The Norwegian Investment Fund, the sovereign wealth fund of Norway, has lost over $10 million after falling victim to a sophisticated Business Email Compromise (BEC) scam, the group has admitted.
“Norfund has been exposed to a serious case of fraud through an advanced data breach,” the group acknowledged in a statement on May 13. “There are still many details that require further investigation, but as of today we can say that a series of events have enabled this fraud.”
The series of events that enabled the fraud allegedly saw scammers spend months inside the networks of the sovereign wealth fund, successfully bagging around £8.2 million ($10 million) by spoofing email addresses, fabricating payment information and directing the stolen cash into their own account.
“We are now working to get a full overview of the sequence of events and take appropriate measures to strengthen our routines and systems in order to prevent this from happening again,” Norfund wrote. “The fact that this has happened shows that our existing systems and routines were not secure enough.”
Norfund, a private equity company established by the Norwegian Storting in 1997, is the largest sovereign wealth fund in the world and is owned by the Norwegian Ministry of Foreign Affairs.
Norfund’s data breach as it happened
By both manipulating data and falsifying information, the cybercriminals behind the BEC scam managed to impersonate a credible borrowing institution, and thus divert funds into their own pockets. Using this tactic, the hackers left the rightful recipients and the sovereign wealth fund high and dry.
Reports allege that the diverted funds were channeled into a bank account in Mexico held under the same name as the microfinance institution organized in Cambodia. The resulting delay in payment was falsely attributed to the COVID-19 lockdown in Norway.
The BEC scam unfolded on March 16, but went undetected until April 30, when the criminals allegedly attempted to use the same method to try to extract more cash from the sovereign wealth fund.
“Through an advanced data breach, the defrauders were able to access information concerning a loan of USD 10 million (approx. 100 million NOK) from Norfund to a microfinance institution in Cambodia,” the company’s statement explained.
“The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified,” the statement added.
In order to get to the bottom of the breach and better protect the sovereign wealth fund against future BEC scams, Norfund hired PwC to review its security systems. It is also working jointly with the Norwegian Ministry of Foreign Affairs to investigate the matter.
BEC scam questions
BEC scams, which the attack on Norfund resembles, are a cunning form of cybercrime that uses email fraud to attack organizations of all kinds.
While Norfund did not explicitly describe the attack it suffered as a BEC scam, the incident nevertheless bears all of the major hallmarks of this type of cybercrime. These include the hijacking of email credentials belonging to top brass in a given organization, typically through phishing, and the subsequent tricking of lower-level employees into transferring cash for a false cause.
Given that the attack on Norway’s sovereign wealth fund followed this precise template, it is likely that Norfund fell victim to a BEC scam.
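The pattern described in this section and above (a payment instruction arriving from a look-alike sender, naming the real borrower but pointing at a new account in a different country) is the kind of change a payments team can screen for before funds move. The following check is an added illustration, not Norfund's or PwC's code; the counterparty names, domains and account strings are constructed placeholders.

```python
# Added example: hold a vendor/borrower payment-detail change for out-of-band
# verification when it shows the hallmarks of BEC. All data here is constructed.
from dataclasses import dataclass


@dataclass
class Counterparty:
    name: str
    email_domain: str   # domain the counterparty normally writes from
    bank_country: str   # ISO country of the account on file
    account: str        # account identifier on file


@dataclass
class PaymentRequest:
    sender_domain: str  # domain of the email that carried the instructions
    beneficiary_name: str
    bank_country: str
    account: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small non-zero values mean a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_payment_change(cp: Counterparty, req: PaymentRequest) -> list[str]:
    """Return reasons to hold this request; an empty list means no BEC flags."""
    flags = []
    d = edit_distance(req.sender_domain.lower(), cp.email_domain.lower())
    if 0 < d <= 2:
        flags.append(f"look-alike sender domain {req.sender_domain!r} vs {cp.email_domain!r}")
    elif d > 2:
        flags.append(f"sender domain {req.sender_domain!r} is not on file for {cp.name}")
    if req.account != cp.account:
        # Same beneficiary name with a new account is the classic BEC switch.
        flags.append("beneficiary account differs from the account on file")
    if req.bank_country != cp.bank_country:
        flags.append(f"beneficiary bank in {req.bank_country}, counterparty on file in {cp.bank_country}")
    return flags


def may_release(cp: Counterparty, req: PaymentRequest) -> bool:
    """Release only when no flag fired; anything flagged needs a phone callback."""
    return not review_payment_change(cp, req)
```

A single flag is enough to require a callback to a phone number already on file, never to a number supplied in the same email thread.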
Even a sovereign wealth fund isn’t safe
The sophisticated BEC scam that hit Norfund clearly illustrates that even institutions typically regarded as ‘safe’, such as a sovereign wealth fund in a developed nation, remain vulnerable to the exploits of hackers.
“This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation through active use of digital channels are vulnerable,” Norfund’s CEO Tellef Thorleifsson affirmed to this end.
“The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this,” he added.
According to Chris Hazelton, Director of Security Solutions at mobile security firm Lookout, the details of how the attack was carried out remain unclear, but the fact that threat actors “were able to ‘manipulate the communication between Norfund and the intended recipient’ points to either BEC or phishing as a likely entry point for attackers.”
“This speaks to the risks of digital communications and transactions, particularly where there is an immediate monetary gain for attackers,” explained Hazelton. “As more organizations move to digitization of banking and all other processes, there is a need to have multiple layers of security.”
This is largely supported by Javvad Malik, a security awareness advocate at cybersecurity solutions firm KnowBe4, who further points out that the incident underscores the fact that, as organizations become ever more digitalized, so too does the risk of hackers gaining access to internal systems and emails.
Malik believes, therefore, that only layered defense systems can rise to meet the challenge posed by the increasing complexity of cyberattacks.
“The human element forms a critical layer in this approach. It’s important to provide security awareness and training to all employees so that they can identify any suspicious phishing emails, in particular BEC or CEO fraud emails. Having well-trained employees can be the difference between remaining secure, or suffering a great loss.”