Norwegian police implicate Fancy Bear in parliament hack, describe ‘brute forcing’ of email accounts
Norwegian authorities on Tuesday got more specific in their accusation of Russian involvement in an August cyberattack on Norwegian parliament, implicating the same notorious group of suspected Russian military intelligence hackers accused of interfering in the 2016 U.S. election.
Fancy Bear or APT28 — a group of hackers linked with Russia’s GRU military agency — was likely behind the breach, which resulted in the theft of “sensitive content” from some Norwegian lawmakers’ email accounts, Norway’s national police agency said in a statement.
The attackers used a common technique called “brute forcing,” which bombards accounts with passwords until one works, to access the Norwegian parliament’s email system, according to the statement signed by Norwegian police attorney Anne Karoline Bakken Staff. The Fancy Bear operatives then tried to move further into parliament’s IT systems, according to the statement, but were unsuccessful.
The intrusions were part of a broader suspected Fancy Bear campaign within and without Norway since at least 2019, Norwegian officials concluded. Norwegian public broadcaster NRK reported that more than 10 organizations in Norway were targeted in the campaign, but did not name them.
Relations between Russia and Norway have grown more tense in recent months after Norwegian authorities expelled a Russian diplomat because of his alleged connection to an espionage case, and Russia retaliated by expelling a Norwegian diplomat.
The parliament breach, whose targets reportedly included members of the opposition Labour Party and a lawmaker who sits on foreign affairs and defense committees, has been a national story in Norway for months. After the Norwegian foreign affairs minister blamed Russia for the cyberattack in October, the Russian government rejected the allegation as “unacceptable.” A spokesperson for the Russian Embassy in Washington, D.C. did not respond to a request for comment on the Norwegian police statement.
European countries have in recent months grown more willing to publicly blame Russia, and the GRU, for cyberattacks, to Washington’s delight. The European Union in October sanctioned Igor Kostyukov, head of the GRU, and Fancy Bear itself for a 2015 cyberattack against Germany’s parliament.
Fancy Bear’s use of “brute-forcing,” a blunt and unsophisticated technique, is the latest example of how so-called advanced persistent threat groups “don’t necessarily use advanced techniques,” said Katie Nickels, director of intelligence at cybersecurity company Red Canary. “Basic security measures like implementing multi-factor authentication can help protect against a range of adversaries, regardless of their motivation.”
“As a community, we need to get rid of this idea that APTs always use advanced techniques,” Nickels said. “Sometimes they do, and those techniques can be tough to prevent and detect, but we’re doing ourselves a disservice by focusing too much on ‘advanced’ techniques to the detriment of basic cyber hygiene.”
Fancy Bear gained notoriety as one of two suspected Russian groups to break into the Democratic National Committee ahead of the 2016 U.S. election as part of an effort to upend Hillary Clinton’s campaign. But the hacking group has for years carried out operations against Russian adversaries. Ahead of the Tokyo Olympics, Fancy Bear has tried to break into the networks of anti-doping agencies, according to Microsoft. The hackers also targeted Republican and Democratic consultants before the 2020 U.S. election, Microsoft said.
The Norwegian investigation, which was assisted by national security and intelligence agencies in that country, faulted Norway’s parliament for having insecure passwords. The Storting, as Norway’s parliament is known, manages sensitive information that is “of great interest to several foreign states’ intelligence service,” the police statement said.
Norwegian police said the hack could be a violation of the Norwegian penal code, but added that they did not have enough evidence to indict the perpetrators.
“PST [the Norwegian national police agency] see no purpose in investigating further, because we will never reach the goal of bringing someone to court in Norway,” PST spokesman Martin Bernsen said in an email. “It would also have been enormously resource-intensive.”