Norsk Hydro

Norsk Hydro Hit with ‘Severe’ LockerGoga Ransomware Attack

Global aluminum manufacturer Norsk Hydro was hit with an alleged ransomware attack Tuesday. The attack is having a major impact on the company’s global business and production.


Global aluminum manufacturer and renewable-energy provider Norsk Hydro was hit with an alleged LockerGoga ransomware attack in the wee hours of Tuesday morning that knocked its worldwide IT system and website offline and continues to have a major impact on the company’s global business and production.

System administrators first noticed the “serious cyber attack” at midnight Central European Time Tuesday. It affected IT systems across Norsk Hydro’s businesses, said CFO Eivind Kallevik in a press conference about the attack Tuesday. It forced the company to isolate each of its separate facilities and switch to primarily manual operations to keep production up and running in plants globally, he said.

A Severe Attack

Calling the situation “severe,” Kallevik said the company’s priority now is to eliminate all traces of the attack and to restore data from back-up systems to mitigate damage so that business and production can continue without interruption or a major effect on customers.

Norsk Hydro
Norsk Hydro aluminum manufacturing. The company’s operations were impacted by a ransomware outbreak.

“As the attack was spreading throughout our business we did take measures to contain and neutralize [it],” Kallevik said. “We have isolated all our plants and operations and are switching to manual operations and procedures. The most critical point for us at the moment is to find a cure so we can … find any servers that are attacked by the virus and clean them out to get operations back to normal.”

Report: Major attack on critical infrastructure expected due to increased risk from IoT

He said so far the attack has not caused any safety-related incidents and that production is “running normally” in power and manufacturing plants, adding that currently customers should not see a delay or fluctuation in service. “As of today those losses are minimal,” Kallevik said.

However, he would not speculate on the time it would take to stop the attack and have its global network online and running according to normal operations, nor if future customer orders or interaction would be affected.

Norsk Hydro currently is working with the Norwegian National Security Authority and other internal and external experts to neutralize the attack. The company had been keeping the public up to date on the attack on its Facebook page, though that page was inaccessible late Tuesday.

LockerGoGa strikes again?

Officials at the press conference did not confirm the ransomware seen on the network is indeed a LockerGoga* attack, but said that is one potential cause being investigated. However, the Norwegian National Cybersecurity Center (NorCERT) released an alert warning of a LockerGoga attack and citing Norsk Hydro was a victim, according to Norwegian news outlet NRK.

LockerGoga is a known but fairly new ransomware that is believed to be behind a major cyber attack in January on French engineering consultancy Altran Technologies.

Criminals, Not State Actors, Target Russian Oil Company in 3-Year Cyber Attack

Barak Perelman, CEO of Indegy, which specializes in cybersecurity for critical infrastructure and manufacturing companies, believes the Norsk Hydro attack was not a targeted attack; rather, it was collateral damage resulting from a lack of proper cybersecurity for legacy systems.

Manufacturers and other critical-infrastructure companies “took facilities that have an infrastructure from a decade or two decades ago…and connected them to each other and the enterprise network and to the Internet,” he told Security Ledger. “And they did so without upgrading the security infrastructure inside the facilities. This is what is causing problems.”

Indeed, a recent report found that industrial control systems have a number of critical flaws that make them easy targets for hackers because they were designed at a time when cybersecurity wasn’t a worry.

This is one reason that there has been a “surge in destructive attacks” on industrial control networks such as those at global manufacturers last several years, among others, said Tom Kellermann, chief cybersecurity officer at cloud-based endpoint security firm Carbon Black.

Perelman of Indegy also cited increased connectivity on the part of utilities and critical-systems providers–which historically have isolated networks and internal systems–as one reason attacks on them are more prevalent.

Destructive Shamoon Malware Attacks Italian Oil Services Firm

“As these once air-gapped industries connect to the Internet and adopt industrial IoT, they dramatically increase their attack surface,” he said.

Perelman said that there are two ways to remedy a ransomware attack–pay the ransom, which most companies choose not to do, or recover data from back-up systems, which Kallevik said Norsk Hydro plans to do.

However, the company may run into problems when trying to recover data for its individual manufacturing plants, Perelman said. This is because many of these types of companies typically don’t have regularly backed-up configurations for these facilities, he said.

Attacks with Global Impact

In addition to being one of the world’s biggest suppliers of aluminum as well as alumina–a raw material used to make the metal–Oslo-based Norsk Hydro also provides energy, including hydropower and solar power, in Norway and through partnerships worldwide.

The company currently has operations in 50 countries, with major presences at home and in countries such as Germany and Brazil. In the latter country’s Para state, the Norsk Hydro Alunorte alumina refinery came under fire last year when it admitted to releasing untreated water into the environment during severe rains. Norsk Hydro also has more employees in the United States than any other Norwegian company.

Tuesday’s attack on the company had a ripple effect on global markets, boosting the price of aluminum–which had been flagging–on the commodities market.

This proves that the impact of these large cyber attacks are beginning to extend even beyond a company and its customers to the global market and beyond, said Tod Beardsley, research director at visibility, analytics and automation security firm Rapid7.

“This is the first time I can recall a cyber attack impacting the spot price of a global commodity like aluminum,” he said. “That alone is pretty significant, since it reminds us that cyber-exposure can have a real, direct effect on industries that aren’t normally thought of as ‘high tech’ industries.”

Beardsley said the attack should serve as a reminder that all businesses and organizations–no matter their industry, vertical or size–need to consider IT security on a grander scale and step up their game to protect their networks in an increasingly interconnected world.

(*) Correction: an earlier version of this story misspelled the name of the LockerGoga malware. The story has been corrected. – PFR March 20, 2019

One Comment

  1. Thank you for sharing such a nice and wonderful blog post.