Norwegian officials are accusing pro-Russia hackers of being behind a cyberattack in early April in which the attackers briefly took control of a dam and released millions of gallons of water.

It was the first time Norway had linked the attack on the dam to Russia, but in a national threat assessment report released earlier this year, the country’s security police service (PST), intelligence agency, and national security authority wrote that Russia continues to be the greatest threat to Europe, including Norway.

“Over the past year, Russia has demonstrated its resolve and ability to carry out sabotage operations on European soil,” Beate Gangås, head of the PST, wrote in the report, noting that countries like Russia and China will continue using proxies to carry out such actions in Norway. “We expect 2025 to be marked by hybrid threats. Such threats include sabotage, influence operations and illegal intelligence.”

Norway Blames Pro-Russian Group for Hack of Water Dam

At the annual Arendalsuka national forum in the city of Arendal this week, Gangås said Russia continues to run cyber operations against targets in the West and that the attack on the Bremanger dam at Lake Risevatnet was one of them, according to a report in the newspaper VG.

“They don’t necessarily want to spread destruction, but to show what they are capable of,” she said, adding that the goal is to create fear among Norwegians and doubt about the country’s security, and that the dam was targeted because of Norway’s wide use of hydropower.

“Over the past year, we have seen a change in activity from pro-Russian cyber actors,” she added. “The aim of this type of operation is to influence and to cause fear and chaos among the general population. Our Russian neighbor has become more dangerous.”

Russian officials have denied any responsibility.

Weak Security at the Dam

According to reports, during the hack, about 132 gallons of water per second were released before water officials detected and shut down the attack.

A report in July by operational technology (OT) security vendor Radiflow found the hackers took control of one of the dam’s water discharge valves and remotely opened it.

“The attackers set the valve to 100% capacity for approximately four hours, causing an increased outflow of 497 liters per second above normal,” the Radiflow researchers wrote. “Although this figure was well within the dam’s safe design – its riverbed can handle up to 20,000 liters per second – the event exposed a severe operational risk: attackers had real-time control of physical processes, and safety depended on sheer luck and detection.”

They wrote that the bad actors exploited a weak password used to protect a web-accessible human-machine interface (HMI).

“This credential weakness, combined with the HMI’s direct internet exposure, allowed remote attackers to command critical operations undetected for hours,” the researchers wrote. “Only after roughly four hours did operators spot the unauthorized change and restore the system. … No physical damage occurred, but only because the attackers did not push the process past safe boundaries.”
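The gap Radiflow describes, a valve held at 100% for about four hours before anyone noticed, is the kind of condition a simple sustained-deviation check on process telemetry can surface in minutes. The following is an added example, not code from Radiflow, the dam operator, or this article; the baseline flow, approved setpoint, thresholds, sample data and function names are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# All values below are constructed for illustration, except the +497 L/s
# delta and the four-hour duration, which come from the article.
BASELINE_LPS = 150.0             # assumed normal outflow
APPROVED_VALVE_PCT = 20          # assumed approved valve setpoint
DEVIATION_LPS = 100.0            # assumed alert threshold above baseline
SUSTAIN = timedelta(minutes=10)  # assumed persistence before alerting

def constructed_telemetry():
    """Constructed 5-minute samples: normal for 2 h, valve at 100% for 4 h, normal again."""
    start = datetime(2025, 1, 1, 8, 0)  # arbitrary date, not the incident date
    rows = []
    for i in range(96):
        ts = start + timedelta(minutes=5 * i)
        tampered = timedelta(hours=2) <= ts - start < timedelta(hours=6)
        valve = 100 if tampered else APPROVED_VALVE_PCT
        flow = BASELINE_LPS + (497.0 if tampered else 0.0)
        rows.append((ts, valve, flow))
    return rows

def detect(rows, approved_changes=()):
    """Return (alert_time, deviation_start, reasons) for the first sustained
    deviation not covered by an approved change window, or None."""
    since = None
    for ts, valve, flow in rows:
        reasons = []
        if valve != APPROVED_VALVE_PCT:
            reasons.append(f"valve at {valve}%, approved {APPROVED_VALVE_PCT}%")
        if flow - BASELINE_LPS > DEVIATION_LPS:
            reasons.append(f"outflow {flow - BASELINE_LPS:.0f} L/s above baseline")
        approved = any(a <= ts < b for a, b in approved_changes)
        if reasons and not approved:
            if since is None:
                since = ts
            if ts - since >= SUSTAIN:
                return ts, since, reasons
        else:
            since = None
    return None

if __name__ == "__main__":
    alert, began, why = detect(constructed_telemetry())
    print(f"deviation began {began:%H:%M}, alert raised {alert:%H:%M}: {'; '.join(why)}")
```

Passing the operator's approved change windows as `approved_changes` keeps planned valve operations from alerting, so only setpoint changes nobody signed off on are flagged.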

Pointing the Finger at Russia

They added that a forensic investigation pointed to Z-Pentest, a Russian hacktivist group noted for targeting OT controls in water and oil and gas systems. The group posted videos of the breach on Telegram.

Earlier this week, U.S. investigators said Russia was behind a data breach of PACER, the electronic filing system of the U.S. federal court system. It’s used by judges, lawyers, and others to file case and investigation documents, some of which, such as indictments, arrest warrants, and reports about ongoing criminal investigations, can hold personal and confidential information.

PACER has been a target of threat groups since at least 2020.

A Tense Geopolitical Moment

The accusations by Norway and the United States come just as President Trump was scheduled to meet with Russian President Vladimir Putin in Alaska today to discuss the war in Ukraine and other issues. Norway’s law enforcement and intelligence services said the country should expect to see more Russian operations.

“Russia’s full-scale invasion of Ukraine and the deteriorating relationship between Russia and the West continue to characterize the threat situation in Norway,” they wrote in the report earlier this year. “In addition to extensive, continuous intelligence and influence operations, there is an increased likelihood that Russian intelligence services will try to carry out sabotage operations in Norway.”

Mike Hamilton, field CISO for cybersecurity firm Lumifi Cyber, said attacks against the water sector are increasing and that it’s more of an issue of nation-states than cybercriminals.

“Iranian actors are known to specifically target the operational technologies like programmable logic controllers that are used to open and close valves, monitor filtration and chemical injection, etc.,” Hamilton said. “Russians are reported to have recently targeted a dam operation in Norway and are equally capable. More broadly, all critical sectors are under increasing threats – the Chinese are reported to have a foothold in infrastructure and are prepared to pull that trigger at the time of their choosing.”