Norsk Hydro cyber attack: What’s new?

Norwegian aluminum producer Norsk Hydro ASA was hit by ransomware-wielding attackers early this week.


The company lost no time in responding to the attack: it notified the authorities, called in outside experts to help, and (very laudably) committed to keeping the public informed.

In the latest official update on the situation, the company shared that:

  • With the help of experts from Microsoft and other IT security partners, they are working on restoring virus-infected systems to a pre-infection state and on systematically bringing business-critical IT-based functions back online.
  • There have been no reported safety incidents as a result of the cyber attack, and most operations are running either as normal or close to it, with the exception of Extruded Solutions, which is currently running at approximately 50 percent of normal capacity. “Progress has been made, with restart of some plants as well as utilizing stock to keep delivering to customers,” they reassured.
  • Norway’s National Criminal Investigation Service (Kripos) has opened an investigation.
  • They still don’t know how long it might take to restore stable IT operations.

The company has yet to name the ransomware that hit them, but the Norwegian National Security Authority says it’s LockerGoga. How destructive it is depends on the version.

“All available information at present suggests the Norsk Hydro event used a type of malware incapable of spreading on its own. Instead, similar to the Ryuk events in 2018, the adversary needed to penetrate the network and establish an alternate means of seeding it with ransomware to deliver an impact,” Joe Slowik, Principal Adversary Hunter at Dragos, told Help Net Security.

“As best we can tell now, it appears the adversary likely compromised Active Directory at Norsk to use legitimate means to spread the ransomware widely and quickly. As a result, this event requires more adversary interaction and dedication than self-propagating worms such as WannaCry and NotPetya, and appears more targeted in nature. Finally, no samples of the ransomware indicate use or exploitation of vulnerabilities, so precise Windows versions and patching appears irrelevant in this case.”

The company confirmed that no ransom has been paid to the attackers and that they have cyber insurance.

“Hydro is involved in all parts of the aluminum manufacturing process, from refining to manufacturing of products used in construction and industry,” says Brandon Workentin, an ICS security engineer with Forescout.

“Hydro has been forced to switch to manual operations at many sites although some locations, such as their hydroelectric dams, have been able to continue to function, as they were apparently not connected to the main corporate networks which were affected by the ransomware attack. Hydro said that aluminum plants in South America and the Middle East were not affected by the ransomware attack.”

“[There are] lessons which other companies can take from an event like this,” he added. “A ransomware attack such as LockerGoga is traditionally an IT event. The people who run industrial control systems have not traditionally needed to address these types of IT problems. However, as plants become more interconnected, IT and ICS can no longer be looked at as two separate domains.”