Norsk Hydro cyber attack: What happened?

“Hydro subject to cyber-attack,” warned Oslo-headquartered Norsk Hydro ASA, one of the world’s biggest aluminum producers, on Tuesday.

Norsk Hydro cyber attack

“Hydro has isolated all plants and operations and is switching to manual operations and procedures as far as possible. Hydro’s main priority is to continue to ensure safe operations and limit operational and financial impact. The problem has not led to any safety-related incidents,” the company added.

In the most recent update on the situation, published an hour ago, the company shared that it “has succeeded in detecting the root cause of the problems and is currently working to validate the plan and process to restart the company’s IT systems in a safe and sound manner.”

Several of its plants suffered production challenges and temporary stoppage because of a lack of ability to connect to the production systems, but most operations are running, the company noted, “with some more manual operations than normal.”

According to the company’s CFO Eivind Kallevik, the “root of the problem” is ransomware and the Norwegian National Security Authority confirmed the ransomware in question is LockerGoga.

NorCERT sent out warnings to other Norwegian organizations, in which they shared that the the attack on Hydro was combined with an attack against its Active Directory (AD). “The hackers reportedly used both the ransom virus, blocking access to all information on a computer, while also attacking Hydro’s user- and log-in systems,” News in English reported.

The company’s plan is not to pay the ransom – Kallevik told Reuters they have good back-up systems and plans on how to restore the encrypted data.

Industry comments and insight

“All available information at present suggests the Norsk Hydro event used a type of malware incapable of spreading on its own. Instead, similar to the Ryuk events in 2018, the adversary needed to penetrate the network and establish an alternate means of seeding it with ransomware to deliver an impact. As best we can tell now, it appears the adversary likely compromised Active Directory at Norsk to use legitimate means to spread the ransomware widely and quickly. As a result, this event requires more adversary interaction and dedication than self-propagating worms such as WannaCry and NotPetya, and appears more targeted in nature. Finally, no samples of the ransomware indicate use or exploitation of vulnerabilities, so precise Windows versions and patching appears irrelevant in this case,” Joe Slowik, Principal Adversary Hunter at Dragos, told Help Net Security.

Adam Meyers, VP Intelligence at CrowdStrike, noted that the same ransomware was used against the French engineering company Altran.

“In that instance, Altran was forced to shut down their IT network because of the attack. While details of the Norsk Hydro incident are still developing, CrowdStrike Intelligence has been able to identify a new sample of the LockerGoga ransomware that was uploaded to a public malware repository in two ZIP files from an IP address based in Oslo, Norway,” he added.

Josh Mayfield, Director of Security Strategy at Absolute, says that the troublesome thing about LockerGoga is the simplicity of the processes it performs, where it looks, which kinds of data it seeks, and so on.

“LockerGoga is also relatively new, having been first confirmed in January 2019. The simplicity of its processes doesn’t trigger your typical anti-virus or anti-malware detectors. And because of its sudden advent, anti-virus and anti-malware vendors were slow to pick it up. In addition, the fact that 22% of devices meant to have anti-virus/anti-malware tools are, in fact, missing such tools,” he added.

Justin Warner, Director of Applied Threat Research at Gigamon, advised against drawing conclusions based on partial evidence and rushing to attribute activity or assume intentions in the early stages of disclosure.

“All too often, this type of activity simply results in larger confusion and unproductive conversation,” he told Help Net Security.

Piers Wilson, Head of Product Management at Huntsman Security, pointed out that the attack could potentially affect resource production in Norway, Qatar and Brazil – meaning the attackers have been able to cause maximum disruption on a global scale for, potentially relatively little effort.

“Large scale cyber-attacks have not been widely reported previously in Norway, additionally attacks on the manufacturing sector have been limited. This attack could certainly impact the onward supply chain,” noted Matt Middleton-Leal, Netwrix’s General Manager EMEA and APAC, and added that the impact of this attack may not be felt fully for some time to come.

“It is also worth pointing out that when an organisation has to revert to manual operations it typically means they have a breakdown in digital trust. If this is the case, as seen in several other high-profile ‘golden ticket’, type attacks the mean time for recovery could be very long as you are required to rebuild your entire IT backbone. However, at this stage this is entirely speculation,” he concluded.

Terry Ray, SVP and Imperva Fellow, pointed out that Hydro’s next steps will be critical in determining the extent of impact this attack has on the company’s databases, files and cloud applications.

“The company should focus primarily on identifying and quarantining impacted users, devices and systems so as to control the data breach proactively. Having a strategy that takes into account what happens when a cyberattack occurs, whether it’s ransomware or another method, is essential to resiliency, especially in industries where information is critical and downtime can have significant global impact,” he told Help Net Security.

“Attacks such as this one bring to light the importance of protecting your data. Organizations – no matter the size or industry – should have robust technology solutions in place that are able to sense ransomware file access and curb potential attacks before they take place, so access and downtime can be limited. Furthermore, all businesses should consider that most attacks are not targeted at a single business, but are instead crimes of opportunity and as such, can happen to anyone.”

Tim Mackey, Senior Technical Evangelist at Synopsys, noted that the fact that Hydro is shutting down operations at some of their plants implies those plants had control system access from the internet or from computers connected to the internet.

“Minimally, this attack provides a lesson in the value of both network segmentation and ensuring that threat models are created, assuming the threat comes from an internal source. With increasingly sophisticated attacks, organizations must assume attackers could compromise internal systems as easily as they might attempt to breach a firewall into a production system,” he added.

UPDATE: Thursday, March 21 – 11:22 AM PT

We added a comment from Joe Slowik and removed comments from Bugcrowd and CyberX since they were flagged as inaccurate.

Don't miss