Norsk Hydro estimates $40m loss so far, but the company’s cyber incident response was praised by experts.

In the early hours of March 19th 2019, giant aluminium producer Norsk Hydro confirmed it had been hit by a cyber attack. “The company was forced to isolate all plants across the U.S. and Europe to stop the spread of the malware”, said Hydro in a statement issued from its headquarters in Oslo as soon as the incident had been identified, in accordance with the disclosure requirements of the Norwegian Securities Trading Act.

“The company is working to contain and neutralise the attack, but does not yet know the full extent of the situation,” said the company’s CFO and leader of the corporate emergency team, Eivind Kallevik, who added that Hydro is now “dependent on extraordinary measures to run many of our operations.” These ‘extraordinary measures’ include switching the company’s giant smelters in Norway to manual procedures, with additional staff drafted in to carry out manual work like that “used in the past,” explained Kallevik.

Although Hydro did not provide technical details of the attack, the Norwegian National Security Authority (NSM) identified the ransomware as LockerGoga – malicious software that encrypts 19 common file types (including those with extensions such as .doc, .dot, .docx, .xlm, .ppt, .pps, and .pdf) and appends the extension .locked to each encrypted file, according to Nozomi Networks.

After the encryption phase, LockerGoga allegedly dropped a file called README-NOW.txt inside Hydro’s filesystem informing recipients that only hackers who made the malware can decrypt their data. “You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. We exclusively have decryption software for your situation,” reads the message, adding that a payment in Bitcoin is expected in exchange for the decryption and that “the final price depends on how fast you contact us.”
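The two artifacts the article attributes to LockerGoga, files renamed with a .locked extension and a dropped README-NOW.txt note, are exactly what an incident responder would sweep a file share for when scoping an outbreak. The script below is an added example (not code from the article, Hydro, NSM or Nozomi Networks) that walks a directory tree, counts both artifacts, and groups encrypted files by their original extension so the team can see which document types were hit and which directories received a ransom note. The function names, the sample directory tree and its file names are this example's own constructed assumptions; the target extension list contains only the seven extensions the article names, not the full set of 19.

```python
"""Triage scanner for LockerGoga-style encryption artifacts (added example).

Looks for the two indicators described in the article: files whose name ends
in ".locked" and ransom notes named "README-NOW.txt". The sample tree built by
build_sample_tree() is constructed for offline demonstration and is not real data.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_SUFFIX = ".locked"          # extension appended to encrypted files (from the article)
RANSOM_NOTE = "README-NOW.txt"     # note dropped after encryption (from the article)
# Extensions the article names as LockerGoga targets; the article says 19 in total
# but lists only these seven, so the list is deliberately incomplete.
KNOWN_TARGETS = {".doc", ".dot", ".docx", ".xlm", ".ppt", ".pps", ".pdf"}


def scan_tree(root):
    """Walk `root` and summarise encryption artifacts found beneath it."""
    root = Path(root)
    locked, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.endswith(LOCKED_SUFFIX):
                locked.append(path)

    # Strip ".locked" to recover the original file name, then take its extension.
    by_ext = Counter(
        Path(p.name[: -len(LOCKED_SUFFIX)]).suffix.lower() for p in locked
    )
    return {
        "locked_files": len(locked),
        "ransom_notes": len(notes),
        "by_original_ext": dict(by_ext),
        # How many encrypted files had an extension the article lists as targeted.
        "known_target_hits": sum(c for ext, c in by_ext.items() if ext in KNOWN_TARGETS),
        # Directories that received a note, relative to the scan root.
        "dirs_with_notes": sorted({str(p.parent.relative_to(root)) for p in notes}),
    }


def build_sample_tree():
    """Create a constructed sample tree in a temp dir (hypothetical data, not real)."""
    root = Path(tempfile.mkdtemp(prefix="lockergoga_demo_"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    sample_files = [
        "finance/q1.docx.locked",     # targeted type, encrypted
        "finance/budget.xlsx.locked", # encrypted, extension not in the article's list
        "finance/README-NOW.txt",     # ransom note
        "hr/handbook.pdf.locked",     # targeted type, encrypted
        "hr/photo.png",               # untouched file
        "hr/README-NOW.txt",          # ransom note
        "notes.txt",                  # untouched file at the root
    ]
    for rel in sample_files:
        (root / rel).write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for key, value in scan_tree(demo_root).items():
        print(f"{key}: {value}")
```

Running the script against a real share would replace `build_sample_tree()` with the mount point under investigation; the per-extension counts give a quick read on which business data was affected, and the note locations show how far the encryption spread, which is the information Hydro needed to decide between cleaning systems and restoring from backup.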

Kallevik declared that Hydro didn’t intend to pay the ransom. Instead, their plan is to return to normal operations by cleaning the systems and restoring their data from backups.

A week after the attack, Hydro has entered its recovery phase with most operations running at normal capacity, many locations continuing to use manual operations, and general production at 70-80%, according to the company’s latest update. However, the Building Systems business unit operations remain behind, producing at around 20% capacity.

Norsk Hydro also stated that it is premature to give any precise overview of the monetary loss the attack has caused at this point. However, based on a high-level evaluation, Hydro estimates the financial impact for the first full week following the attack to be around NOK 300-350 million ($35-41 million).

Norsk Hydro’s response and efforts to keep employees, authorities and press informed about the incident and its recovery process have been praised by cyber security and data experts.

Bob Rudis, Chief Data Scientist at Rapid7 said Hydro should be commended for how quickly their status update pages were set up and for their willingness to provide incremental information on the nature and scope of the attack. He also noted that the ability to move to manual operations and resort to a full backup “is an indication that the internal planning and obvious partnership between business process owners and those in charge of information technology and information security is at a very high maturity level.”

Justin Warner, Director of Applied Threat Research at network monitoring vendor Gigamon said that “transparency and engagement are always appreciated because, fundamentally, we see a lot of the same threats and activity. Sharing and engaging the public can help prevent activity like this from having a similar large-scale impact in the future.”

Because the incident is still under police investigation, Hydro hasn’t been able to disclose any further information to the press, but has so far been posting daily updates on their website.


Written by Paula Magal for CS4CA Europe – the annual platform for critical infrastructure security leaders to collaborate in strengthening the cyber security of their IT and OT environments. Subscribe to our free newsletters to stay up to date about 2019’s summit (London, 1st-2nd October 2019) and for more relevant cyber security content.