With threat levels on the rise due to geopolitical tensions and the increasing capabilities of threat actors, Telenor is in a constant state of readiness. For us this means maintaining a systematic approach to the threat landscape, while keeping a firm eye on all indicators of potential attack. Today’s threat landscape also requires us to have continuous focus on resilience building across all parts of the company and among our people. In this chapter, we examine the current Nordic threat picture as seen through the lens of Telenor’s security experts.

Staying on top of the rapidly evolving Nordic threat landscape

The telecommunications industry is considered an attractive target for threat actors, consistently ranked among the top three by intelligence agencies. This ranking underscores the industry’s strategic importance and the high stakes involved in safeguarding its networks. Companies in this domain have access to a substantial amount of sensitive data and can operate as digital gateways to other potential targets. On top of that, the industry’s attack surface is larger than in most other industries, and some telecommunications companies own, operate, and safeguard national critical infrastructure, which is essential for daily life.

Telenor is one of the largest Nordic providers of content, telecommunications, and data services. This makes Telenor an especially attractive target, both due to its symbolic value and broad customer base.

The threat landscape presented in this chapter takes a holistic view of Telenor’s security challenges. It considers the intentions of potential threat actors in relation to Telenor’s customers, including private customers, corporate customers, businesses, and national authorities. As such, this perspective recognises the importance of understanding the values of our customers, which Telenor takes part in protecting.


In Telenor, we systematically gather security information from a diverse range of sources and use it in our broad internal security network. This information includes assessments by national authorities in our operating regions, open-source reports from major security companies, and data from partners and commercial threat intelligence services. In addition, we leverage insights from our company-wide threat communities and their extensive networks. This comprehensive approach ensures we consistently build knowledge and awareness about current and emerging threats targeting both Telenor and the broader telecommunications industry.

The rapidly changing geopolitical landscape requires us to continually align our defences with the evolving threat landscape. This alignment enables us to implement the most effective security measures, ensuring the protection of both Telenor and society during uncertain times. Since Telenor owns and operates critical infrastructure across the Nordics, a serious security incident could have severe consequences for the entire region. Therefore, we place great emphasis on continuously assessing and updating our understanding of threats.

A worsening threat picture

The threat situation in the Nordics has undergone significant change in recent years, with increasing geopolitical tensions that will continue to affect the region. Managing this requires robust preparedness, up-to-date understanding of the situation, and well-prepared solutions.

The year 2024 is marked by a continued escalation in global uncertainty in the digital domain, with states actively employing cyber operations to advance national interests. The growth in geopolitical tensions, especially between the major powers, creates a complex and dynamic threat landscape. Attacks by state-sponsored actors, which were previously directed at specific strategic targets, are becoming increasingly diversified and extensive. With technological development also comes new opportunities for threat actors, as well as more areas to protect. Both state and non-state threat actors are rapidly adopting advanced technology to use to their advantage and are more targeted in their attempts to achieve their goals. The ability to quickly adapt to changes in the threat landscape is more important than ever.

European security during wartime

In Europe, the security situation is now more dangerous than it was a year ago. This is primarily due to Russia. Factors including whether Russia will increase its military build-up in the coming years, and the outcome of the war in Ukraine, will influence the security situation in the Nordics. This directly affects how we work with security in Telenor Nordics. The security of Telenor Nordics not only applies to our company and our customers, but it is also critical for the region’s ability to communicate in any situation. In times of conflict, such as now, it is critical that this is prioritised.

Building greater resilience among Nordic critical infrastructure

Telenor Nordics continues to upgrade its national infrastructure to withstand increased digital threats. Our efforts to secure both the private and public sectors play a critical role in this context. In line with the evolving threat landscape, co-operation in the Nordic defence and security sector is being strengthened, as well as in the private sector. The intention is to ensure robust communication networks and critical infrastructure adapted to the current situation. The heightened threat to critical infrastructure can affect Telenor both directly and indirectly. The dependencies in critical infrastructure are significant. Outages in Telenor will directly impact many other parts of the Nordics – while outages in other parts of critical infrastructure could affect our operations, such as in power and utilities. As a result, our resilience is more important than ever before.

New opportunities stem from stronger Nordic presence in NATO

Recent initiatives to bolster security and defence co-operation in the Northern Nordic region highlight the importance of a coordinated response to emerging threats. For instance, the enhanced co-operation between Norway, Sweden, and Finland, particularly following the latter two countries’ NATO membership, underscores a historic shift in Nordic security policy. This collaboration is crucial for protecting our infrastructure and ensuring that we are prepared to face any challenges that may arise. As part of this effort, both public and private sectors are working together to strengthen the resilience of our critical systems, ensuring the stability and security of our region in these uncertain times.

Finland exemplifies close co-operation between the public and private sectors in continuity management, resilience, and crisis management, a practice honed over decades and further developed in response to recent geopolitical changes. The importance of critical infrastructure has always been integral to overall security and continues to be developed with national authorities and critical service providers, including telecom operators.

Finland’s strong defence capabilities and investments, alongside Sweden’s accession to NATO, significantly enhance the Nordic security landscape, boosting collective defence and interoperability.

Both countries possess high levels of technological and scientific expertise, making them prime targets for corporate espionage. The Finnish Intelligence Service has highlighted corporate and public sector espionage as a major concern. Consequently, it is crucial for entities such as Telenor’s operation in Finland (DNA) to ensure the safety of their customers and services, fulfilling their social responsibility by continuously developing operations and services to secure societal functions in a rapidly changing world.

Changing the rules of the game: Hybrid warfare

The changes we are now seeing in Europe affect the security and the priorities that we set. The situation is more unpredictable, unstable, and dangerous than before. What many previously perceived as theoretical concepts such as “hybrid warfare” or “grey zone tactics” are now incorporated into security assessments. The conflict in Ukraine has demonstrated that hybrid warfare is not a new phenomenon but rather a pressing reality that necessitates our immediate attention and response.

Hybrid warfare combines conventional military force with irregular tactics, cyber operations, and disinformation to destabilize a target. This strategy includes guerrilla tactics, cyber-attacks, and spreading false information to create confusion and weaken the target without triggering a full-scale military response. The aim is often to achieve strategic goals while maintaining plausible deniability.

Grey zone activities are actions that exist between war and peace, such as economic pressure, cyber-attacks, and political manipulation. These tactics are designed to undermine a target’s stability and sovereignty without crossing the threshold that would justify a direct military response, making them difficult to counter.

Threat actors target broader scope of sectors

For our customers, the need for secure and reliable methods of communication is increasingly vital. Telenor Nordics has many customers within areas such as specialised technology, engineering, and science sectors, all of which are attractive targets for industrial espionage. This requires increased security, which is cause for concern, as these sectors typically do not have the same security culture as, for example, the defence industry. Addressing this requires strengthened infrastructure from Telenor to meet the new requirements of these companies.

In recent years, we have also observed not only societal changes that affect the prerequisites for the threat landscape, but also that the threat actors’ room to manoeuvre, risk appetite and capabilities are changing. This impacts how increased digitalisation and technological development are utilised, potentially amplifying risks and complicating security efforts.

The rise of adaptive and opportunistic cybercriminals

In Telenor, we observe an increase in resourceful, opportunistic threat actors in the digital domain who can quickly change their tactics and adjust their methods to tailor attacks against our company and our customers. Criminal actors with financial motives continue to exploit the opportunities that lie in societal changes and technological development. They increasingly customise their attacks on our company and our customers, and they employ new technological methods to streamline their attacks.

Increasing instability in supply chains

The increased geopolitical turbulence can also lead to supply chain disruptions, resulting in greater supplier complexity or requiring immediate replacement of subcontractors. This can lead to instability, thereby increasing associated security risks. The level of conflict is also increasing in the Middle East and parts of Asia. Regional conflicts can quickly affect security of supply. This can affect access to specialised technology, in the form of availability of goods on ongoing contracts in other parts of the world, and it can increase delivery times due to trade route disruptions and delays. A steady and resilient supply chain is becoming both more difficult, and more important, to maintain.

Disguising attacks as human error

Security-threatening incidents that are designed to appear as forgivable errors - for example, sabotage that is designed to look like a failure of equipment with an unknown cause - are expected to become more common in the future. This trend is increasingly seen in Europe, often related to critical infrastructure. Europe has in recent years experienced several suspicious incidents involving physical sabotage of critical infrastructure. This included the sabotage of communication cables in Germany in 2022, resulting in major train disruptions, and in France in 2024 when fibre optic cables were sabotaged in parts of the country, causing significant disruptions. These actions are often seen as warnings or retaliation against countries that support Ukraine. Infrastructure such as pipelines and subsea cables are particularly vulnerable to physical sabotage, and we have witnessed state actors that are willing to carry out such operations to destabilise the region and send political signals to the West.

No one is actually untouchable

In early 2024, Ukraine issued an ominous warning to the West: “No one is actually untouchable.” The head of the country’s cyber-security department revealed that Russian hackers brought down the country’s telecoms giant Kyivstar in December, causing more than 24.3 million customers to lose phone reception. The attack was attributed to Sandworm, a Russian military intelligence cyber warfare unit, which had been lurking in the system for several months undetected, Ukrainian officials said.

Sources: POLITICO (Timeline: Europe under cyber siege in 2024 & Ukraine says Russian hackers penetrated major telecoms network for months).

Outlier events indicate potential security threats

To identify hybrid threats, it is important to monitor activity outside the norm, especially in relation to frequency and consequence. This is particularly important in Telenor’s northern- and eastern-most regions.

We are also closely monitoring any changes in normal day-to-day operations. By benchmarking changes against what is typical, we can identify peculiarities and outliers that may indicate threatening changes in the security environment. Since many of our customers and suppliers are dispersed across the Nordics and play very important roles in critical functions, detecting these changes is key to ensuring the security and resilience of our operations.

Increased vulnerability in the Nordics

The Nordic region has become increasingly vulnerable with war in its vicinity and active support of Ukraine. The increased Nordic contribution, both financially and with ready-to-use equipment for Ukraine, has increased the threat profile for the region.

This has positioned us as a target for more severe and destructive cyber-attacks, both by nation-state hackers and by rogue groups that sympathise with Russia. The increased pressure has prompted Telenor Nordics to prioritise certain security efforts at an increased pace.

Further escalation of the security situation in Europe will likely increase the threat of destructive sabotage, whether physical or logical, that could directly or indirectly affect Telenor. We must address this uncertainty with robust systems, effective detection and a contingency mindset.

Military and political signalling are foreign policy means of pressure where the threat actor hints at their capabilities and carries out actions to imply an unspoken threat. This strategy is also used to create fear and uncertainty with the aim of influencing political decision-making and public opinion without having to use military means in such a way that it can trigger war. It is more likely that Telenor will be (directly or indirectly) affected by security incidents by state actors in the current situation than in earlier years. This is why we continuously emphasise Nordic co-operation and collaboration within security and operations.

Russia-linked cyber actors have increasingly carried out targeted attacks against European infrastructure since the war in Ukraine began. According to the EU-NATO Task Force on the Resilience of Critical Infrastructure, Russia has demonstrated that it sees critical infrastructure as a target through its actions in Ukraine. The Task Force also states that Russia is mapping critical infrastructure in the Euro-Atlantic as potential targets. The attacks that are focused on critical infrastructure and public institutions often have a stronger political dimension than before. When Distributed Denial of Service (DDoS) attacks are used, they are often executed by so-called “hacktivists”. Such coordinated DDoS attacks have also been seen in the Nordic countries, often associated with activity or political decisions that Russia opposes. Other targets have included companies that actively contribute to supporting Ukraine in the war.

The strategically important North and East

For Telenor, it is necessary to evaluate the different regions in the Nordics in terms of inherent geographical risk. Although we largely rely on the comprehensive and national backdrops presented by the Nordic intelligence and security services in their annual unclassified threat assessments, we also see a need to take a closer look at our most vulnerable regions: the High North and the Baltic Sea area.

For us in Telenor Nordics, it is extremely important to be observant of local conditions that can impact the services we provide. Given the current security situation and the authorities’ warning about which sectors of society are most at risk, we are especially focused on our customers in the High North and Baltic Sea areas. These regions are subject to different aspects of Russian interaction, requiring heightened vigilance.

Telenor Nordics has an active presence in Arctic regions. Operating a reliable service in the North is not only important for our customers, but an important part of Telenor’s social responsibility. In practice, we need to assess security, preparedness, and threat analysis - with a special focus on the northern regions of Norway (including Svalbard, Jan Mayen and Bjørnøya), Northern Sweden and Finland. The security situation here is more closely linked to events in Russia than in any other region in which we operate. This is a daily reality for our companies, and it’s also the feedback we receive in our dialogue with local authorities.

In Svalbard, Telenor is in a unique position as one of the largest, most important and longest-established companies. Telenor’s position and operations in Svalbard are likely of great interest to other countries that also have a presence here or wish to establish themselves in the region. Finland’s long border with Russia brings unique challenges for critical infrastructure. For example, Northern Lapland and Åland are subject to special risk management and threat assessments due to their geographical location. For all our northern regions, we consider that Telenor’s activity will be of greater interest to foreign states than before. This is likely to result in increased intelligence pressure – especially from Russian and Chinese actors.

The Arctic areas not only have climate conditions that require particularly robust services and follow-up, but they also have greater potential for sensing security policy tensions, which demands extra vigilance. At a time when infrastructure in Europe is under a higher threat level than before, with Russia, in particular, considered to pose a hybrid threat, we are closely examining our critical infrastructure and how it is linked to other critical infrastructure. The interdependencies between different parts of critical infrastructure require thorough preparedness.

Both Russia and (increasingly) China are important players in the High North. Their presence underscores the need for heightened security measures and continuous monitoring to protect our interests and maintain the integrity of our operations in this strategically significant region.

Climate change is causing the ice to melt faster, opening new sea routes. An increase in both military and civilian traffic in the High North enhances its strategic importance, especially for a country like Russia. An increased military presence from both allied states and Russia means that this area has the potential to become even more tense from a security perspective.

The Baltic Sea area is another area where Telenor operates, and where we pay close attention to the developing security situation, especially following the Russian invasion of Ukraine. This area has experienced several security incidents targeting transnational communications cables, as well as oil and gas pipelines. Subsea infrastructure, vital for communications between countries, is increasingly vulnerable to sabotage and other security threats.

While the geographical footprint of Denmark is relatively small, our easternmost borders in the Baltic Sea have been cause for caution since the Nord Stream 2 incident in 2022. There are several communications cables connecting Denmark, Sweden, and Germany that are at risk, highlighting the need for well-defined contingency plans.

The focus of Nordic governments and NATO on critical cables has increased, and special attention is now paid to the resilience of transnational cable connections connecting and expanding from the Nordics. This increased vigilance and collaborative effort aims to enhance the security and reliability of these vital communication connections.

The top 7 changes we see in cyber-security

1) Blurring the lines between state and non-state actors

The distinction between what is a state actor and what is a non-state actor is becoming less clear – as state actors use non-state actors to hide their association with malicious acts, and because methods are shared between them. This means that we can no longer confidently predict which methods will be used against us based on which players we believe are of interest to Telenor. Nevertheless, we can make several generalisations that are relevant to security thinking in the cyber domain. The threat actors that are active or may conceivably be active against companies such as Telenor may be interested in everything from creating disruptions to targeted intelligence gathering, including reconnaissance of networks for possible destructive attacks.

2) Rise of cybercrime for profit

We see an increase in attempts to defraud Telenor Nordics and our customers. This trend is closely tied to technological development. The development of digitalised threats has accelerated sharply, making cybercrime more prevalent and sophisticated. Technological progress and professionalisation of cybercrime have made it easier for threat actors to access and utilise advanced tools and techniques. Previously, attackers needed their own technological expertise to carry out attacks. Now, they can more readily buy this as services from professional criminals. This shift has significantly broadened the scope and impact of cyber threats.

3) Evolving ransomware threats

Ransomware continues to be a significant threat to all businesses. This development requires a strengthened response from businesses through advanced detection and recovery systems and strengthened internal (and possibly external) preparedness. These attacks are happening faster than ever, and the ability to detect, report, and deal with them is more important than ever. Previously, ransomware primarily involved encrypting networks to demand a ransom. Now we also see this combined with threats to sell the encrypted information. It is important to emphasise that paying a ransom does not guarantee the safe return of the information or the integrity of data. Therefore, businesses must prioritise robust security measures and incident response plans to mitigate these risks effectively.

4) Increase in social engineering attacks

As with many other forms of security threats, we are also seeing an increasing use of targeted attempts at social engineering to gain an initial foothold. We have less and less time to detect and respond to digital attacks, hence much of the preventive work lies in a good security culture in all parts of the company. At Telenor, this is something we work on actively every day to ensure that all employees are aware of and prepared for potential security threats. Social engineering has enabled threat actors in other parts of the world to acquire legitimate identification to log on to networks and carry out significant ransomware attacks. Such login is more difficult to detect, as it requires recognising abnormal behaviour or traffic in the network. Reliance on malware detection alone is no longer sufficient. Awareness campaigns and strong protection and verification of identity at login are particularly important. A compromised login method that grants access to networks can cause great damage.

5) The evolution of phishing and spearphishing

To gain access to a foreign network, we also see that threat actors continue to use phishing or spearphishing (targeted phishing). Phishing as a method is constantly evolving and will likely continue to be adjusted to bypass changing security recommendations. We are observing a variety of methods, with some of the latest including the use of QR codes in targeted email and using iMessage for attacks. Moreover, phishing attacks are increasingly incorporating elements like social media impersonation and deepfake technology to deceive targets more effectively. Attackers may create fake social media profiles to build trust before launching phishing attacks or use deepfake audio and video to impersonate trusted individuals. These developments make it even more crucial for organisations to not only focus on technological defences but also to foster a strong security culture where employees are vigilant and aware of these sophisticated tactics.

6) Threats to cloud infrastructure

As the adoption of cloud services continues to accelerate, cloud infrastructure has become an increasingly attractive target for threat actors. These adversaries often exploit “legitimate entrances” such as compromised credentials, misconfigured settings, or vulnerabilities within third-party applications to infiltrate and manoeuvre within cloud platforms. This makes it challenging to detect security breaches and underlines the need for strengthened network monitoring and response strategies specifically adapted to cloud technologies.

7) State actors and advanced techniques

To the extent possible, state actors and their proxies use the same methods as other actors to access (steal and/or encrypt) information or to make systems unavailable. State actors use advanced methods such as zero-day vulnerabilities, which are unknown software vulnerabilities that allow attackers to bypass existing security measures undetected. However, using zero-days carries the risk that these will be revealed and neutralised. For us, it matters less who is behind the attack. Whether it is a state actor or a rogue group, we must be able to handle it regardless.

A constant eye on the threat picture

Continuous prioritisation and updating of which threats are currently used in the cyber domain is important to have relevant protection.

Reducing reliance on outdated systems that no longer receive updates and ensuring rapid patching of vulnerabilities are essential strategies.

A reminder of this occurred in the summer of 2024, when a faulty software update from CrowdStrike led to a global IT outage. This incident affected over 8.5 million devices, grounded thousands of flights, disrupted hospital systems, and knocked banks and media outlets offline. The widespread chaos underscored how critical it is to keep systems updated and patched to mitigate such vulnerabilities and prevent significant disruptions.

A proactive approach helps mitigate risks and ensures that our security measures remain effective against evolving threats.

On the lookout for indicators of mapping

Indicators are the “tracks” we follow to come to the right conclusion in our security work. Assessing safety reports and analysing what they say about a situation is important. When we in Telenor detect indicators that someone is mapping our business, it is taken very seriously. Mapping activities can involve actions such as taking pictures of an installation or suspiciously contacting employees. The indicators can appear both in the digital and physical domains. Since mapping has no immediate harmful effect, there is a risk that it will be overlooked and downgraded in favour of more immediate needs. However, recognising and responding to these indicators is essential for maintaining security. Mapping is often among the first steps a threat actor takes before further action.

While mapping does not automatically mean a malicious act will be carried out, it can suggest that someone is planning or creating the impression that such actions are possible. Threat actors might engage in repeated mapping to gather information for potential future use, giving them the ability to strike when desired. Indicators of mapping, whether in the physical or digital domain, must be taken seriously. Mapping is done for a reason, and can provide valuable insight into how to manage security work. Although some mapping may be done to disturb or draw attention elsewhere, its occurrence indicates potential interest from a threat actor. Given the current security situation, it is important to take mapping indicators very seriously.

Raising awareness among employees, customers, and suppliers is important in order to receive reports of “suspicious incidents” and to be able to identify whether mapping is in progress.

Preparedness has never been more critical than right now

Protection of critical infrastructure will always be essential for a society to function optimally, as is preparedness for situations in which society is under pressure. This helps businesses become more resilient to complex threats.

Contingency planning is an absolute necessity in today’s environment where hybrid threats are high on the agenda. This is not only something that companies should do, but also something that all employees should think through.

Reflect on these questions: Do you know what to do if your company is exposed to a ransomware attack tomorrow?

Do you know what to do if critical services go down? Where do you meet up? What is your role?

At Telenor, we are constantly working on these issues to ensure that the communication solutions we deliver will be available and reliable over time. We are also looking at how we will operate if those who provide services to us are no longer able to do so.

As an operator of critical infrastructure and provider of services critical to society, we see our business continuity as an imperative. By maintaining a robust approach to both infrastructure protection and individual preparedness, we aim to ensure that our organisation, customers, and society at large can withstand and quickly recover from any disruptions or threats.
