DOCUMENTING HYBRID WARFARE / — incidents / UPDATED LATEST: 
Sabotage Watch SABOTAGEWATCHHybrid Threat Monitor
Cyber

Bremanger dam sabotage (Norway) – digital manipulation

07 April 2025 · Bremanger, Norway
Satellite Imagery © Esri

What happened

On 07 April 2025 unauthorized actors gained remote access to the control system of a water facility at the Risevatnet dam in Bremanger, Vestland, Norway. The intruders manipulated a valve, opening it to full capacity and releasing water for roughly four hours before the activity was noticed and stopped. According to Wikipedia, the discharge ran at around 500 litres per second, well below the dam's flood capacity of about 20,000 litres per second, so the manipulation caused no flooding, physical damage, or injuries.

Norwegian authorities were alerted in the days that followed, and the case was investigated by the criminal police (Kripos) together with the Police Security Service (PST). Investigators reported that the intrusion was enabled by a weak password on a web-accessible control interface, an exposure that let the attackers reach operational technology directly over the internet. A short video of the manipulation, watermarked with the name of a pro-Russian group, was reportedly posted to Telegram on the day of the attack.

The incident was disclosed publicly in spring and summer 2025. In August 2025, PST chief Beate Gangas linked the case to a broader pattern of hybrid activity, stating that the aim of such operations is to influence and to cause fear and chaos among the general population. As reported by newsinenglish.no, the Russian embassy in Oslo rejected the accusations as unfounded and politically motivated, saying no evidence had been provided.

Assessment

The intrusion and valve manipulation are well documented, and Norwegian officials publicly attribute the case to pro-Russian actors within the wider context of hybrid threats against NATO states. That attribution is assessed, not conclusively proven: authorities have not named a specific state-directed group, the technical vector was an exposed control system protected by a weak password, and a self-publicizing pro-Russian group claimed the act on Telegram. Treat the Russia link as a credible suspicion rather than an established fact, consistent with PST's framing of the episode as psychological and infrastructure-probing activity.

This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.