Russian-backed hacking group APT28 likely brute-forced multiple Norwegian Parliament (Stortinget) email accounts on August 24, 2020, according to the Norwegian Police Security Service (PST, short for Politiets Sikkerhetstjeneste).
Attackers gained access to a limited number of Stortinget email accounts belonging to representatives and employees, as disclosed by Stortinget director Marianne Andreassen.
A statement published on the parliament’s site on September 1 said that the attackers were able to steal data from each of the hacked email accounts; however, investigators didn’t disclose what data was exfiltrated from the compromised parliamentary email inboxes.
One month later, Norway’s Minister of Foreign Affairs Ine Eriksen Søreide shared additional info on the August Parliament attack, saying that Russian hackers were responsible for the breach.
Russia officially denied Norway’s accusations, saying that they aren’t based on evidence, according to news agency TASS.
“As usual, accusations are posed with no effort made to present any proof or to propose to discuss the incident at an expert level,” Konstantin Kosachev, the head of the Russian Federation Council Committee on Foreign Affairs, said in a statement.
APT28 likely behind Parliament attack
However, the Norwegian Police Security Service now says that, following a coordinated investigation with the Joint Cyber Coordination Center, it found that the Russian state-sponsored APT28 hacking group was likely behind the August 2020 Stortinget attack.
“The analysis shows that it is likely that the operation was carried out by the cyber actor referred to in open sources as APT28 and Fancy Bear,” Norwegian Police Attorney Anne Karoline Bakken Staff said.
“This actor is linked to Russia’s military intelligence service GRU, more specifically their 85th Special Services Center (GTsSS).
“The investigation shows that the operation that the Storting was affected by is part of a larger campaign nationally and internationally, which has been going on at least since 2019.”
APT28 operators hacked a large number of Stortinget email accounts, using brute-forcing to obtain valid credentials, and used those credentials to log into a limited number of accounts.
The hackers also tried to further infiltrate the Stortinget computer systems but, based on all evidence, they failed in their attempts.
They were able to gain access to the Stortinget and personal accounts by taking advantage of insecure passwords and the fact that the users did not enable two-factor authentication (2FA).
Sanctioned for a similar attack on the German Federal Parliament
APT28 (also tracked as Sofacy, Fancy Bear, Sednit, STRONTIUM) is a group of Russian nation-state hackers, members of Unit 26165 and Unit 74455 of the Russian Main Intelligence Directorate (GRU), the country’s military intelligence service.
They are known for coordinating multiple cyber-espionage campaigns targeting governments around the world and for their involvement in a 2015 hack of the German federal parliament and attacks on the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) in 2016.
Members of this elite Russian military hacking unit were charged by the US for hacking the DNC and the DCCC, as well as for targeting and hacking individual members of the Clinton Campaign.
The Council of the European Union also announced sanctions in October against multiple APT28 members for their involvement in the 2015 hack of the German Federal Parliament (Deutscher Bundestag).
Just as in the attack against the Stortinget, the Deutscher Bundestag attack affected the parliament’s operation for several days in April and May, and led to the compromise of several parliament members’ email accounts.