View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Norsk Hydro Attack Contained, New Website Live, Samples Analysed

"The malware is not able to spread itself to other targets"

By CBR Staff Writer

Two days after first announcing a crippling cyber attack, major metals producer Norsk Hydro has launched a new website, says it has succeeded in “detecting the root cause” of the problems and is currently working to restart the company’s IT systems.

The majority of production systems continue to work, albeit using manual overrides. More heavily digitalised production systems, for example for its extruded (uniquely shaped) products remain subject to production challenges and temporary stoppage at several plants, Norsk said; it is clear things could have been much worse.

“I’m pleased to see that we are making progress, and I’m impressed to see how colleagues worldwide are working around the clock with dedication to resolve this demanding situation and ensure safe and sound operations,” CFO Eivind Kallevik said.

“I would also like to complement our external technical partners who have done an important job in supporting our efforts, and also relevant authorities, who handle the issue with the diligence it deserves,” Kallevik says.

Hydro still does not have the full overview of the timeline towards normal operations, and it is still to early to estimate the exact operational and financial impact, it added. (The company, which is the world’s third largest aluminium supplier, generated £48 million in revenues in Q4.)

Norsk Hydro Update: Ransomware not ICS-Specific

norsk hydro update

Nozomi Network Labs, which has conducted analysis on the LockerGoga ransomware used in the attack, said: “The malware is not able to spread itself to other targets. Considering the fact that the attackers were not interested in adding custom and complex capabilities (C&C, DNS beaconing, etc.) we can assume the scope was merely disruptive and did not have an espionage intent.”

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

In an updated post the cybersecurity company said it has now obtained four different LockerGoga samples that indicate “the ransomware is under active development”.

Nozomi said: “After execution, the malware moves itself to the directory %TEMP% in order to cover the malicious activity. ”

“The samples are not obfuscated and do not implement any anti-analysis techniques. All the samples run independently, without the need to connect to outside servers. These aspects indicate that LockerGoga is a classic ransomware malware. There is no functionality targeted at ICS specific devices or protocols, despite some of Norsk Hydro’s production being affected.”

The company added: “Currently, the only known way to remove LockerGoga from your system is to restore from backup.”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU