June 4, 2025
April 7, 2026

The Bremanger Dam Attack: A Hack That Wasn’t Supposed to Happen in 2025

One year ago today, April 7, 2025, pro-Russian hackers took remote control of the Risevatnet dam in Bremanger, western Norway. They opened a floodgate and let 500 liters of water per second pour out for four straight hours. That’s roughly 7.2 million liters, or enough to fill three Olympic-sized swimming pools. No one was hurt. No homes flooded. But the message was crystal clear: “We can reach out and touch your critical infrastructure whenever we want.”

Norwegian authorities initially treated it like a malfunction. By August 2025, the Police Security Service (PST) formally attributed it to Russia and called it exactly what it was: a demonstration of hybrid warfare designed to sow fear and prove capability.

Here’s what actually happened, straight from the investigation: the attackers never needed zero-days, ransomware, or nation-state malware. They logged into a publicly accessible web-based Human-Machine Interface (HMI) controller using a weak (possibly default) password. From there, they had full command of the valve. Four hours later, operators noticed and shut it down.

The Anatomy of the Hack: Low Tech, High Stakes

The attackers didn't need a million-dollar malware suite. They used a weapon that’s been around since the dawn of the internet: a weak password.

The Discovery: The dam’s Human-Machine Interface (HMI) was directly connected to the public internet. It was sitting there, exposed, like a front door with a neon "Open" sign.

The Entry: Using basic credential harvesting, the attackers guessed the password. There was no MFA. No biometric check. Just a simple string of characters standing between a hacktivist and a floodgate.

The Payload: They didn't steal data. They didn't encrypt files. They simply clicked "Open." For four hours, the sluice gate stayed at 100% capacity.

The hackers were so proud of how easy it was that they posted a video of the HMI control panel to Telegram, watermarked with their logo. It was a digital middle finger to the entire concept of "Industrial Cybersecurity."

This wasn’t sophisticated. It was troubling.

At BlastWave, we track these incidents obsessively because our entire mission is to make exactly this kind of attack hopeless. That’s why we built Hackopedia, our living library of 23+ real-world OT and critical-infrastructure breaches that actually caused (or came dangerously close to causing) physical disruption. Bremanger is now officially in the collection, and it’s one of the cleanest case studies we’ve ever seen of “death by basic hygiene failure.”

If you haven’t checked Hackopedia yet (it’s free at hackopedia.blastwave.com), do it. Every entry includes the exact kill chain, the root cause, and (most importantly!) the prevention architecture that would have stopped it in its tracks.

How This Attack Could (and Should) Have Been Prevented

  1. Stop exposing OT HMIs to the internet.
    Period. Full stop. The HMI was reachable from anywhere because someone thought “it’s just a monitoring panel” or “we need remote access for maintenance.” Hackopedia shows this pattern again and again. Our BlastShield platform creates an invisible overlay that makes those systems unreachable from the public internet while still allowing authorized users to connect securely. No VPNs. No exposed ports. Just gone.
  2. Kill passwords with Zero Trust Secure Remote Access.
    Weak or default credentials are the #1 entry point in more than half the cases we document. BlastWave’s passwordless industrial MFA (built specifically for OT environments) makes credential theft irrelevant. Even if an attacker has the password, they still can’t log in. We call it “Secure by Design and Screwed by Default.”
  3. Segment and monitor like your physical safety depends on it (because it does!).
    Once inside the HMI, the attackers had free rein of the OT network (even if they didn’t take advantage of it). Proper IEC 62443-style zoning and conduits, combined with continuous behavioral monitoring, would have flagged the valve command as anomalous within seconds. Our customers see those alerts in real time and can auto-quarantine before anything moves.
  4. Treat legacy OT like the high-value asset it is.
    Most dams, water plants, and factories still run 15- to 30-year-old controllers. You can’t patch them easily, but you *can* wrap them in a zero-trust fabric that doesn’t require rip-and-replace. That’s literally what BlastShield was engineered to do.
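
The behavioral monitoring described in item 3, sketched as an added example (not BlastWave's code and not part of the original post): three rules run over an HMI audit log and would have raised alerts minutes into the event instead of four hours later. The log format, event names, trusted subnet and thresholds are assumptions, and the log lines are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed control-room subnet
MAX_OPEN = timedelta(minutes=30)  # assumed longest normal high-opening period
HIGH_PCT = 50                     # assumed threshold for a "high" gate opening
FLOW_LPS = 500                    # discharge rate reported for the incident (L/s)

# Constructed sample audit log (hypothetical format): time, source, user, event, value
SAMPLE_LOG = """\
2030-01-15T07:58:10 10.20.0.15 operator1 LOGIN_OK -
2030-01-15T08:01:44 10.20.0.15 operator1 GATE_SETPOINT 10
2030-01-15T08:20:02 10.20.0.15 operator1 GATE_SETPOINT 0
2030-01-15T13:02:31 203.0.113.77 admin LOGIN_FAIL -
2030-01-15T13:02:39 203.0.113.77 admin LOGIN_OK -
2030-01-15T13:03:05 203.0.113.77 admin GATE_SETPOINT 100
2030-01-15T17:03:05 10.20.0.15 operator1 GATE_SETPOINT 0
"""

def trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def sustained(opened_at, until):
    """Alert stamped at the moment a live monitor would have fired."""
    held = until - opened_at
    if held <= MAX_OPEN:
        return []
    litres = int(held.total_seconds() * FLOW_LPS)
    return [(opened_at + MAX_OPEN, "sustained_open", f"held {held}, ~{litres} L")]

def detect(log_text):
    """Return (time, rule, detail) alerts for one audit log."""
    alerts, opened_at, ts = [], None, None
    for line in log_text.strip().splitlines():
        stamp, src, user, event, value = line.split()
        ts = datetime.fromisoformat(stamp)
        if event == "LOGIN_OK" and not trusted(src):
            alerts.append((ts, "external_login", f"{user} from {src}"))
        if event != "GATE_SETPOINT":
            continue
        pct = int(value)
        if not trusted(src):
            alerts.append((ts, "external_gate_command", f"{pct}% from {src}"))
        if pct >= HIGH_PCT:
            opened_at = opened_at or ts      # start of the high-opening period
        elif opened_at is not None:
            alerts += sustained(opened_at, ts)
            opened_at = None
    if opened_at is not None:                # gate still open at end of log
        alerts += sustained(opened_at, ts)
    return alerts
```

On the constructed log, the external login alert fires before the gate setpoint changes, and the sustained-opening alert fires 30 minutes into a release that otherwise runs for four hours.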

The Bremanger attackers didn’t break encryption or defeat advanced defenses. They walked through an open door that never should have existed. And that’s the part that keeps me up at night, because the same open doors exist in thousands of facilities right now, in the U.S., Europe, and beyond.

We built Hackopedia not to scare people, but to give operators and CISOs a single place to see the pattern and the fix. Every incident ends the same way in our analysis: the breach was preventable with basic, mature controls applied consistently.

If you run critical infrastructure (water, energy, manufacturing, transportation), do yourself and your community a favor. Go to hackopedia.blastwave.com, pull up the Bremanger entry, and ask one question: “Are we any different?”

The answer should never be “yes” again.

We’re here when you’re ready to make the next attack impossible. Drop us a note or book a 30-minute demo. The tools exist. The only question left is whether we’ll use them before the next demonstration.

Register for our webinar on April 15th, where we will add another challenge for OT CISOs to consider, namely how AI is being used in indirect ways to target your OT network: https://www.blastwave.com/webinar/ai-in-the-ot-battlefield
