On Norsk Hydro Cyber Attack

By   ISBuzz Team
Writer , Information Security Buzz | Mar 20, 2019 03:15 am PST

One of the world’s biggest aluminium producers, Hydro which employs more than 35,000 people in 40 countries, has switched to manual operations at its Norwegian smelting facilities following a cyber-attack. It is now confirmed that it has been hit by the LockerGoga ransomware variant and had to shut down some of its plants as a result.


Experts Comments Below: 

Tim Mackey, Senior Technical Evangelist at Synopsys: 

I sincerely hope that Norsk Hydro details the attack methods and nature of the cyberattack they are experiencing. Given they are shutting down operations at some of their plants implies those plants had control system access from the internet or from computers connected to the internet. Minimally, this attack provides a lesson in the value of both network segmentation and ensuring that threat models are created, assuming the threat comes from an internal source. With increasingly sophisticated attacks, organizations must assume attackers could compromise internal systems as easily as they might attempt to breach a firewall into a production system.

Piers Wilson, Head of Product Management at Huntsman Security:

“The attack on Norsk Hydro highlights the risks faced by all parts of national critical infrastructure and major industry – from energy to manufacturing. The attack could potentially affect resource production in Norway, Qatar and Brazil – meaning the attackers have been able to cause maximum disruption on a global scale for, potentially relatively little effort. This is a stark reminder that it doesn’t matter what your line of business is, you are still reliant on IT systems and could still be on a hackers ‘hit list’.

“We now live in an era where traditional defences – firewalls, anti-virus etc. can’t provide full coverage when faced with determined or targeted attack: there is often no easy way to block every potential threat at the perimeter or in key IT server systems, and trying to do so will just result in teams becoming overwhelmed by the sheer volume of potential attacks. Businesses need to go beyond blocking attackers; and augment this with intelligent and rapid detection, containment and mitigation. This means having first class, automated threat and security intelligence capabilities that can manage the deluge of potential problems with intelligent analytics – sorting real threats from the background noise of systems and network operation, and freeing up security analysts to deal with the issues as effectively and efficiently as possible.”

Tom Kranz, Head of Cyber Lab at 6point6:  

Having switched to manual operations, it would appear at this stage to be an IoT attack that has gone for their control equipment. Yet while we often discuss IoT attacks in terms of botnets, the cyber attack on Norsk Hydro throws into sharp relief that we do not put enough focus on the supply chain disruption that can be caused. In this case, not just aluminium smelting, but the construction of actual components for wider industry has been shut down. With the global push towards “Just in Time” manufacturing and more efficient mass-production processes, an IoT attack of this scale against a single company has the potential to have a disruptive and harmful impact to multiple industries on a worldwide scale.

Machines and devices across the Industrial Internet of Things (IIoT) network need to be treated in the same way as any other untrusted, insecure device; namely as a segregated network, with ingress and egress filtering and monitoring. There should be no direct access to the general Internet, and indirect access must use encryption with a high level of logging and monitoring to mitigate risks of cyber attack. As IIoT devices have such simple communications and data flows, configuring SIEM and TVM solutions to keep closer scrutiny on the IIoT segregated network and it’s data flows is also essential. Security must be front and centre, especially when it comes to inter-reliant industries and production lines.

Andrea Carcano, Co-founder and CPO at Nozomi Networks:

“As industrial organisations continue to modernise infrastructure and introduce internet-enabled technology into plants to improve efficiencies, security requirements are changing and must be a top priority.

While these new digital processes can offer significant benefits to industrial organisations, they also provide new opportunities for attackers, as potential entry-points into networks.

As industrial organisations automate and digitise plant floors, the security of these new processes must be forethought to reduce the risks of potential attacks.”

Adam Vincent, CEO at ThreatConnect:

“This latest attack is proof that Britain’s manufacturing industry faces a serious challenge. Manufacturing is often targeted by both opportunist and targeted hackers, looking for an easy target or a specific set of intellectual property. In 2018, for example, it was reported that nearly half of UK manufacturers were hit by a cyber security incident.

“Digital transformation is increasingly visible on the factory floor, and IP-connected robots are increasingly replacing manned and manual workflows. That means that the average facility now has countless more potential access points for cyberattacks – and a successful breach can halt production in its tracks for many hours, causing serious financial and reputational damage.

“Nevertheless, across the manufacturing sector, awareness of the cybersecurity challenge and the implementation of appropriate preventive measures are highly varied.  Manufacturers need to ensure that their cybersecurity capabilities are not just an afterthought.

“We’re firm believers in an ‘all for one, one for all’ approach towards cyber security. We need to see an increase in intelligence-sharing between businesses so they can collectively combat the common cyber-enemy. It’s essential that potential targets understand as much as they can about the threats they face. The more you know, the better you’ll be able to respond to a new threat.

“With comprehensive information-sharing and process automation in place, manufacturers can rest assured that their valuable IP and production lines are still well defended.”

Spencer Young, RVP EMEA at Imperva:

“While the source of this attack has not been identified, local media in Norway have reported that the attack is likely due to a relatively new form of ransomware known as LockerGoga.

As is the case with any ransomware attack, there is no guarantee that if you pay the ransom your data will be recovered.

Planning ahead and being prepared for attacks will make organisations much more resilient and able to cope if the worst should ever happen. However, the reality is that the odds are in the attacker’s favour, and a lot of times – like this incident, they are successful in their intrusions.

Hydro’s next steps will be critical in determining the extent of impact this attack has on the company’s databases, files and cloud applications. The company should focus primarily on identifying and quarantining impacted users, devices and systems so as to control the data breach proactively.

Having a strategy that takes into account what happens when a cyberattack occurs, whether it’s ransomware or another method, is essential to resiliency, especially in industries where information is critical and downtime can have significant global impact.

Attacks such as this one bring to light the importance of protecting your data. Organisations – no matter the size or industry – should have robust technology solutions in place that are able to sense ransomware file access and curb potential attacks before they take place, so access and downtime can be limited.”

Chris Morales, Head of Security Analytics at Vectra:

“While the situation for Norsk Hydro is severe as the entire worldwide network is down, which means the attack was able to propagate internally very quickly, I do at least commend Norsk Hydro’s incident response process.

The important thing here is that breaches happen, and for manufacturing and energy who are large adopters of industrial internet of things, ransomware has become an unfortunate problem that can easily knock a manufacturing or energy plant offline. Norsk Hydro is not the first to suffer from a ransomware attack in the energy sector. Ideally it would be good to be able to detect and respond to attacks before they cause damage, but many companies simply are not in that state of capability yet.

From a response process, it is good that Norsk Hydro executive management immediately, within 24 hours, reached out to the public and have been open about their current state. Norsk Hydro had a backup plan to keep operating using manual processes. It is also fortunate that Norsk Hydro has backups of all their data to recover to their original state once they can recover from this attack.

Granted, when they recover is the biggest factor here. With an attack this widespread impacting the entire global network, they could be down for days.”

Tim Erlin, VP at Tripwire:  

“Right now, there’s a lot of missing information on this attack. The things we don’t know outweigh the things we do know, and that generally means there will be a lot of speculation. 

After the last couple of years, no one should doubt that a cyberattack can directly impact your business. This is another reminder to spend the time and money on preparation and prevention. If you are an executive at any business, ask yourself what your organization would be doing right now if you were Hydro.” 

Oussama El-Hilali, Chief Technology Officer at Arcserve: 

“Unfortunately, ransomware attacks like the one Norsk Hydro is currently enduring are still all too common. Since the manufacturing industry needs continuous access to data to keep operations running, they’re a prime target for hackers, as these organisations are more likely to pay a ransom to get back to business-as-usual. And while most organisations have made strides in stepping up their cybersecurity defenses, they can’t possibly stop every hacker from infiltrating their networks. That’s why it’s equally, if not more important, to make sure your data backup and recovery plans are just as solid as your threat identification protocols. Only time will tell if Hydro’s backups are solid enough to fully restore all their systems, but right now, its looks like their backup servers might be their saving grace.” 

Chris Doman, Security Researcher at AT&T Cybersecurity: 

“NOR-CERT is publicly reporting the malware responsible is LockerGaga, which was recently in the news for an attack against an Engineering firm. The description of the attack from NOR-CERT so far sounds like the attackers manually deployed the malware after gaining access to the networks. The take-down of a number of different geographic locations is reminiscent of the kind of damage seen in incidents like NotPetya.” .



Nozomi Networks Labs’ Analysis of LockerGoga Ransomware:

Following the news, Nozomi Networks Labs has carried out an analysis into the LockerGoga ransomware, which explains how the malware works and how victims can tell they are infected.

What is LockerGoga?  

LockerGoga is a ransomware able to encrypt files having any of the specific extension listed below: 

doc, dot, wbk, docx, dotxdocbxlm, xlsx, xltxxlsbxlw, ppt, pot, pps, pptx, potxppsxsldx, pdf 

The extension types are an indicator that the main goal of the threat actor is to encrypt files containing important data for the users. In fact, at the end of the encryption phrase a file called README-NOW.txt is dropped inside the filesystem containing the following message: 

  • Greetings! 
  • There was a significant flaw in the security system of your company. 
  • You should be thankful that the flaw was exploited by serious people and not some rookies. 
  • They would have damaged all of your data by mistake or for fun. 
  • Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. 
  • Without our special decoder it is impossible to restore the data.  
  • Attempts to restore your data with third party software as PhotorecRannohDecryptor etc. 
  • will lead to irreversible destruction of your data. 
  • To confirm our honest intentions. 
  • Send us 2-3 different random files and you will get them decrypted. 
  • It can be from different computers on your network to be sure that our decoder decrypts everything. 
  • Sample files we unlock for free (files should not be related to any kind of backups). 
  • We exclusively have decryption software for your situation 
  • DO NOT RESET OR SHUTDOWN – files may be damaged. 
  • DO NOT RENAME the encrypted files. 
  • DO NOT MOVE the encrypted files. 
  • This may lead to the impossibility of recovery of the certain files. 
  • To get information on the price of the decoder contact us at: 
  • AbbsChevis@protonmail.com 
  • IjuqodiSunovib98@o2.pl 
  • The payment has to be made in Bitcoins. 
  • The final price depends on how fast you contact us. 
  • As soon as we receive the payment you will get the decryption tool and 
  • instructions on how to improve your systems security 

The message states that in order to have the files back, the user is forced to pay a ransom using Bitcoin cryptocurrency. 

How does it Work? 

The malware encrypts the files with the targeted extension and soon after drop the ransom note inside the filesystem, providing the user with the steps  he/she must take in order to get the files back. It follows the classic approach present in most ransomware malware. 

The malware is not able to spread itself to other targets. It seems to implement some anti-analysis techniques in order to hide itself from analysts; for example, it seems to detect the presence of a Virtual Machine and have the capability to delete itself from the filesystem trying to avoid the sample collection. 

Considering the fact that the attackers were not interested in adding custom and complex capabilities (C&C, DNS beaconing, etc.) we can assume the scope was merely disruptive and did not have an espionage intent. 

Some researches suggested (Nozomi Networks Labs has not confirmed) that the attackers could have used Active Directory as a mechanism for spreading the malware: [possible scenario] an attacker that was already able to infect a targeted system registered in the Domain Admin Group could have placed the malicious executable in the Netlogon directory so that could be automatically propagated to every Domain Controller (lots of firewalls accept by default Active Directory) —NorCERT confirmed this. 

How do you know if you’re infected with it? 

The targeted files will be encrypted and the extension .locked will be appended at the end of the filenames. 

Other notes 

This particular incident (with Hydro) is a great lesson from an incident response prospective, they made a live stream with a brief on the attack and they’re keeping all informed using their Facebook channel  

Please note: Some of the technical info reported above has been extracted doing Nozomi Networks Labs preliminary analysis of the sample with the SHA256: 


Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Kyle Gaertner
Kyle Gaertner , Manager of Security and Compliance Operations
June 18, 2021 11:44 am

<p>An attacker can just as easily knock on the door. I recall an onsite social engineering I did during the middle of the pandemic where I posed as a fire extinguisher inspector. I looked the part with steel toe boots, blue jeans, a work shirt I had custom made that matched their vendor, and a clipboard. The location I visited would typically have close to 100 people during the workday, but due to the pandemic, they adopted a work from home policy and there were probably only five people when I visited. I rang the bell at the front door several times before an employee just popped the door open. I did not even have the chance to give him my cover story before he went back to his desk located near the rear of the office. He was more irritated that his work was interrupted than he was concerned of verifying a vendor he let into the building. Sometimes it is just that easy!</p><p><br /><br />Once an attacker has access to a location, there are plenty of options. They could do something as simple as steal equipment which may have sensitive information on it or do something more malicious that could allow persistent access to the network. For persistent access, they could locate a live network jack and connect a device that calls back to an attacker controlled IP. The attacker could then use this as their foothold within the network. An attacker could also connect a wireless device to the network and as long as they were within a reasonable distance, they could just connect over Wi-Fi. These are just two examples of devices being used but there are numerous other methods. An attacker could just clear the password for the local administrator if workstation hard drives are not encrypted. The attacker would then just log in to the host to begin an attack or load up a beacon that would connect back to their Command and Control (C2) server. This may sound unrealistic but on some of the engagements I have been on, entire floors were devoid of employees, and I was able to work at a relatively calm pace. Before the pandemic I was typically rushed and would have to locate an empty workspace before I could begin. Due to social distancing recommendations, you are typically given a wide berth with what few people are at a location. This also gives an attacker more time to rummage through desks to find sensitive information such as passwords or PII.</p><p><br /><br />These are only a handful of scenarios that could play out which is why it is important to remember security is about defense in depth. Small steps to increase your security posture will pay off over time and help prevent your organization from ending up in the news.</p>

Last edited 2 years ago by Kyle Gaertner

Recent Posts

Would love your thoughts, please comment.x