The Norway state investment fund recently disclosed a loss of $10 million to a professional BEC operation that impersonated an individual authorized to wire large sums of money. This attack was highly sophisticated and did almost everything right, according to Norfund CEO Tellef Thorleifsson.
Norfund is the Norwegian investment fund for developing countries. Using money from the Norwegian state budget, it finances economic growth projects in areas that struggle with poverty. The attackers spent a great deal of time studying Norfund operations prior to launching the attack.
There were several elements to this crime, and many of the details are still under investigation. Here are the basics:
Network infection: The initial entry into the network occurred several months prior to the theft. Norfund has referred to this as “an advanced data breach” but has not disclosed how the attackers entered the network. One of the most common ways to infiltrate a network is through a phishing attack that captures the credentials of an authorized user or installs malware on the network.
Reconnaissance: Thieves spent several months exploring Norfund, gathering information about employees, customers, procedures, security, and anything else they found to be of interest. It was during this step that the attackers learned details of Norfund loans and loan recipients, and this is what made the wire-transfer fraud so successful. The criminals had detailed knowledge of Norfund financial operations and loan recipients, which allowed them to fabricate realistic documents and authentic-sounding messages between multiple parties.
Domain impersonation and conversation hijacking: The attackers created a Norfund email address to impersonate an individual authorized to wire money through the bank that Norfund uses to disburse funds. It is unclear, or undisclosed, when this email address was created, or whether this was the only Norfund employee the criminals impersonated by email. This step appears to be a classic employee impersonation attack rather than an account takeover.
While some details remain unclear, we know that email was used for two crucial steps:
Transfer of funds: The attackers used the email to initiate a $10 million transfer that had been legitimately authorized by Norfund to be sent to a microfinance institution in Cambodia. Once the transfer was underway, the funds were diverted to an account controlled by the criminals.
Delay of discovery: The attackers sent an email to the Cambodian company advising them that the funds would be delayed due to circumstances surrounding the pandemic. This changed the recipient's expectation of when the money would arrive, so the missing payment was not questioned.
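As an added illustration, not part of the original post or of Norfund's investigation, the following Python checks an inbound message for the signs described in the steps above: a lookalike sender domain, a known employee's display name on a foreign address, a mismatched Reply-To, and language that changes payment details or timing. The organisation, staff names and messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed placeholders: the protected organisation and its wire-authorised staff.
OUR_DOMAIN = "example.org"
PROTECTED_NAMES = {"Alex Treasurer": "alex.treasurer@example.org"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def normalise(domain):
    # Collapse common homoglyph substitutions before comparing domains.
    return domain.lower().replace("rn", "m").replace("1", "l").replace("0", "o")

def is_lookalike(domain):
    if domain == OUR_DOMAIN:
        return False
    if normalise(domain) == OUR_DOMAIN:
        return True
    return SequenceMatcher(None, domain, OUR_DOMAIN).ratio() >= 0.85

def analyse(raw):
    """Return the list of BEC indicators found in one RFC 2822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    findings = []
    sender_domain = domain_of(addr)
    if is_lookalike(sender_domain):
        findings.append("lookalike-domain")
    if name in PROTECTED_NAMES and addr.lower() != PROTECTED_NAMES[name]:
        findings.append("display-name-impersonation")
    if reply and domain_of(reply) != sender_domain:
        findings.append("reply-to-mismatch")
    body = msg.get_payload()
    if re.search(r"\b(new|updated|changed) (bank|account|wire|beneficiary)\b|\bdelay(ed)?\b", body, re.I):
        findings.append("payment-change-language")
    return findings

# Constructed sample messages.
LEGIT = "From: Alex Treasurer <alex.treasurer@example.org>\nTo: finance@example.org\n\nPlease confirm receipt.\n"
LOOKALIKE = "From: Alex Treasurer <alex.treasurer@examp1e.org>\nTo: finance@example.org\n\nPlease use the updated bank account for the transfer.\n"
REPLYTO = "From: Alex Treasurer <alex.treasurer@example.org>\nReply-To: a.treasurer@webmail.example\nTo: partner@example.net\n\nThe transfer will be delayed because of the pandemic.\n"
```

Run against the three samples, the legitimate message yields no findings, the lookalike message yields three, and the hijacked-conversation message flags the foreign Reply-To and the delay language.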
According to CEO Tellef Thorleifsson, the attack was “wonderfully done.”
“The fact that the defrauders were able to manipulate the communication between Norfund and the intended recipient was a major contributing factor in delaying detection.” (Norfund statement)
What happened to the $10 million?
On March 16 the wire transfer was initiated, and the funds were diverted to a bank in Mexico. Bank accounts used in these types of schemes may belong to the attackers themselves or may be rented from unrelated criminals who maintain accounts all over the world and lend them out in exchange for a percentage of the stolen money. The fraud went undetected until April 30, when the attackers attempted a second attack that was caught and prevented by internal security.
Norfund's internal security team is working with local police and the Norway Ministry of Foreign Affairs to identify the criminals and find the money. They have also hired a consulting firm to review internal security and processes. There do not appear to be any updates on the investigation at this time.
While we don’t have all of the details of the Norfund attack, we know that data breaches are often the result of a successful spear-phishing or malware attack. Norfund refers to manipulated communications as a ‘major contributing factor’ in the success of the scam.
Barracuda Total Email Protection Bundle provides multiple layers of defense against spam, malware, and spear phishing. The bundle also includes user awareness training and Barracuda Forensics and Incident Response (FIR). Get an entire suite of protection that can stop network intrusion, identify communication abnormalities, and help you track down infections and quickly clean your network. Learn more at our website and try it free for 30 days.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.