Norway’s state-owned investment fund Norfund has halted all payments after losing $10m in an “advanced data breach.”
Norfund is a private equity company established by the Norwegian Storting in 1997 and owned by the Norwegian Ministry of Foreign Affairs. The fund receives its investment capital from the state budget and is the largest sovereign wealth fund in the world.
On May 13, Norfund announced that it was “cooperating closely with the police and other relevant authorities” after “a series of events” allowed fraudsters to make off with $10m.
The fund said that a data breach allowed defrauders to access information concerning a loan of US$10m from Norfund to a microfinance institution in Cambodia.
Using a mixture of manipulated data and falsified information, the fraudsters managed to impersonate the borrowing institution and divert funds away from the genuine recipient and into their own pockets.
“The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content, and use of language. Documents and payment details were falsified,” said a Norfund spokesperson.
Funds were diverted to an account in Mexico under the same name as the Cambodian microfinance institution. The theft took place on March 16 but went undetected until April 30, when the scammers attempted to fraudulently obtain more money.
“This is a very unfortunate situation,” said Olaug Svara, chair of the board of directors. “We now have to get a full overview of the chain of events in order to get to the bottom of this.”
Norfund’s board has engaged PwC to undertake a full review of the company’s security systems and routines.
Norfund CEO Tellef Thorleifsson said: “The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this.”
Commenting on how the fraud might have been committed, Chris Hazelton, director of security solutions at Lookout, said: “There is no specific information on how this attack took place, nevertheless, how the threat actors were able to ‘manipulate the communication between Norfund and the intended recipient’ points to either BEC or phishing as a likely entry point for attackers.”