The country’s National Security Authority confirmed that the attack involved the exploitation of CVE-2023-35078, a zero-day vulnerability impacting Ivanti’s Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core.
EPMM is a widely used mobile management software engine that enables IT teams to set policies for mobile devices, applications, and content.
Although the vulnerability has since been addressed, the identity of the attackers and the scope of the breach remain uncertain at this stage.
According to an advisory published on Monday by Ivanti for CVE-2023-35078, the flaw is an unauthenticated API access issue that can be exploited by remote threat actors “to potentially access users’ personally identifiable information and make limited changes to the server”.
The Minister of Local Government and Rural Affairs, Sigbjørn Gjelsvik, stated,
"We take this incident very seriously. DSS cooperates closely with the National Security Authority and the police. They have implemented a number of measures to deal with the attack, and we are following the situation closely."
DSS, in coordination with the National Security Authority (NSM) and other security environments, has launched a crisis team to manage the incident.
"We have uncovered an unprecedented vulnerability in the software of one of our suppliers. This vulnerability has been exploited by an unknown actor. We have now closed this vulnerability. It is too early to say anything about who is behind the attack and the extent of the attack. Our investigations and police investigations will provide more answers," said Erik Hope, director of the Ministries Security and Service Organization (DSS).
While the investigation is ongoing, Erik Hope, Director General of the DSS, assured that they have undertaken numerous security measures to protect the data contained on the ICT platform.
One result of these measures is that employees of the affected ministries currently lack access to DSS's shared services on mobile devices, including e-mail. Nevertheless, regular work continues on computers in the office or at home.
The incident has also been reported to the Norwegian Data Protection Authority. It is crucial to note that the DSS ICT platform services all ministries, with the exception of the Office of the Prime Minister, the Ministry of Defence, the Ministry of Justice and Public Security, and the Ministry of Foreign Affairs.
This incident brings to light the growing importance of cybersecurity measures within government structures and the potential risks associated with digital data management. The outcome of the ongoing investigation will hopefully shed more light on the nature of the attack and the measures necessary to prevent such incidents in the future.