The Norsk Hydro cyber attack is about money, not war

Aluminium maker shows the importance of manual overrides as a way to cope when hackers cripple your systems
The headquarters of Norsk Hydro in Oslo, Norway. The company has been hit by a crippling ransomware attack that has forced it to switch some systems to manual operation (TERJE PEDERSEN/AFP/Getty Images)

At about midnight on Monday one of the world’s largest aluminium producers – with smelting plants, factories and offices in 40 countries – noticed irregularities in its systems. Hours later, Norway-based Norsk Hydro confirmed it was suffering production stoppages in Europe and the US as it battled a major ransomware attack, forcing the company to switch to manual operations while it attempted to contain the issue.

By Wednesday afternoon, relative calm had settled on the shoulders of Norsk Hydro’s top executives as the company continued the painstaking task of bringing some of its systems back online.

Eivind Kallevik, Hydro’s chief financial officer, said during a press conference that the firm, which has 35,000 employees globally, had “no fixed timeline” for when all of its systems would be up and running. But crucially, no ransom had been paid to the criminals behind the attack – likely because Norsk Hydro was able to begin immediately restoring software and company data from its recent backups. So what happened?

A police investigation in Norway is now underway, and – despite the company’s fairly candid statements in which it has confirmed that “good and strong cyber insurance is in place” – it cannot go into specifics about the attack.

However, cybersecurity experts have been watching developments closely, not least because of the type of business that was targeted. “Initially it looked really bad because of the industry these guys are in,” says Mikko Hypponen, the chief research officer at the Finnish cyber security firm F-Secure. Had disruption hit aluminium production, he adds, the metal could have solidified, causing operations to grind to a halt.

Norsk Hydro has said its bauxite and alumina production was running as normal despite the disruption from the ransomware attack. Other parts of its business, though, such as primary metal and rolled products, have been subjected to stoppages and a “limited operational impact” at a number of undisclosed plants, after its entire worldwide network went down.

“It is now quite clear that the worst scenario isn’t here,” says Hypponen. “It’s going to be expensive, it’s going to take some time, but it is not as bad as it initially looked.”

It has been widely speculated – although not confirmed by Norsk Hydro – that the ransomware used in the highly targeted attack was a relatively new and difficult-to-detect strain, dubbed LockerGoga, which criminals use to quickly encrypt computer files, before demanding payment to unlock them.

Robert Pritchard, a cybersecurity expert, says that LockerGoga does not self-propagate. It means somebody compromised Norsk Hydro's network, uploaded the ransomware, and then deployed it across its network. “This won’t go beyond the [company’s Microsoft Windows] Active Directory essentially because someone needs to use Group Policy to push it out. So it won’t propagate wildly, it is a bit more restrained than that,” he says.

The ransomware is different to the previous industrial cyberattacks such as WannaCry and Petya, explains Hypponen, because criminals are targeting company networks and synchronising encryption across their geographical regions. “There is no replication mechanism, this is not a worm, it is a targeted attack by the criminals,” he says.

The motivation appears to be straightforward. “There is no way to connect the dots to make this look like a governmental attack at all, it’s criminal, it’s about money,” he adds.

The malware, researchers say, was also used in an attack on the French engineering consultancy firm Altran Technologies earlier this year.

Hypponen believes that as the infection is thought to have originated in the US, the smelter has a strong case for an insurance claim given the apparently clear criminal intent. “It might end up being the most expensive cyber insurance payment to date,” he says.

Ransomware attacks are big business, says Pritchard, and “a super common thing that happens all the time.” Previously, they were mostly aimed at individuals but it now makes sense for criminal gangs to go after bigger fish.

“Even though Norsk Hydro got its industrial control systems running in manual mode, like everything when you take away all the automated processes you have been used to and all the back office functions, suddenly things are a lot slower to process,” says Pritchard.

The attack shows how just attacking a Windows infrastructure – which is pretty simple to do and lots of people have the skills to do – can cause a lot of disruption, he adds. “It’s not going to cost lives, it’s not going to crash aircraft and things can actually keep operating to some degree as normal, but it’s slower and costs money and takes time to resolve.”

This article was originally published by WIRED UK