Norsk Hydro suffers ransomware attack; switches to manual ops
19 March 2019
Norsk Hydro, one of the largest aluminium companies worldwide, today announced that it has suffered “an extensive cyber-attack” that forced it to switch to manual operations and take urgent steps to contain and neutralise it.
The aluminium and renewable energy company, which has operations in over 50 countries, said that the attack started late on Monday evening and that it is too early to describe the full extent of the damage caused.
“Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company’s business areas. IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible. Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation,” the company said in a statement.
Commenting on the announcement made by Norsk Hydro, Piers Wilson, Head of Product Management at Huntsman Security, said that the cyber attack could potentially affect resource production in Norway, Qatar and Brazil – meaning the attackers have been able to cause maximum disruption on a global scale for potentially relatively little effort.
Pete Banham, cyber resilience expert at Mimecast, said that since critical infrastructure operators are often at the top of attackers' target lists, minimising the effect cyber threats have across the whole organisation must be a priority, as a successful cyber attack can result in a damaged reputation, a fall in share price and financial loss.
“Organisations and governments must look to proactively analyse their business critical infrastructure for weaknesses and identify gaps for improvement. It is about adopting a cyber resiliency mindset that looks at new methods of prevention and a recovery plan that will help restore the business back to operation in the event of a successful attack,” he added.
Hackers used LockerGoga ransomware to lock Norsk Hydro’s IT systems
According to NorCERT (Norway’s National Cyber Security Centre), the extensive cyber attack was, in fact, a ransomware attack, as hackers have demanded a ransom from Norsk Hydro to unlock its IT systems. “NorCERT warns that Hydro is exposed to a LockerGoga attack. The attack was combined with an attack on Active Directory (AD). NorCERT asks for information about others affected by similar events. NorCERT assists Hydro and the incident is considered ongoing,” it said.
“NOR-CERT is publicly reporting the malware responsible is LockerGoga, which was recently in the news for an attack against an engineering firm. The description of the attack from NOR-CERT so far sounds like the attackers manually deployed the malware after gaining access to the networks. The take-down of a number of different geographic locations is reminiscent of the kind of damage seen in incidents like NotPetya,” said Chris Doman, security researcher at AT&T Cybersecurity.
“Given they are shutting down operations at some of their plants implies those plants had control system access from the internet or from computers connected to the internet. Minimally, this attack provides a lesson in the value of both network segmentation and ensuring that threat models are created, assuming the threat comes from an internal source,” said Tim Mackey, senior technical evangelist at Synopsys.
Most business areas impacted by the ransomware attack
As per Norsk Hydro’s latest post on Facebook, the company has isolated all plants and operations and is switching to manual operations and procedures as far as possible, even though the inability of the company to connect to the production systems is causing production challenges and temporary stoppage at several plants.
“The attack has impacted operations in several of the company’s business areas globally. IT systems in most business areas are impacted and Hydro is switching to manual operations where possible. Hydro’s power plants are running normally on isolated IT systems,” the company said.
“The attacks have not affected people safety. Hydro’s main priority now is to limit the effects of the attack and to ensure continued people safety. We have established dialogue with all relevant authorities. Hydro has established Facebook as our main external communication channel. We will give updates as soon as possible,” it added.
The cyber attack took place within hours of Norsk Hydro appointing Hilde Merete Aasheim as its new President and CEO, after former CEO Svein Richard Brandtzæg stepped down, having led the company for over ten years. Prior to being appointed as President & CEO, Aasheim served as executive vice president and head of the Primary Metal business area at Norsk Hydro.