Hackers stole $10 million from Norway’s state investment fund, Norfund, in a business email compromise (BEC) attack.
Norfund is a private equity company established by the Norwegian Storting (parliament) in 1997 and owned by the Norwegian Ministry of Foreign Affairs. The fund receives its investment capital from the state budget.
The fraudsters compromised the Norfund email system and monitored communications between the employees of the fund and their partners for months.
Once identified the employee that responsible for money transfers. the attackers created a Norfund email address to impersonate an individual authorized to transfer large sums of money through the bank Norfund.
In a classic BEC scheme, hackers replaced the payment information provided to the partners to hijack the transfer to an account under their control in a bank in Mexico.
“Through an advance data breach, the defrauders were able to access information concerning a loan of USD 10 million (approx. 100 million NOK) from Norfund to a microfinance institution in Cambodia.” reads a notice published by Norfund.
“The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified”
Norfund was not able to block the fraudulent wire transfer because the attackers managed to delay of its discovery.
The BEC attack took place on March 16, but it was discovered more than a month later, on April 30 when the fraudsters attempted to carry out a new fraud, that was detected and blocked.
To delay the discovery of the scam, the attacker sent an email to the Cambodian beneficiary informing it of a delay due to the current Coronavirus lockdown in Norway.
“This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation, through active use of digital channels are vulnerable. The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this” said company CEO, Tellef Thorleifsson.
(SecurityAffairs – BEC, hacking)