Business Disruption to Norsk Hydro
On Tuesday 19th March 2019 the Norwegian multi-national metals manufacturing company Norsk Hydro suffered shutdowns of its operational facilities due to a ransomware cyber-attack. Over two weeks later, the organisation has recovered much of its operations, but some parts of its business are still relying on manual operations and are only 85% as effective as usual. The precise cost of this incident is yet to be released, if it ever will be, and if it ever can be calculated. Not only is there the lost business from output slowing to a halt, but there is also the time and effort spent replacing and restoring data, software and hardware, as well as the time and effort spent on the investigation at different levels of the business, and externally through the Norwegian police and intelligence services. The cost will be phenomenal and is ongoing.
A similar cyber-attack on the Danish international shipping company Maersk in 2017 cost them around $300m (USD).
The attack was a typical ransomware attack, encrypting files and suggesting that the files will be released upon payment in the bitcoin cryptocurrency.
What happens during the attack?
This particular attack is said to have used the LockerGoga ransomware. Other companies have received similar attacks using LockerGoga, including the US-based chemical manufacturers Hexion and Momentive. The attack seems to begin with obtaining user credentials, perhaps by exploiting staff through phishing attacks, or perhaps by using default credentials. The LockerGoga program is then installed, locking files and generally causing havoc. Finally, the attackers use software such as Metasploit to find vulnerabilities on the network and move the ransomware from one machine to the next. They also seem to use tools such as Mimikatz, which try to discover passwords on a system.
Although the attack, and its approach, could apply to a variety of business and personal devices, it seems to specifically target industrial organisations in order to cause havoc or damage for the industrial business and/or for the organisations and consumers they supply. In the eyes of a hacker, an industrial system would be an easy target: older technologies which rarely get updated are connected to newer, more efficient, remotely-monitorable internet-connected devices (as in Industry 4.0 or the Industrial Internet of Things). Combined with a strong link into business operations or societal supply, this means an easy-to-penetrate target with maximum effect. It would be like setting a fire in a thirsty forest: easy to do, maximum damage.
Lessons Learned
Industrial organisations, such as critical infrastructure and manufacturers, should take this as a lesson: look at what they have, and prepare for such cyber-attacks, because these kinds of cyber-attacks are on the rise and are becoming much more complicated. At Awen Collective we help industrial organisations to understand their operational assets, to eliminate vulnerabilities and to prepare to respond to cyber and cyber-physical incidents. Contact us today to see how we might be able to collaborate to improve aspects of cyber-security, incident response and digital forensics in industrial organisations. You can do so by emailing: hello@awencollective.com
UPDATE - 12/04/2019
Norsk Hydro have announced that they are largely back to normal operations, apart from one section of their business which is at 85-90%. They have also delayed the release of their first quarter reporting. Their incident response technique has meant that their 35,000 staff across 40 countries have been required to make extra efforts to resolve the cyber-attack issues. The cost of this cyber-attack will not have been insignificant.