A Norwegian municipal pension fund has revealed it was hacked last summer, in an incident when cyber criminals were apparently preparing to transfer large sums out the NOK3.5bn (€322m) fund.
However, ICT specialists at the local authority on Norway’s west coast spotted the attack and took action before perpetrators were able to steal any money, according to a news report in specialist publication Kommunal Rapport.
Heidi Sunde, chief executive officer of Haugesund Kommunale Pensjonskasse (HKP), told IPE: ”What it all boils down to is how important it is to have very good security routines and an ICT supplier that takes IT security seriously.”
At the end of August last year, the ICT department at the council discovered a suspicious login with Sunde’s details in the US – although the CEO was not in the US at the time.
“We manage NOK3.5bn, and it is very unpleasant that someone manages to hack in. It looks as if this was a preparation to be able to carry out large money transfers. It is simply terrifying,” the CEO said in today’s Kommunal Rapport.
Eirik Østensjø, ICT manager at Haugesund municipality, was reported as saying that following the login, the CEO’s password was changed and new attempts to connect from the US were then seen to fail.
But the following day, the CFO of HKP received an email seemingly from Sunde telling her to prepare an international money transfer.
“We saw this in connection with the login the day before, and then the alarm went off,” said Østensjø.
“We took in all the computer and telephone equipment the CEO had and contacted the incident management team at Atea,” he said, referring to the IT infrastructure provider for public-sector organisations in the Nordic and Baltic regions.
The cyber specialists concluded the CEO had been subjected to a phishing attack, but it was not clear whether this has taken place via email or whether Sunde had clicked on a website, according to the news report.
Even though HKP had two-factor verification, hackers had still gained access to the account, Kommunal Rapport wrote.
Østensjø said: “We knew that it was theoretically possible to hack past two-factor authentication, but I am not aware that this has happened in Norway before.”
Investigations showed the hackers had used the phishing tool EvilProxy to gain access to the session token, an encrypted unique session identifier which then enables hackers to bypass requirements for multi-authentication, according to the article.
But probes have not been able to reveal who or which hacker groups could have been behind the attack, with logins have come from the US, but been carried out during European office hours, the publication reported.
No comments yet