View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
March 19, 2019updated 20 Mar 2019 3:08pm

Norsk Hydro Ransomware Attack: What We Know

Company forced to resort to Facebook for updates

By CBR Staff Writer

A ransomware attack has crippled IT systems at Norsk Hydro, the world’s third-largest aluminium supplier. The incident has forced the Norwegian company, which employs some 35,000 staff globally, to halt production at several plants and revert to Facebook to keep customers updated.

There is “no indication” of impact on primary plants outside Norway, Norsk said however and the company has managed to keep the majority of production going by switching back to manual processes. Norwegian security officials say the attack involved the LockerGoga ransomware.

In a stock market statement the company said: “Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company’s business areas.”

Read this:  5 Things to Do Before Ransomware Strikes

“IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible. Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

In manufacturing, 86 percent of cyber attacks are targeted, according to a report by F-Secure earlier this year; Norsk is likely to have been singled out as vulnerable.

Security experts with an Operational Technology (OT) focus have long warned that industrial enterprises are typically dangerously insecure amid a proliferation of legacy devices and protocols, “undiscovered” devices sitting on networks (sometimes brought in by contractors) and stretched security teams struggling with the challenge of coordinating security patches from a multitude of different OEMs.

Norsk said energy production is running as normal meanwhile (the company is also a major energy producer), as are bauxite and aluminium production.

Primary metal production is running as normal with a “higher degree of manual operations”, as are remelters, it said.

Read this: Industrial Network Switches Rife with Vulnerabilities

Extruded Solutions and Rolled Products are unable to connect to production systems “causing production challenges and temporary stoppage at several plants.”

“Hydro is working to contain and neutralize the attack but does not yet know the full extent of the situation” it said, adding: “It is too early to indicate the operational and financial impact, as well as timing to resolve the situation.”

Critically, it may never know how the breach first occurred.

As a report [pdf] by industrial cybersecurity specialist Dragos noted early this year: “In 2017, Dragos reported the original infection vector to ICS [Industrial Control System] attacks remained unknown; in 2018, this is still the case.”

“One primary challenge for IR [incident response] on industrial networks is performing root cause analysis (RCA), partially because a common vector into the ICS network is through the associated business or IT networks.”

“An external adversary may not have knowledge about the network topology and must discover or create an access method to the ICS segments. Finding this pivot point can take time, so the adversary may exist in the IT network for several weeks or months prior to pivoting into the OT network.”

The company added: “RCA in these instances requires larger data retention and resources for investigation. RCA faces several additional challenges, as network traffic logging in ICS networks is generally not verbose, and visibility to lateral movement can be insufficient. Unfortunately, internal politics and team organization can also delay investigative efforts.”

Pete Banham, cyber resilience expert at Mimecast said in an emailed statement: “Attackers are increasingly more sophisticated, so defence-only strategies are often doomed to fail. Organisations and governments must look to proactively analyse their business critical infrastructure for weaknesses and identify gaps for improvement.”

“It is about adopting a cyber resiliency mindset that looks at new methods of prevention and a recovery plan that will help restore the business back to operation in the event of a successful attack.”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.