UPDATED: The cyber attacks aimed at central bank Norges Bank and eight major banks, financial institutions and telecommunications companies on Tuesday were among the most serious ever to hit the country’s online networks. IT company Evry said it was the first time an attack had targeted so many key players in the Norwegian financial industry. Several airlines suspected they too had been hit.
On Tuesday morning, the news broke that bank DNB had been hit by a DDoS (Distributed Denial of Service) attack, where a server is deliberately overloaded so it can no longer be accessed. Its website and internet banking were down for a little over an hour. There was confusion in the media at the time over exactly how many companies had been hit, but the extent of the attack became apparent throughout the day. Newspaper Dagens Næringsliv (DN) reported on Wednesday that along with Norges Bank and DNB, the attackers hit Sparebank 1, Storebrand, Gjensidige, Nordea and Danske Bank, as well as Norway’s biggest telecommunications company Telenor. Other businesses were also affected.
“The scale is not the largest we have seen, but it is the first time it has hit so many central players in the finance sector in Norway,” said the head of Evry’s security team, Sverre Olesen. It was the first time more than eight finance companies were targeted in a simultaneous attack. The company believed the attack was coming from overseas.
At Evry’s Fornebu headquarters, the technicians were in overdrive. “It has jumped from customer to customer throughout the whole day,” said security analyst Idar Lund. “I will probably be stuck with this through the night.” The company’s engineers explained that those behind the attack had exploited a weakness in the blogging site WordPress to direct traffic towards the computers at Evry and their customers. The cyber attackers used other methods too – Evry said that while Danske Bank and Nordea were also attacked, it was not their Evry systems that were affected.
Anonymous claimed responsibility
DN reported it received an email from online activist group Anonymous Norway on Tuesday afternoon, claiming responsibility for the attacks on Norges Bank and others. The email came through before Norges Bank’s communications department was even aware its website was down. “Tango Down | Status OFFLINE,” the email read. “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us. Sincerely, Anonymous Norway.”
“The motivation behind the current attacks and the next attacks in the future is to get the community to wake up,” the correspondent wrote. “The number of major IT security attacks is increasing and there is nothing being done to prevent such events.” DN said it could not confirm beyond doubt that the message was from Anonymous Norway.
The National Security Authority (Nasjonal sikkerhetsmyndighet, NSM) said it was investigating the attacks, but did not know who was responsible, or why they did it. “On a general basis I can say that the motivations behind such attacks can vary widely,” said technical director Roar Thon. “It can be to highlight yourself or draw attention to a political issue. It can be downright sabotage or vandalism for the sake of fun, or it can be financially motivated.”
“DDoS attacks can be used both for blackmail and as a smokescreen to cover up a real theft of assets or information,” Thon explained. He said the criminals would have used a “botnet”, a large network of infected computers that can be directed to carry out a set task, like sending spam email or running a DDoS attack.
Thon stressed it was different to a hacker attack: the server or site is overloaded, rather than someone actually hacking through security systems to retrieve information. “It requires neither computer skills nor hacking experience to carry out a DDoS attack. It is possible to carry out only with a credit card and the will to destroy.”
NSM communications advisor Fredrik Johnsen could not confirm Evry’s indications the attack came from abroad. “That is the internet’s problem,” he said. “There are many ways to mask where the attack is carried out from.”
Norges Bank confirmed on Tuesday night it had been attacked, and that its website was down for 15 minutes. DNB said it was incredibly expensive to have its netbank down, and it would pursue those responsible criminally and financially. “We must go through our registers and check the normal use, and then how much lost revenue is accounted for in the time the netbank was down,” said communications adviser Vidar Korsberg Dalsbø.
Meanwhile, Gjensidige still had problems into the evening. “It is Evry’s systems, which we are part of, which are under attack,” said information director Øystein Thoresen. “Internet systems are occasionally victim to all possible weird, small and large attacks. Now there is obviously something big happening, but we seldom know who is behind it. It looks like we’re managing to hold off the attack and keep the solutions up. We’re holding on.”
Telenor confirmed its critical infrastructure was also targeted, but it did not know why. “The motivation behind the attack may have been to find vulnerabilities in the company’s infrastructure, possibly to engage in sabotage or industrial espionage,” said information officer Kristine Meek. TV2 reported NetCom also had problems with its webpages from an unknown cause.
Airline sites down
Late on Tuesday night, Scandinavian Airlines (SAS), Norwegian Air and Widerøe reported their Norwegian and Swedish websites were also down. “The cause is most likely a DDoS attack,” Widerøe’s communications director Richard Kongsteien told DN via SMS. “Both our own technicians and our suppliers are working to get the website up again.” Public access was restored after about 20 minutes.
“We will keep on investigating what it is that has happened,” said Henrik Edstrøm from SAS, shortly after half past 10 on Tuesday night. “Currently I cannot answer on whether this has any connection to the attacks earlier today.”
NSM said it handled around 3,000 cyber crime cases last year, of which 50 were considered serious. “The scope of computer crime is at a consistently high level,” said Johnsen. “Several cases get cleared up, but it is a long way to court.”