Casting aluminium at Norsk Hydro

Norsk Hydro, one of the largest aluminium producers in the world, has been hit by a ransomware attack. The attack has forced the company to isolate all of its global businesses and shut down the IT systems of some of them. Staff are reverting to manual processes in order to keep working. Despite this, the company insists there are no safety concerns at the moment.

In a press conference on Tuesday, Eivind Kallevik, Chief Financial Officer, said: “Let me be clear, the situation for Hydro through this is quite severe. The entire worldwide network is down affecting our production as well as our office operations. We are working hard to contain and solve this situation and to ensure safety and security of our employees. Our main priority now is to ensure safe operations and limit the operational and financial impact.”

What happened and what is Norsk Hydro doing?

At midnight Norwegian time on Monday, the Norsk Hydro IT team spotted unusual activity on the network. An investigation identified a cyber attack and found ransomware on company servers and other computers. Norsk Hydro responded by shutting down infected systems and isolating its business units to stop the malware spreading. It believes the malware is contained and that the other sites are safe, for now.

Eivind Kallevik, Chief Financial Officer, Norsk Hydro

To keep the business running, Norsk Hydro went back to manual processes. Kallevik said the company was still using these just a few years ago, so there was enough knowledge and skill across the business to move quickly from automated to manual operation.

Norsk Hydro reported the incident to the Norwegian National Security Authority (NSM), which is providing technical assistance to help resolve it. The company has also brought in an external security firm to help with the recovery of its systems.

When asked in the press conference if the ransomware was LockerGoga, which recently hit French engineering company Altran, Kallevik said it was: “..one of the theories.” He also said that no ransom figure had been demanded and avoided questions as to whether the company would pay any ransom.

When asked how the company planned to deal with this, Kallevik said: “We have good backup solutions and good routines for that. That is the main target to get back to normal. Reinstall the data from the last backup. (The) Main strategy is to use the backup data.”

Norsk Hydro is also using its Facebook page as its main communication channel during the incident. It is a smart move: the page sits outside the compromised corporate network, so the company can post updates from any device and the attackers cannot take it down along with the internal systems.

What do we know about LockerGoga?

LockerGoga is a ransomware family that appears to have been unknown before the attack on Altran. There is no credible claim of responsibility or attribution to a group or individual. It appears to have two modes of operation. The first encrypts common work files, such as all Microsoft Office document types and PDFs. The second encrypts all files. Encrypted files have .LOCKED appended to the filename.

It also uses anti-analysis techniques to hinder detection and investigation. One is detecting when it is being run inside a virtual machine. Another is deleting itself after running, so that copies cannot easily be collected for analysis.

Kevin Beaumont

The naming of LockerGoga as the ransomware has prompted speculation about how the attack unfolded. Various commentators have suggested it replicated itself across the network. Not so, according to UK security researcher Kevin Beaumont. He has previously investigated LockerGoga and says: “..it does not self spread. It has to be deployed on systems (eg via Group Policy).”

A blog from the Nozomi Networks Labs team on Security Boulevard describes a possible attack scenario. This has apparently been confirmed by NorCERT.

  • The threat actors were able to compromise an account or system in the Domain Admins group of the target organisation
  • The malicious executable was placed in the Netlogon directory (part of the SYSVOL share) so that Active Directory replication propagated it automatically to every domain controller
  • Many firewalls allow Active Directory traffic through by default, so that replication is not blocked
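If the scenario above is right, the ransomware binary should be visible in the domain's SYSVOL/Netlogon tree on every domain controller it has replicated to. The following PowerShell script is an added example of the check an incident responder would run; it is not code from the article, from Nozomi Networks or from Norsk Hydro. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed and read access to SYSVOL; the seven-day lookback window and the list of executable extensions are assumptions to tune for your environment.

```powershell
# Added example (not from the article or Norsk Hydro): audit SYSVOL/Netlogon for
# recently dropped, unsigned executable content and show which domain controllers
# have already received it through replication.
# Assumes: RSAT ActiveDirectory module, read access to \\<domain>\SYSVOL.

Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$root    = "\\$domain\SYSVOL\$domain"          # contains Policies\ and scripts\ (scripts = NETLOGON share)
$execExt = @('.exe', '.dll', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.msi', '.scr')  # assumed list
$since   = (Get-Date).AddDays(-7)              # assumed lookback window

# Enumerate every executable-type file under SYSVOL with hash and signature status.
$findings = Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $execExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            LastWrite     = $_.LastWriteTime
            RecentlyAdded = $_.LastWriteTime -gt $since
            SizeKB        = [math]::Round($_.Length / 1KB, 1)
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signature     = $sig.Status
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# Unsigned files written inside the window are the first things to pull for analysis.
$suspect = @($findings | Where-Object { $_.RecentlyAdded -and $_.Signature -ne 'Valid' })

$findings | Sort-Object LastWrite -Descending |
    Format-Table Path, LastWrite, Signature, SHA256 -AutoSize

"{0} executable files under SYSVOL, {1} unsigned and written since {2}" -f @($findings).Count, $suspect.Count, $since

# For each suspect file, check every DC's own SYSVOL to see how far replication has carried it.
$dcs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
foreach ($s in $suspect) {
    $rel     = $s.Path.Substring("\\$domain\SYSVOL\".Length)
    $present = @($dcs | Where-Object { Test-Path -LiteralPath "\\$_\SYSVOL\$rel" })
    "{0}: present on {1}/{2} domain controllers" -f $s.Path, $present.Count, $dcs.Count
}
```

Run it from a clean, trusted host rather than a suspected-compromised one, and record the hashes before touching the files: the self-deletion behaviour described above means the copy in SYSVOL may be the only sample you get. Legitimate logon scripts in NETLOGON will also appear in the listing, which is why the recency and signature filters, not the file list itself, drive the triage.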

Norsk Hydro shows how to respond when under attack

It is all too common for organisations to start by denying an attack in order to buy time to assess the implications. Norsk Hydro threw that playbook out of the window. It is using its Facebook channel as the main communication channel with customers, media and interested parties. This means posting regular updates about what is happening and the impact of the attack.

It also created a live stream press event where Kallevik outlined the attack and what was being done. Also at the press event was a representative from the NSM although they looked less than comfortable.

With the exception of the question over paying the ransom, Kallevik looked composed and answered everything. Such a performance is rare when a cyber attack hits an organisation. The first 24 hours are often marked with silence or panic. Both result in misinformation and create more problems for the organisation.

The speed with which Norsk Hydro isolated its different businesses to stop any potential spread of the malware is impressive. It also acted quickly to bring in external support, including the NSM. All of this shows a willingness to get ahead of the problem and an effective incident response plan. For those organisations that haven’t practised their incident response plans, this is how to do it.

Enterprise Times: What does this mean?

Dealing with a major incident of this type often overwhelms organisations. IT and security teams end up firefighting rather than problem solving. Management and communications teams often disconnect and either go radio silent or say what they think people want to hear. In this sense, Norsk Hydro is the new exemplar of major cyber incident response.

What we now have to see is how the investigation plays out. Will the backups be sufficient to get the company back up and running? The company will also want to know how the attack started. Was it a compromised user account or an unpatched vulnerability? How did the attackers spread their code across the business? Was it through abuse of Group Policy and SYSVOL replication, as has been suggested?

The other big question is will this have a longer term impact on its business? Last year it saw a significant recovery in its share price and business. It will hope that this doesn’t cause a significant hit in that recovery. That said, by the end of the day, the share price recovered to be less than 2% down. This was no doubt down to the assurance from Kallevik that plants were operating and orders would be met.
