Sign up for our newsletter
Technology / Cybersecurity

Norsk Hydro Attack Contained, New Website Live, Samples Analysed

Two days after first announcing a crippling cyber attack, major metals producer Norsk Hydro has launched a new website, says it has succeeded in “detecting the root cause” of the problems and is currently working to restart the company’s IT systems.

The majority of production systems continue to work, albeit using manual overrides. More heavily digitalised production systems, for example for its extruded (uniquely shaped) products remain subject to production challenges and temporary stoppage at several plants, Norsk said; it is clear things could have been much worse.

“I’m pleased to see that we are making progress, and I’m impressed to see how colleagues worldwide are working around the clock with dedication to resolve this demanding situation and ensure safe and sound operations,” CFO Eivind Kallevik said.

“I would also like to complement our external technical partners who have done an important job in supporting our efforts, and also relevant authorities, who handle the issue with the diligence it deserves,” Kallevik says.

White papers from our partners

Hydro still does not have the full overview of the timeline towards normal operations, and it is still to early to estimate the exact operational and financial impact, it added. (The company, which is the world’s third largest aluminium supplier, generated £48 million in revenues in Q4.)

Norsk Hydro Update: Ransomware not ICS-Specific

norsk hydro update

Nozomi Network Labs, which has conducted analysis on the LockerGoga ransomware used in the attack, said: “The malware is not able to spread itself to other targets. Considering the fact that the attackers were not interested in adding custom and complex capabilities (C&C, DNS beaconing, etc.) we can assume the scope was merely disruptive and did not have an espionage intent.”

In an updated post the cybersecurity company said it has now obtained four different LockerGoga samples that indicate “the ransomware is under active development”.

Nozomi said: “After execution, the malware moves itself to the directory %TEMP% in order to cover the malicious activity. “

“The samples are not obfuscated and do not implement any anti-analysis techniques. All the samples run independently, without the need to connect to outside servers. These aspects indicate that LockerGoga is a classic ransomware malware. There is no functionality targeted at ICS specific devices or protocols, despite some of Norsk Hydro’s production being affected.”

The company added: “Currently, the only known way to remove LockerGoga from your system is to restore from backup.”
This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.