One of the world’s largest aluminum producers, Norsk Hydro, continues to restore operations but is not yet back to normal after it was hit by a ransomware cyber attack.
After the Monday attack, the company had to shut several plants that transform aluminum ingots into components for car makers, builders and other industries, while its smelters in Norway were largely operating on a manual basis.
“Hydro still does not have the full overview of the timeline toward normal operations, and it is still (too) early to estimate the exact operational and financial impact,” the company said in a statement.
But Hydro said its technical team, with external support, had identified the root cause of the problems and was working to restart the company’s IT systems.
“Progress has been made, with the expectation to restart certain systems during Wednesday, which would allow for continued deliveries to customers,” Hydro said of its Extruded Solutions unit as well as of Rolled Products.
The two divisions are key to the company’s downstream operations, supplying components to a range of industries as well as metal sheets used for packaging, transport and construction.
The Norwegian National Security Authority (NSM), the state agency in charge of cybersecurity, said the attack used malware known as LockerGoga, a relatively new strain of ransomware that encrypts computer files and demands payment to unlock them.
“LockerGoga is a new ransomware variant that appears to be targeting European companies,” said Tyler Moffitt, security analyst at Webroot. “So far, the notable victims have been Altran in France on Jan. 25 and Norsk Hydro in Norway in the past 24 hours. The encryption process used by LockerGoga is slow because it creates a new process each time it encrypts a new file and also exhibits no detection evasion techniques, showing a lack of sophistication. LockerGoga was signed using a valid digital certificate which has since been revoked.”
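The one-process-per-file behaviour Moffitt describes is noisy in endpoint telemetry, and because the binary carried a valid signature at the time, signature-based allowlisting would not have helped; a behavioural rule is the practical check. The script below is an added example, not code from the article or from any vendor quoted in it: it scans constructed Sysmon-style process-creation events and flags a parent that spawns a burst of children of the same image, each with a different command line (a different file argument). The image names, paths, PIDs and command lines are hypothetical and are not LockerGoga’s actual artifacts; a build tool that forks a compiler per source file is included as the benign case the rate and distinct-argument conditions are meant to separate out.

```python
"""Behavioural detection for 'fork one worker per encrypted file' ransomware.

Added example. The log lines are constructed in build_sample_log(); the
process names, paths and command lines are hypothetical, not real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts, ppid, parent_image, pid, image, cmdline):
    # Build one constructed Sysmon-like process-creation event (EventID 1) as a JSON line.
    return json.dumps({
        "EventID": 1,
        "UtcTime": ts.isoformat(),
        "ParentProcessId": ppid,
        "ParentImage": parent_image,
        "ProcessId": pid,
        "Image": image,
        "CommandLine": cmdline,
    })


def build_sample_log():
    """Constructed sample: one encryptor-like parent plus two kinds of benign noise."""
    t0 = datetime(2019, 3, 19, 1, 0, 0)
    lines = []
    # Hypothetical encryptor: 40 children in 4 seconds, each handed a different file.
    for i in range(40):
        lines.append(_event(t0 + timedelta(milliseconds=100 * i), 4242,
                            r"C:\Users\Public\encryptor.exe", 5000 + i,
                            r"C:\Users\Public\encryptor.exe",
                            rf"encryptor.exe -f C:\Shares\Finance\report{i}.xlsx"))
    # Benign: a build tool also forks a compiler per source file, but only one every 5 s.
    for i in range(12):
        lines.append(_event(t0 + timedelta(seconds=5 * i), 777,
                            r"C:\BuildTools\make.exe", 6000 + i,
                            r"C:\BuildTools\cl.exe", rf"cl.exe /c src\file{i}.c"))
    # Benign: a service relaunching the same helper rapidly with an identical command line.
    for i in range(30):
        lines.append(_event(t0 + timedelta(milliseconds=50 * i), 900,
                            r"C:\Windows\System32\svchost.exe", 7000 + i,
                            r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe qe System"))
    return lines


def parse_events(lines):
    """Parse JSON lines, keeping only process-creation events."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("EventID") != 1:
            continue
        events.append({
            "ts": datetime.fromisoformat(rec["UtcTime"]),
            "ppid": rec["ParentProcessId"],
            "parent_image": rec["ParentImage"],
            "image": rec["Image"],
            "cmdline": rec["CommandLine"],
        })
    return events


def find_fork_per_file(events, window=timedelta(seconds=10), threshold=20):
    """Flag (parent pid, child image) pairs with >= threshold distinct command
    lines inside a sliding time window: many workers, one per file, in a burst.
    Identical command lines (a restart loop) and slow forking (a build) do not trip it."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["ppid"], e["image"])].append(e)

    alerts = []
    for (ppid, image), children in groups.items():
        children.sort(key=lambda e: e["ts"])
        start = 0
        for end, child in enumerate(children):
            # Slide the window start forward until it covers at most `window` seconds.
            while child["ts"] - children[start]["ts"] > window:
                start += 1
            span = children[start:end + 1]
            distinct = {c["cmdline"] for c in span}
            if len(distinct) >= threshold:
                alerts.append({
                    "ppid": ppid,
                    "parent_image": span[0]["parent_image"],
                    "image": image,
                    "spawns_in_window": len(span),
                    "distinct_cmdlines": len(distinct),
                    "first_spawn": span[0]["ts"].isoformat(),
                })
                break  # one alert per (parent, image) group is enough
    return alerts


if __name__ == "__main__":
    for alert in find_fork_per_file(parse_events(build_sample_log())):
        print(json.dumps(alert, indent=2))
```

On the constructed sample only the hypothetical encryptor parent (PID 4242) is flagged; the compiler-per-file build stays under the rate threshold and the service restart loop has a single command line. Thresholds are assumptions to tune per environment, and a real deployment would key on the actual process-creation source (Sysmon, EDR) rather than the JSON shape used here.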
“LockerGoga may be a relatively new strain of ransomware, but its behaviors are similar to others we’ve seen in the wild,” said Casey Ellis, CTO and founder of Bugcrowd. “LockerGoga uses network vulnerabilities to spread through ICS shops still running mostly on Windows XP and Windows 7. Because of their dependence on legacy operating systems and configurations, ICS/OT systems are especially vulnerable to this type of attack and should take more preventative measures to protect themselves. It will be interesting to hear if this was a targeted attack, or if Norsk Hydro was simply caught up in the proliferation of ransomware across the Internet. The fact that they closed so many geographically separate operations suggests that the malware spread rapidly once it was inside their networks. Thankfully, Hydro has cyber insurance and data backups or else this might have been a very expensive mess to clean up.”
Hydro said Tuesday it did not plan to pay the hackers to restore files and would instead seek to restore its systems from backup servers.
“Manufacturing companies are an obvious target for ransomware because downtime is measured in millions of dollars per day — so as you might expect, CEOs are eager to pay,” said Phil Neray, vice president of Industrial Cybersecurity at CyberX, a Boston-based IIoT & ICS security firm. “Plus the security of industrial networks has been neglected for years, so malware spreads quickly from infected employee computers in a single office to manufacturing plants in all other countries. These attacks are especially serious for metal or chemical manufacturers because of the risk of serious safety and environmental incidents, and the bottom-line impact from spoilage of in-process materials and clean-up costs.”
There were no signs of similar attacks on other Norwegian companies or public institutions, according to NorCERT, a unit of the NSM handling cyber attacks.
“It’s an isolated event,” NorCERT head Haakon Bergsjoe said in a Reuters report.
The attack began in the United States on Monday evening and escalated into Tuesday, hitting IT systems across most of the company’s activities and forcing staff to issue updates via social media.
The company also posted notes at the entrance to its headquarters, instructing employees not to log their computers onto its networks.