admin functions) are some of the ways businesses and government teams can mitigate risks posed by vulnerabilities in suppliers’ tools.”
Mark Watkinson, Head of Market Insights at Adarma:
“In our increasingly interconnected world, supply chain attacks are a significant concern for organisations and their customers. Cybercriminals take advantage of the trust between vendors and clients, making these types of attacks appealing for maximum impact. Cybercriminals are increasingly targeting third-party vendors to infiltrate multiple downstream clients through a single entry point. As organisations continue to expand their supply chains and work with an increasing number of third-party entities, they unintentionally expose themselves to greater risks.
“Organisations must understand their attack surface to manage this exposure by examining the cyber resilience of the third parties they collaborate with. Implementing a thorough vetting process for vendors and having a robust incident response plan are crucial steps in proactive safeguarding. Effective communication during incidents is also essential to minimise damage and maintain stakeholder trust. Regardless of business size or industry, prioritising cybersecurity and taking proactive measures is necessary to protect operations and customers from evolving threats posed by third-party and extended supply chains.”
Chris Hauk, consumer privacy champion at Pixel Privacy:
“This incident emphasises how important it is for organisations to not only keep their own systems and software updated to plug security holes, but to do regular supply chain checks to make sure all other organisations in the chain are also performing regular updates and security checks on a regular basis. I do admire how the government official, Erik Hope, didn’t offer up the usual platitudes we hear after data breaches. Instead he laid it out as “we screwed up, and now it’s fixed.” That’s refreshing.”
Andrea Napoli, Director of Product Marketing Europe at Cato Networks:
“This attack reinforces once again the importance of developing a robust security governance framework that outlines the roles, responsibilities, and processes necessary to achieve and maintain a correct cybersecurity posture. This is why the European Union mandates companies, operators of essential services (OES) and digital service providers (DSPs) across various sectors, to adhere by 2024 to a more stringent set of requirements as set out in NIS2 directives.
“NIS2 places a significant emphasis on assessing the vulnerabilities of their suppliers, service providers, and even data storage providers. NIS2 mandates that companies thoroughly comprehend the potential risks involved, establish close relationships with their partners, and consistently update their security measures to ensure the utmost protection. Failing to comply with NIS2 regulations will result in fines up to £17 million in the UK and €10 million or 2% of worldwide turnover in the EU.
“Companies should look now to partner with cybersecurity companies that will help them achieve NIS2 compliancy. Here at Cato, we have seen a continuous increase in requests related to InfoSec guidelines and disciplines from our customers and partners in EMEA, a clear (and good) sign that organisations of all sizes are looking into this matter with more focus than ever before.”
Jamie Akhtar, CEO and co-founder of CyberSmart:
“While conclusive evidence for this kind of attack is often hard to come by, given Norway’s geopolitical position, this bears all the hallmarks of a state-sponsored attack. Over the past 18 months, we’ve seen an increasing number of attacks directly targeting state infrastructure within countries broadly supportive of Ukraine.
“Alongside this, the nature of the incident points to a supply chain attack, whereby cybercriminals attack a supplier or partner of the real target and gain access to its systems through the back door. These attacks are becoming extremely common, so we urge all organisations, be they state bodies or businesses, to pay close attention to the security levels across their supply chains. Likewise, the many thousands of small businesses that provide services to large organisations need to ensure they have robust security controls in place.”
Nadir Izrael, CTO and co-founder of Armis:
“Attacks on government agencies worldwide are becoming more common and persistent. This is due to the widespread disruption and trickling impacts potentially caused by these attacks on critical infrastructure and society overall, if successful. Geopolitical tensions are only exacerbating these threats to agencies, as cyberwarfare has proven to be a cost-effective method of attack for disrupting the everyday lives of civilians.
“Armis continues to warn that these attacks should be seen as a wake-up call. It’s critical that government agencies globally prioritise putting technology and procedures in place to proactively address this risk and reduce vulnerabilities to the ever-expanding attack surface. This starts with visibility into the entire attack surface itself, along with real-time and contextual insights for keeping a constant pulse on what’s connected to the business network at any given time. If you cannot see and do not know that a vulnerability exists within your environment, then you cannot proactively mitigate this risk before a malicious actor exploits it.”
Brad Freeman, Director of Technology at SenseOn:
“Norway is a strategic supplier of Oil & Gas to Europe and disrupting this aligns to the interest of the Russian state, as seen with the latest attacks earlier this year affecting the US Department of Energy, where the MOVEit vulnerability was identified as the source of the attack. The latest attack has the potential to be related to the recent MOVEit vulnerability, especially when taking into consideration the weaknesses found in the platform of one of their suppliers and detection of unusual traffic patterns. However, it’s too early to formally attribute the attack against the Norwegian government ministries to a specific source, and the technical detail is unlikely to ever be released so attribution is speculation.”