Storting (Norwegian Parliament) email breach

In August 2020, the Storting — Norway's national parliament — suffered an intrusion into its email system that Norwegian authorities would later attribute to APT28 (Fancy Bear), a unit of Russia's military intelligence service, the GRU. The breach became one of the most consequential state-attributed cyber operations against a Western legislature, prompting a rare public naming of Russia by the Norwegian government.

What happened

On 24 August 2020, attackers brute-forced their way into a limited number of email accounts belonging to elected representatives and Storting employees. Brute-forcing — systematically guessing passwords against accounts that lacked sufficient protection — gave the intruders direct access to the contents of those mailboxes. Investigators later confirmed that data was stolen from each of the compromised accounts, though the parliament did not publish a precise count of affected individuals or volume of exfiltrated material.

The Storting disclosed the incident on 1 September 2020, describing it as a "significant" attack. Director Marianne Andreassen said the full scope was still being assessed.

Attribution

Norway moved unusually quickly to attribution. On 13 October 2020, Foreign Minister Ine Eriksen Søreide stated that the attack was the work of Russia, calling it "a very serious incident affecting our most important democratic institution." Russia's Foreign Ministry dismissed the accusation as a "planned provocation."

In December 2020, the Norwegian Police Security Service (PST) concluded its investigation, assessing that the operation was likely conducted by APT28 / Fancy Bear, linked to the GRU's 85th Main Special Service Centre (GTsSS) — the same unit indicted by the U.S. for operations against the 2016 election and the World Anti-Doping Agency. PST noted the Storting intrusion was part of a larger campaign running nationally and internationally since at least 2019.

Impact

Email accounts of an undisclosed number of MPs and staff were accessed, with data exfiltrated from each.
The breach forced a parliament-wide credential reset and a hardening of authentication, including accelerated multi-factor adoption.
It became a defining test case for Norway's policy of public political attribution of state-sponsored cyber operations.

Why it matters

The Storting breach showed that even small, well-resourced democracies are persistent targets for foreign intelligence services seeking insight into political deliberations. Norway's decision to name Russia publicly — and to back it with a formal PST attribution — marked a shift toward deterrence-by-disclosure among Nordic states. The incident also exposed how weak password policies and missing multi-factor authentication on a legislative email system can hand a hostile intelligence service the keys to a nation's political correspondence.

Timeline

August 24, 2020

Attackers brute-force and gain access to a limited number of email accounts belonging to Storting representatives and employees.

September 1, 2020

The Storting publicly discloses that its email system was breached and that data was extracted from affected accounts.

October 13, 2020

Norway's Minister of Foreign Affairs Ine Eriksen Søreide publicly attributes the attack to Russia.

December 8, 2020

The Norwegian Police Security Service (PST) concludes the operation was likely carried out by APT28 (Fancy Bear), linked to the GRU.

March 1, 2021

The Storting is hit by a separate intrusion exploiting Microsoft Exchange ProxyLogon flaws, which it states is unrelated to the 2020 APT28 breach.

Sources

regjeringen.nohttps://www.regjeringen.no/en/aktuelt/datainnbruddet-i-stortinget/id2770135

securityweek.comhttps://www.securityweek.com/norway-accuses-russian-hackers-parliament-attack/

bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/norway-russian-apt28-state-hackers-likely-behind-parliament-attack/

infosecurity-magazine.comhttps://www.infosecurity-magazine.com/news/norwegian-parliament-attack-fancy/

bankinfosecurity.comhttps://www.bankinfosecurity.com/norway-says-russia-linked-apt28-hacked-parliament-a-15561

Related incidents

Vulnerability exploitResolvedJuly 24, 2023

Norwegian government Ivanti zero-day breach

Attackers exploited an Ivanti Endpoint Manager Mobile zero-day (CVE-2023-35078, CVSS 10.0) to breach a shared ICT platform used by 12 Norwegian government ministries, with exploitation traced back to at least April 2023.

Victim: Norwegian government (12 ministries)

EspionageResolvedDecember 28, 2020

Finnish Parliament espionage hack

A state-sponsored cyber-espionage operation attributed to China's APT31 breached the internal IT systems of the Finnish Parliament in 2020, compromising email accounts belonging to members of parliament.

Victim: Eduskunta (Parliament of Finland)

Vulnerability exploitResolvedDecember 25, 2020

Reserve Bank of New Zealand Accellion FTA breach

Attackers exploited a zero-day in the legacy Accellion File Transfer Appliance to breach New Zealand's central bank, accessing commercially and personally sensitive files; the cleanup cost the Reserve Bank around NZ$3.5 million.

Victim: Reserve Bank of New Zealand (Te Pūtea Matua)
Loss: $2.4M

Supply chainContainedDecember 13, 2020

SolarWinds SUNBURST supply-chain compromise (Cozy Bear)

Russian SVR operators trojanized SolarWinds Orion build infrastructure, distributing a backdoored update to 18,000 customers including the U.S. Treasury, Commerce, DHS, State, and Energy departments. The defining state cyberespionage operation of the decade.

Victim: SolarWinds (Orion customers — ~18,000 organisations including 9 U.S. federal agencies and Microsoft, FireEye, Mimecast)
Loss: $100.00B