One of the world’s biggest aluminium producers, Hydro, which employs more than 35,000 people in 40 countries, has switched to manual operations at its Norwegian smelting facilities following a cyber-attack. It is now confirmed that it has been hit by the LockerGoga ransomware variant and has had to shut down some of its plants as a result.
Hydro is currently under cyber-attack. Updates regarding the situation will be posted on Facebook: https://t.co/2S94rp3qll
— Norsk Hydro (@NorskHydroASA) March 19, 2019
Expert Comments Below:
Tim Mackey, Senior Technical Evangelist at Synopsys:
Piers Wilson, Head of Product Management at Huntsman Security:
“We now live in an era where traditional defences – firewalls, anti-virus etc. can’t provide full coverage when faced with determined or targeted attack: there is often no easy way to block every potential threat at the perimeter or in key IT server systems, and trying to do so will just result in teams becoming overwhelmed by the sheer volume of potential attacks. Businesses need to go beyond blocking attackers; and augment this with intelligent and rapid detection, containment and mitigation. This means having first class, automated threat and security intelligence capabilities that can manage the deluge of potential problems with intelligent analytics – sorting real threats from the background noise of systems and network operation, and freeing up security analysts to deal with the issues as effectively and efficiently as possible.”
Tom Kranz, Head of Cyber Lab at 6point6:
“Machines and devices across the Industrial Internet of Things (IIoT) network need to be treated in the same way as any other untrusted, insecure device; namely as a segregated network, with ingress and egress filtering and monitoring. There should be no direct access to the general Internet, and indirect access must use encryption with a high level of logging and monitoring to mitigate risks of cyber attack. As IIoT devices have such simple communications and data flows, configuring SIEM and TVM solutions to keep closer scrutiny on the IIoT segregated network and its data flows is also essential. Security must be front and centre, especially when it comes to inter-reliant industries and production lines.”
Andrea Carcano, Co-founder and CPO at Nozomi Networks:
“While these new digital processes can offer significant benefits to industrial organisations, they also provide new opportunities for attackers, as potential entry-points into networks.
As industrial organisations automate and digitise plant floors, the security of these new processes must be forethought to reduce the risks of potential attacks.”
Adam Vincent, CEO at ThreatConnect:
“Digital transformation is increasingly visible on the factory floor, and IP-connected robots are increasingly replacing manned and manual workflows. That means that the average facility now has countless more potential access points for cyberattacks – and a successful breach can halt production in its tracks for many hours, causing serious financial and reputational damage.
“Nevertheless, across the manufacturing sector, awareness of the cybersecurity challenge and the implementation of appropriate preventive measures are highly varied. Manufacturers need to ensure that their cybersecurity capabilities are not just an afterthought.
“We’re firm believers in an ‘all for one, one for all’ approach towards cyber security. We need to see an increase in intelligence-sharing between businesses so they can collectively combat the common cyber-enemy. It’s essential that potential targets understand as much as they can about the threats they face. The more you know, the better you’ll be able to respond to a new threat.
“With comprehensive information-sharing and process automation in place, manufacturers can rest assured that their valuable IP and production lines are still well defended.”
Spencer Young, RVP EMEA at Imperva:
“As is the case with any ransomware attack, there is no guarantee that if you pay the ransom your data will be recovered.
Planning ahead and being prepared for attacks will make organisations much more resilient and able to cope if the worst should ever happen. However, the reality is that the odds are in the attacker’s favour, and a lot of times – like this incident, they are successful in their intrusions.
Hydro’s next steps will be critical in determining the extent of impact this attack has on the company’s databases, files and cloud applications. The company should focus primarily on identifying and quarantining impacted users, devices and systems so as to control the data breach proactively.
Having a strategy that takes into account what happens when a cyberattack occurs, whether it’s ransomware or another method, is essential to resiliency, especially in industries where information is critical and downtime can have significant global impact.
Attacks such as this one bring to light the importance of protecting your data. Organisations – no matter the size or industry – should have robust technology solutions in place that are able to sense ransomware file access and curb potential attacks before they take place, so access and downtime can be limited.”
Chris Morales, Head of Security Analytics at Vectra:
“The important thing here is that breaches happen, and for manufacturing and energy who are large adopters of industrial internet of things, ransomware has become an unfortunate problem that can easily knock a manufacturing or energy plant offline. Norsk Hydro is not the first to suffer from a ransomware attack in the energy sector. Ideally it would be good to be able to detect and respond to attacks before they cause damage, but many companies simply are not in that state of capability yet.
From a response process, it is good that Norsk Hydro executive management immediately, within 24 hours, reached out to the public and have been open about their current state. Norsk Hydro had a backup plan to keep operating using manual processes. It is also fortunate that Norsk Hydro has backups of all their data to recover to their original state once they can recover from this attack.
Granted, when they recover is the biggest factor here. With an attack this widespread impacting the entire global network, they could be down for days.”
Tim Erlin, VP at Tripwire:
“After the last couple of years, no one should doubt that a cyberattack can directly impact your business. This is another reminder to spend the time and money on preparation and prevention. If you are an executive at any business, ask yourself what your organization would be doing right now if you were Hydro.”
Oussama El-Hilali, Chief Technology Officer at Arcserve:
Chris Doman, Security Researcher at AT&T Cybersecurity:
Nozomi Networks Labs’ Analysis of LockerGoga Ransomware:
Following the news, Nozomi Networks Labs has carried out an analysis of the LockerGoga ransomware, which explains how the malware works and how victims can tell they are infected.
What is LockerGoga?
LockerGoga is ransomware that encrypts files with any of the extensions listed below:
doc, dot, wbk, docx, dotx, docb, xlm, xlsx, xltx, xlsb, xlw, ppt, pot, pps, pptx, potx, ppsx, sldx, pdf
The extension types are an indicator that the main goal of the threat actor is to encrypt files containing data that is important to users. In fact, at the end of the encryption phase a file called README-NOW.txt is dropped inside the filesystem containing the following message:
- Greetings!
- There was a significant flaw in the security system of your company.
- You should be thankful that the flaw was exploited by serious people and not some rookies.
- They would have damaged all of your data by mistake or for fun.
- Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.
- Without our special decoder it is impossible to restore the data.
- Attempts to restore your data with third party software as Photorec, RannohDecryptor etc.
- will lead to irreversible destruction of your data.
- To confirm our honest intentions.
- Send us 2-3 different random files and you will get them decrypted.
- It can be from different computers on your network to be sure that our decoder decrypts everything.
- Sample files we unlock for free (files should not be related to any kind of backups).
- We exclusively have decryption software for your situation
- DO NOT RESET OR SHUTDOWN – files may be damaged.
- DO NOT RENAME the encrypted files.
- DO NOT MOVE the encrypted files.
- This may lead to the impossibility of recovery of the certain files.
- To get information on the price of the decoder contact us at:
- AbbsChevis@protonmail.com
- IjuqodiSunovib98@o2.pl
- The payment has to be made in Bitcoins.
- The final price depends on how fast you contact us.
- As soon as we receive the payment you will get the decryption tool and
- instructions on how to improve your systems security
The message states that in order to get the files back, the victim has to pay a ransom in Bitcoin.
How does it work?
The malware encrypts the files with the targeted extensions and soon after drops the ransom note into the filesystem, providing the user with the steps they must take to get the files back. It follows the classic approach seen in most ransomware.
The malware is not able to spread itself to other targets. It seems to implement some anti-analysis techniques to hide itself from analysts; for example, it seems to detect the presence of a virtual machine and has the capability to delete itself from the filesystem to avoid sample collection.
Considering that the attackers were not interested in adding custom and complex capabilities (C&C, DNS beaconing, etc.), we can assume the scope was merely disruptive and did not have an espionage intent.
Some researchers suggested (Nozomi Networks Labs has not confirmed this) that the attackers could have used Active Directory as a mechanism for spreading the malware. Possible scenario: an attacker who had already infected a targeted system registered in the Domain Admin group could have placed the malicious executable in the Netlogon directory, so that it was automatically propagated to every Domain Controller (many firewalls allow Active Directory traffic by default). NorCERT confirmed this.
How do you know if you’re infected with it?
The targeted files will be encrypted and the extension .locked will be appended to their filenames.
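A small triage script, added here as an example and not Nozomi Networks Labs' code, that turns the indicators above into a filesystem check: it walks a directory tree, flags the README-NOW.txt note and any file carrying the .locked suffix, and distinguishes locked files whose original extension is in the targeted list from other locked files. The sample directory it builds is constructed demo data.

```python
import os
import tempfile
from pathlib import Path

# Extensions the Nozomi analysis lists as LockerGoga's targets.
TARGET_EXTENSIONS = {
    "doc", "dot", "wbk", "docx", "dotx", "docb", "xlm", "xlsx", "xltx", "xlsb",
    "xlw", "ppt", "pot", "pps", "pptx", "potx", "ppsx", "sldx", "pdf",
}
RANSOM_NOTE = "README-NOW.txt"   # note dropped at the end of the encryption phase
LOCKED_SUFFIX = ".locked"        # appended to every encrypted file's name


def classify(name):
    """Label one filename as an indicator type, or return None if nothing stands out."""
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.lower().endswith(LOCKED_SUFFIX):
        original = name[:-len(LOCKED_SUFFIX)]          # name before ".locked" was added
        ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
        return "locked_target" if ext in TARGET_EXTENSIONS else "locked_other"
    return None


def scan_tree(root):
    """Walk root and group suspicious files by indicator type (paths relative to root)."""
    hits = {"ransom_note": [], "locked_target": [], "locked_other": []}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            label = classify(fn)
            if label:
                hits[label].append((Path(dirpath) / fn).relative_to(root).as_posix())
    for paths in hits.values():
        paths.sort()
    return hits


def likely_infected(hits):
    """A ransom note plus at least one .locked file of a targeted type is a strong signal."""
    return bool(hits["ransom_note"]) and bool(hits["locked_target"])


def build_sample_tree():
    """Constructed sample share mimicking the state after encryption (demo data only)."""
    root = tempfile.mkdtemp(prefix="lockergoga_demo_")
    for rel in ("finance/q1.xlsx.locked", "finance/notes.txt", "hr/policy.docx.locked",
                "hr/photo.jpg.locked", "README-NOW.txt"):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root
```

Run `scan_tree()` against the root of a file share and feed the result to `likely_infected()`; `build_sample_tree()` only exists to produce the constructed demo directory.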
Other notes
This particular incident (with Hydro) is a great lesson from an incident response perspective: they held a live stream with a briefing on the attack and are keeping everyone informed via their Facebook channel.
Please note: some of the technical information reported above has been extracted from Nozomi Networks Labs' preliminary analysis of the sample with the SHA256:
6e69548b1ae61d951452b65db15716a5ee2f9373be05011e897c61118c239a77
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.