Attacks in Norway
Overview of publicly known cyberattacks against Norwegian organisations, based on open sources.
Each entry is grounded in open sources — NSM bulletins, established media coverage, and the affected organisations' own disclosures. FM does not publish confidential information from client engagements.
| Date | Target | Sector | Type | Source |
|---|---|---|---|---|
| | Lørenskog kommune (Confirmed): Lørenskog municipality hit by serious cyberattack on Saturday 9 May. Schools, NAV and nursing homes lost access to core IT systems. Attacker left a ransom note. Kripos investigating. | Public sector (municipality) | Cyberattack with ransom demand | Lørenskog kommune +5 |
| | Fredrikstad and Hvaler kommune (Confirmed): Fredrikstad and Hvaler municipalities had directory data on ~7,000 employees posted on a criminal forum 2 May. Employee search function abused to expose names, emails, phone numbers. | Public sector (municipality) | Data leak via abused employee search (Ansattsøk) function | Fredrikstad kommune +2 |
| | Instructure (Canvas) and 37 Norwegian educational institutions (Confirmed): Canvas vendor Instructure leaked 3.65 TB. 37 Norwegian institutions affected including UiO, NTNU, OsloMet, NMBU, Innlandet, USN. ShinyHunters behind it. Ransom paid 11 May. | Education | Data leak and extortion (ShinyHunters) | VG +5 |
| | Sats Norge (Sats ASA) (Confirmed): Sats Norway hit by data breach 14 March. 3,750 current and former employees affected via file server with HR and accounting data. Membership system not affected. Criminal group threatened to leak. | Fitness / Retail and services | Data breach with extortion | SATS ASA +9 |
| | Wilhelmsen Ship Management (ship systems) (Confirmed): Crypto virus on selected onboard PCs of a vessel operated by Wilhelmsen Ship Management on 18 February. No land-based systems affected. Lockbit 5.0 claimed responsibility via leak site. | Shipping / Transport | Ransomware (Lockbit 5.0 claims responsibility) | Techwatch +2 |
| | 31 Norwegian law firms (aggregate report) (Confirmed): AdvokatWatch reported that 31 Norwegian law firms were affected by digital security breaches in 2025, tied to NSR warnings about Microsoft 365 account compromises. | Legal services / Finance | Data breach / phishing (Microsoft 365) | AdvokatWatch +1 |
| | Lyd & Bilde (Confirmed): Lyd & Bilde's websites compromised with a fake reCAPTCHA/ClickFix popup trying to trick visitors into running malicious PowerShell scripts. Both Norwegian and Swedish editions hit. | Media (Norwegian trade magazine/website) | ClickFix social engineering | Digi.no |
| | Statsforvalteren i Innlandet and others (6 county governors) (Confirmed): Six county governor offices issued FOIA PDFs with unredacted national ID numbers and names in metadata. At least 150 people affected in Innlandet. Datatilsynet notified. | Public sector (county governors) | Data leak (PDF metadata, unredacted personal information) | Digi.no +3 |
| | Several Norwegian companies (SonicWall SSL VPN campaign) (Confirmed): Kripos warned in Jan 2026 that several Norwegian SMBs were hit by ransomware via old SonicOS SSL VPN bug. First known incident in Nov 2025. Akira suspected. Victims unnamed. | Multiple industries (SMB) | Ransomware (Akira suspected) via SonicOS vulnerability | Politiet (Kripos) +1 |
| | Veterinærinstituttet (Confirmed): Unknown intruders accessed the Norwegian Veterinary Institute's computer systems. The case was reported to police. Security chief could not determine the cause. | Public sector / Research | Data breach (entry vector undetermined) | Nationen |
| | Helsenorge (Norsk helsenett SF) (Confirmed): Technical fault on Helsenorge briefly exposed other patients' national ID numbers and names for about 50 minutes. Not external hacking. Norsk helsenett notified Datatilsynet. | Health | Privacy incident / technical fault | VG +1 |
| | Dynamic Precision Norge AS (Kjeller) (Confirmed): Dynamic Precision in Kjeller, a Norwegian PCB manufacturer supplying defense and aerospace, hit by a data breach involving server encryption (ransomware). | Industry / Electronics (defence supplier) | Ransomware | Digi.no |
| | Lovdata (Confirmed): Lovdata's websites suffered DDoS over several days in September. Attackers attempted to overload the systems to make the site unavailable. User data not targeted. | Public / Legal (legal database) | DDoS | Digi.no +4 |
| | Høyre (political party) (Confirmed): The Conservative Party's websites hit by DDoS in final week of the parliamentary election campaign. NSM and the party attributed it to pro-Russian NoName057(16). | Politics / Civil society | DDoS (NoName057(16)) | VG/DN +3 |
| | Ringerike + several municipalities and Østfold fylkeskommune (Confirmed): Ringerike and several Norwegian municipalities plus Østfold county council had websites hit by DDoS. Pro-Russian NoName057(16) claimed responsibility, motivated by the election. | Public sector (municipality/county council) | DDoS (NoName057(16)) | NRK Buskerud +2 |
| | Unnamed company in Eastern Norway (PST-confirmed) (Confirmed): PST confirmed a new data breach in Eastern Norway by the same pro-Russian group as the Bremanger dam. Physical processes affected without danger. Victim not publicly named. | Industry (unspecified) | Data breach / OT impact (pro-Russian hacktivism) | Aftenposten +2 |
| | Extend AS + Bergen/Drammen/Kristiansand/Ringsaker municipalities + NTNU (Confirmed): Trondheim software vendor Extend AS hit by ransomware. Four municipalities (Bergen, Drammen, Kristiansand, Ringsaker) and NTNU (~77,500 emails in test env) had data compromised via EQS. | IT vendor → Public sector / Education | Supply chain ransomware | Digi.no +4 |
| | Narvik havn (Confirmed): Hackers encrypted two servers and exfiltrated ~10 GB from Narvik port, a NATO-strategic logistics hub. A previously unknown group published the data. Kripos and NSM notified. | Transport / Port (NATO-strategic) | Ransomware / data breach | Digi.no +4 |
| | Risevatnet dam, Bremanger (Breivika Eiendom) (Confirmed): Pro-Russian hackers opened a valve at the Risevatnet dam in Bremanger, releasing 500 L/s for nearly 4 hours. PST attributed in August to a pro-Russian group via weak password. | Energy / Critical infrastructure (hydropower) | OT attack (pro-Russian hacktivism) | Aftenposten +2 |
| | Logistics firm in Skjetten (unnamed) (Confirmed): Freight and logistics firm in Skjetten near Lillestrøm hit by ransomware. Company (~30 employees, ~NOK 100M revenue) had to wipe its own servers to recover. Identity withheld. | Transport / Logistics | Ransomware | Digi.no |
| | Genus AS (vendor to the police) (Confirmed): Genus, no-code platform vendor to the Norwegian police, hit by ransomware in January. Several GB of sensitive data incl. customer contracts with national ID numbers leaked on the dark web. | IT/Tech (no-code platform) | Ransomware with data theft | Digi.no +1 |
| | Unacast / Gravy Analytics (Norwegian-American) (Confirmed): Location data broker Unacast/Gravy Analytics hacked. About 146,000 Norwegian mobile devices likely affected; movement data leaked on a Russian hacker forum. Datatilsynet notified. | IT/Tech (location data broker) | Data leak (AWS cloud storage) | NRK Østfold +3 |
| | Gran kommune (Confirmed): Gran municipality detected an intrusion on 17 December. Attackers had a foothold on an unpatched server and installed VNC, stopped before ransomware deployment. No known exfiltration. | Public sector (municipality) | Data breach / ransomware attempt (stopped) | NRK Innlandet +5 |
| | Tensio (grid company) (Confirmed): Personal data on Tensio employees (incl. national ID numbers and salaries) was inadvertently made public on an external site by a partner during a pension tender. Datatilsynet notified. | Energy (grid company) | Data leak (erroneous publication by partner) | Tensio |
| | Hå Rugeri AS (Nortura subsidiary) (Confirmed): Attackers took over the CEO's email at Hå Rugeri and sent a fake invoice to a supplier who paid EUR 73,686 (~NOK 868,000) to the wrong account. Reported to Datatilsynet and police. | Industry / Agriculture | BEC / CEO fraud | Digi.no +2 |
| | ISAR Aerospace Norge AS (Andøya) (Confirmed): Norwegian police investigated a suspected data breach at ISAR Aerospace Norge on Andøya. A Hungarian former employee was arrested for downloading company data to an external drive. | Industry / Defence (space) | Insider threat / data theft | Digi.no +2 |
| | Skanlog (Vinmonopolet's supply affected) (Confirmed): Logistics firm Skanlog hit by LockBit 3.0 ransomware on 21 April. Deliveries to Vinmonopolet halted. Skanlog represented ~20% of Vinmonopolet's volume. | Transport / Logistics → Retail | Ransomware (LockBit 3.0) | TV 2 +3 |
| | Avarn Security AS (Confirmed): Avarn Security AS confirmed it was hit by ransomware on 22 February 2024. IT teams worked to contain damage and restore operations; customers were notified. | Security / Services | Ransomware | NRK +1 |
| | APT28 / Fancy Bear router operation (Norwegian TP-Link routers as proxy) (Confirmed): PST, FBI and partners disrupted a Russian APT28 router botnet using vulnerable TP-Link devices as relays. About ten compromised routers in Norway were identified and patched. | Telecom / Infrastructure (consumer routers) | State network operation (routers used as proxy) | VG +1 |
| | Sør-Varanger kommune (Confirmed): Police notified Sør-Varanger that login credentials had been resold on the dark web for $10. The attack was stopped in early reconnaissance with help from Atea. | Public sector (municipality) | Data breach (reconnaissance, stopped) | Sør-Varanger kommune +1 |
| | Norske Boligbyggelag (NBBL) (Confirmed): NBBL trade body and subsidiaries (incl. insurance arms) hit by ransomware. NBBL refused to pay ransom. Reported to Datatilsynet and police. | Housing / Finance | Ransomware | NBBL +4 |
| | Tietoevry (Moelven Industrier ASA affected in Norway) (Confirmed): Akira ransomware hit a Tietoevry data center in Sweden on the night of 20 January. Norwegian customers including Moelven Industrier were indirectly impacted via shared services. | IT/Tech (IT operations provider) | Ransomware (Akira) | Digi.no +3 |
Have corrections or additional sources? Email [email protected].