Aluminum producer Norsk Hydro hit by LockerGoga ransomware

Norsk Hydro, a high-profile organization, had to switch to manual operations after LockerGoga ransomware infected its IT infrastructure

Norsk Hydro is dealing with a serious LockerGoga ransomware attack: several plants are operating manually, others are shut down completely

Norsk Hydro, one of the largest aluminum producers, suffered a cyber attack that crippled its internal network infrastructure, as stated in a brief message on the Oslo Stock Exchange website.[1] The company reached out to investors early on Tuesday morning, right after the infection was detected by IT staff in the late hours of Monday evening. The industry giant had to resort to manual operations at multiple plants and even stop some production entirely as a precautionary measure.

Initial reports did not mention what type of cyberthreat the organization was dealing with, although the information was later updated, and it turned out the culprit was LockerGoga ransomware[2] – file locking malware that locks 19 document file types and asks for a ransom payment in Bitcoin for the decryption service. The threat first made headlines in January 2019, when it affected France-based engineering and research company Altran Technologies.

Norsk Hydro is one of the largest aluminum manufacturers worldwide, manufacturing more than half a million tons of the element yearly and employing over 35,000 workers in 40 countries. The manufacturer also specializes in hydropower and solar power technologies, and stepped into the oil and gas business in 2007.

NorCERT, the local cybersecurity authority unit in Norway, claimed that the event was isolated and that no other organizations were suffering from a similar attack at the time.

According to Norsk Hydro, the situation is “quite severe”

Norsk Hydro said in a Facebook post that the attack “impacted operations in several of the company's business areas globally” and the “IT systems in most business areas are impacted and Hydro is switching to manual operations where possible.” Nevertheless, the organization also noted that the power plants were running normally and people's safety was not affected in any way.

In response to the attack, Norsk Hydro immediately contacted the Norwegian National Security Authority (NSM) and external cybersecurity parties in order to deal with the situation. Additionally, employees were notified by notes posted at the entrance of the headquarters, which stated that they should not use their computers to log in to the company's networks.

According to statements made by the company on Tuesday afternoon in an 18-minute press conference,[3] the situation is “quite severe”:

Let me be clear! The situation for Hydro through this is quite severe. The entire worldwide network is down, affecting our production and our office operations. There is a lack of ability to connect to production systems, causing some production challenges and temporary stoppages at several plants

While the company now focuses on restoring its systems from backups, the impact of the LockerGoga ransomware infection is not yet clear, as the investigation is still in its early stages:[4]

Hydro still does not have the full overview of the timeline toward normal operations, and it is still (too) early to estimate the exact operational and financial impact

Nevertheless, due to the attack, aluminum prices went up to a three-month record high, and the company's stock price went down by 3.4% and is now slowly recovering.[5]

Ransomware is becoming a huge problem for high-profile organizations

Initially, ransomware authors mainly focused on regular users, encrypting their personal files and demanding ransom payments in Bitcoin or another cryptocurrency. While this model can be successful, most of the prolific threats of this kind have moved to “Big game hunting”: malware authors are now focusing on large-scale organizations instead, asking more substantial sums for the decryption tool. The best examples of such practices are KeyPass, Ryuk, SamSam and, most recently, GandCrab.

The question still remains: how can these big organizations fail to protect their systems from these attacks? Ransomware infections can result in millions in damages, compromised corporate or client information, a fall in stock price, a decline in reputation, etc.

While companies do employ cybersecurity measures and invest in them, this does not seem to be enough, because breaches keep happening. Organizations need to focus not only on improving their infrastructure but also on educating staff and using extra security measures, such as data encryption or two-factor authentication logins within internal networks.

Tim Mackey, Senior Technical Evangelist at security firm Synopsys, expressed concern about the cyber attack at Norsk Hydro:[6]

Minimally, this attack provides a lesson in the value of both network segmentation and ensuring that threat models are created, assuming the threat comes from an internal source. With increasingly sophisticated attacks, organizations must assume attackers could compromise internal systems as easily as they might attempt to breach a firewall into a production system

About the author
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has long experience working in the malware and technology fields.
