Lørenskog kommune Data Breach

Alleged

Ransomware claim involving Lørenskog kommune.

Published: Jun 29, 2026
Threat Actor: CmdOrganization
Threat Level: High
Confidence: High

Quick Summary

Company: Lørenskog kommune
Industry: Business Services
Threat Actor: CmdOrganization
Date of Incident: Jun 29, 2026
Status: Alleged

Executive Summary

Lørenskog kommune, a public sector organization in Norway, was listed on the CmdOrganization ransomware group’s dark web portal on June 29, 2026. This listing was detected by SOCRadar’s Dark Web Monitoring service. Municipal authorities are frequent targets for ransomware groups due to the sensitive citizen data they handle and the critical services they provide. Notably, Lørenskog kommune stands out as one of CmdOrganization’s few victims located outside the United States and not in the healthcare sector. Over the 60 days preceding this listing, CmdOrganization claimed 27 other victims, predominantly in the United States, with a smaller number in the UK and India. The group’s focus has largely been on the healthcare sector, followed by business and consumer services. Lørenskog kommune represents an outlier from the group’s typical victim profile.

Technical Analysis

SOCRadar’s stealer-log telemetry revealed a significant exposure related to the lorenskog.kommune.no domain. Sampled data contained approximately eight entries linking municipal email accounts to the organization’s internal Active Directory Federation Services (ADFS) gateway and Microsoft cloud sign-in. Additional records showed these users on third-party services like Visma and NAV, alongside numerous consumer-style logins for public municipal portals. The overlap between internal SSO and external services suggests a potential compromise through a single employee workstation. The exposure window is recent, ranging from February to late June 2026, indicating active credential harvesting. The analysis suggests that infostealer-harvested credentials are a common initial access vector for ransomware groups like CmdOrganization. Threat actors often acquire these credentials from underground marketplaces, validate them, and use them to gain access to systems such as Microsoft 365, VPNs, or remote access portals before deploying ransomware. While this specific evidence does not definitively confirm CmdOrganization’s direct use of these credentials, the pattern of recent corporate logins via ADFS and Microsoft cloud identity, likely from an infected endpoint, aligns with the typical kill chain for such incidents. Recommended actions include forcing password resets for affected accounts, monitoring for anomalous ADFS and Microsoft Entra ID sign-ins, and isolating implicated endpoints.
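One defender-side way to act on the recommended monitoring above, as an added example (not SOCRadar's code): it correlates constructed stealer-log entries against constructed ADFS and Entra ID sign-in events, flags exposed accounts that sign in successfully from outside assumed corporate ranges after the capture time, and puts every exposed account on a forced-reset list. Hostnames ending in .invalid, the e-mail local parts and the address ranges are placeholders.

```python
"""Correlate infostealer-log exposures with ADFS / Entra ID sign-in events.
Added example with constructed data; .invalid hostnames are placeholders."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stealer-log entries: (email, URL the credential was captured for, capture time).
STEALER_LOG = [
    ("a.berg@lorenskog.kommune.no", "https://adfs.PLACEHOLDER.invalid/adfs/ls", "2026-02-14T09:12:00"),
    ("k.lund@lorenskog.kommune.no", "https://login.microsoftonline.com/", "2026-06-21T18:40:00"),
    ("m.dahl@lorenskog.kommune.no", "https://login.microsoftonline.com/", "2026-06-25T07:05:00"),
    ("k.lund@lorenskog.kommune.no", "https://portal.PLACEHOLDER.invalid/", "2026-06-21T18:41:00"),  # consumer portal, not SSO
]
# Constructed sign-in events: (user, time, source IP, application, result).
SIGNINS = [
    ("a.berg@lorenskog.kommune.no", "2026-02-10T08:00:00", "198.51.100.7", "ADFS", "success"),
    ("k.lund@lorenskog.kommune.no", "2026-06-22T02:13:00", "203.0.113.45", "Microsoft 365", "success"),
    ("m.dahl@lorenskog.kommune.no", "2026-06-26T10:00:00", "10.4.2.9", "ADFS", "success"),
    ("j.holm@lorenskog.kommune.no", "2026-06-26T10:00:00", "203.0.113.99", "Microsoft 365", "success"),
]
SSO_HOSTS = {"adfs.PLACEHOLDER.invalid", "login.microsoftonline.com"}  # assumed identity endpoints
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]  # assumed corporate egress ranges

def exposed_accounts(stealer_log=STEALER_LOG, sso_hosts=SSO_HOSTS):
    """Map each account whose SSO credential appears in a stealer log to its earliest capture time."""
    exposed = {}
    for email, url, captured in stealer_log:
        host = url.split("/")[2]
        if host in sso_hosts:
            ts = datetime.fromisoformat(captured)
            exposed[email] = min(ts, exposed.get(email, ts))
    return exposed

def suspicious_signins(signins=SIGNINS, exposed=None, corp_nets=CORP_NETS):
    """Successful sign-ins by an exposed account, after capture, from outside corporate ranges."""
    exposed = exposed_accounts() if exposed is None else exposed
    hits = []
    for user, when, ip, app, result in signins:
        if user not in exposed or result != "success":
            continue
        if datetime.fromisoformat(when) <= exposed[user]:
            continue  # predates the credential capture
        if any(ip_address(ip) in net for net in corp_nets):
            continue  # from a known corporate range
        hits.append((user, when, ip, app))
    return hits

def reset_list(exposed=None):
    """Accounts to force a password reset on, whether or not a sign-in was seen."""
    return sorted(exposed_accounts() if exposed is None else exposed)
```

Failed sign-ins from external addresses are deliberately not flagged here; a production version would count them as credential-validation attempts and alert on them as well.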
