{
	"id": "7fd90d0d-f49f-4831-b80a-64448a1ada81",
	"created_at": "2026-04-06T00:22:22.679575Z",
	"updated_at": "2026-04-10T03:37:49.637466Z",
	"deleted_at": null,
	"sha1_hash": "804cf994a3dac7ee93bf9868bf72fc8c821a87b8",
	"title": "Norway says Russian hacking group APT28 is behind August 2020 Parliament hack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 611814,
	"plain_text": "Norway says Russian hacking group APT28 is behind August 2020\r\nParliament hack\r\nBy Written by Catalin Cimpanu, ContributorContributor Dec. 8, 2020 at 6:42 a.m. PT\r\nArchived: 2026-04-05 16:17:01 UTC\r\nAPT28, one of Russia's military hacking units, was most likely responsible for hacking the email accounts of the\r\nNorwegian Parliament, the Norwegian police secret service (PST) said today.\r\nSpecial feature\r\nThe Norwegian Parliament (Stortinget) hack was disclosed earlier this year on September 1. At the time,\r\nStortinget director Marianne said that hackers gained access to the Parliament's email system and accessed\r\ninboxes for Stortinget employees and government elected officials.\r\nSEE: Meet the hackers who earn millions for saving the web, one bug at a time (cover story PDF)\r\n(TechRepublic)\r\nNo details about the hack were made public in September, but in a follow-up in October, Foreign Minister Ine\r\nEriksen Søreide said that initial clues suggested that the attack was most likely carried out by Russian hackers, an\r\naccusation that Moscow immediately denied.\r\nThe next day, Russian Foreign Ministry spokeswoman Maria Zakharova dismissed the allegations as \"a planned\r\nprovocation\" from Norwegian officials looking to \"destroy bilateral relations\" with \"no evidence.\"\r\nKonstantin Kosachev, Head of the Russian Federation Council's Committee on Foreign Affairs, also commented\r\non the matter, calling Oslo's accusations of Russian involvement in the Stortinget hack as \"groundless.\"\r\nhttps://www.zdnet.com/article/norway-says-russian-hacking-group-apt28-is-behind-august-2020-parliament-hack/\r\nPage 1 of 3\n\nNorwegian secret service publishes its findings\r\nBut in a PST press release today, Norway's cyber-security agency held the line with the government's initial\r\nOctober accusations.\r\n\"The analysis shows that it is likely that the operation was carried out by a cyber actor referred to in open sources\r\nas 
APT28 and Fancy Bear,\" PST officials said.\r\n\"This actor is linked to Russia's military intelligence service GRU, more specifically their 85th Special Services\r\nCenter (GTsSS),\" they added.\r\nPST officials said APT28 hackers breached Stortinget email accounts and tried to pivot to the Parliament's internal\r\nnetworks but failed.\r\nInvestigators said Stortinget was to blame for the intrusion as officials and employees used weak email passwords\r\nand failed to use two-factor authentication to protect accounts.\r\nOther details about the intrusions couldn't be revealed due to the sensitive nature of the hack.\r\nPST officials said the attack against its Parliament was part of a larger APT28 campaign that began in 2019 and\r\nwhich targeted multiple other targets, both inside Norway and abroad.\r\nWhile the PST press release doesn't mention it by name, the Norwegian cyber-security agency appears to be\r\nreferring to a recent Microsoft report detailing a recent shift in APT28 tactics.\r\nAccording to this report, from September 2019, the APT28 group started using brute-force and credentials\r\nharvesting attacks on a larger scale and began targeting Office365 accounts in order to gain access to email\r\naccounts of more than 200 private and government organizations.\r\nPST officials said that despite linking the attacks to known APT28 tactics, they weren't able to gather enough\r\nevidence to file a formal indictment, as Germany did earlier this year against an APT28 member involved in the\r\nhack of its Parliament (the Bundestag) in 2015.\r\nThe APT28 group is also known in the cyber-security industry under other names, including Sofacy, Fancy Bear,\r\nSednit, Strontium, and more. It is one of the most active Russian state-sponsored hacking groups, believed to have\r\nbeen involved in hacks against the Pentagon, the German Parliament, NATO, the DNC in 2016, the World Anti-Doping Agency, and many more. 
The group's members are subject to many indictments and international\r\nsanctions.\r\n\"Although we have not seen the activity mentioned in [the PST] report, during the last years, we have researched\r\nseveral Sofacy operations targeting entities in Scandinavian countries,\" Costin Raiu, Director of the Kaspersky\r\nGlobal Research \u0026 Analysis Team (GReAT), told ZDNet.\r\n\"It is important to mention the activities we observed are not recent and date back to 2016-2018,\" Raiu added.\r\n\"Most recently, it would appear that Sofacy changed their TTPs, with a focus on credentials harvesting and then\r\nexpanding access through cloud services and various network equipment, as opposed to their traditional endpoint\r\ninfection ops. This makes them much harder to track and detect than before and especially way more difficult to\r\nattribute, due to lack of custom software artifacts,\" the Kaspersky security researcher said.\r\nArticle updated shortly after publication with comments from Kaspersky.\r\nSource: https://www.zdnet.com/article/norway-says-russian-hacking-group-apt28-is-behind-august-2020-parliament-hack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/norway-says-russian-hacking-group-apt28-is-behind-august-2020-parliament-hack/"
	],
	"report_names": [
		"norway-says-russian-hacking-group-apt28-is-behind-august-2020-parliament-hack"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434942,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/804cf994a3dac7ee93bf9868bf72fc8c821a87b8.pdf",
		"text": "https://archive.orkl.eu/804cf994a3dac7ee93bf9868bf72fc8c821a87b8.txt",
		"img": "https://archive.orkl.eu/804cf994a3dac7ee93bf9868bf72fc8c821a87b8.jpg"
	}
}