(TLP:CLEAR) Threat Actors’ Breach of Norwegian Dam Cause Valve to Open at Full Capacity

Author: Chase Snow

Created: Thursday, June 26, 2025 - 15:38

Categories: Cybersecurity, OT-ICS Security, Security Preparedness

Summary: Open-source reporting has revealed that in April, unidentified threat actors compromised the systems of a Norwegian dam and opened its water valve to full capacity. The valve ran at full capacity for four hours before being detected. Energiteknik, a Norwegian news outlet, has mentioned that the attack didn’t put anyone in danger as it barely moved water output over the dam’s minimum water flow requirement. The water poured 497 liters per second over the minimum, though officials have said the riverbed could have handled up to 20,000 liters per second.

Analyst Note: While it’s unclear who the attackers are behind this incident, in recent years it has not been uncommon for threat actors to breach industrial systems and manipulate water levels or modify values at random. Especially during the current geopolitical climate, incidents such as these appear connected to larger international conflicts. As Risky Business News indicates “Pro-Palestinian hacktivists have repeatedly hacked Israeli water treatment facilities since 2020 and attempted to modify water chlorine levels unsuccessfully.”

Industrial systems connected to the internet are highly targeted during times of intense geopolitical tensions. Members are encouraged to ensure sensitive systems have minimal connection to the public internet as much as possible, especially as we continue to watch the conflict with Iran unfold.

WaterISAC is unaware of any additional information regarding this incident at this time.

Original Source: https://news.risky.biz/risky-bulletin-hackers-breach-norwegian-dam-open-valve-at-full-capacity/

Additional Reading:

Mitigation Recommendations:

Fundamental 2 | Minimize Control System Exposure | WaterISAC’s 12 Cybersecurity Fundamentals for Water and Wastewater Utilities

Related WaterISAC PIRs: 6, 7, 9, 12