Norsk Hydro Calls Ransomware Attack ‘Severe’ | Threatpost

Aluminum giant Norsk Hydro has fallen victim to a serious ransomware attack that has forced it to shut down or isolate several plants and send several more into manual mode, the company said on Tuesday morning.

Oslo, Norway-based Norsk Hydro, one of the world’s largest makers of aluminum, employs 35,000 people in up to 40 countries. The cyberattack, first detected by the company’s IT experts around midnight Norwegian time, has left the aluminum producer struggling to maintain operations despite shutting down some plants and going into manual mode for others.

“The situation is quite severe. The entire worldwide network is down, affecting all production as well as our office operations,” said Norsk Hydro CFO Eivind Kallevik during a press conference on Tuesday morning. “Our main priority is to ensure safe operations and limit the financial and operational impact. The incident has not led to any safety-related incidents as of today.”

Hydro is currently under cyber-attack. Updates regarding the situation will be posted on Facebook: https://t.co/2S94rp3qll

— Norsk Hydro (@NorskHydroASA) March 19, 2019

The company said that IT systems in most business areas are affected, including the digital systems at its smelting plants (which produce a base metal from its ore). Norsk Hydro is switching to manual operations at its smelting plants, including several in Norway, Qatar and Brazil, and has had to shut down several metal extrusion (a type of metal forming process) plants.

This morning, the company isolated the plants to make sure the virus doesn’t run from one plant to the other, said Kallevik. When asked if the company plans to pay the ransom, he said, “Our main strategy is to use the backup data we have in the system.” The company said it doesn’t know the identity of the hackers.

While Norsk Hydro did not specify the ransomware, several Norwegian media outlets have reported that NorCERT is linking the incident to LockerGoga ransomware.

Security expert Kevin Beaumont said on Twitter that this ransomware also hit Altran back in January. “As an attacker – if you have domain admins, put the .exe in Netlogon folder, it automatically propagates to every Domain Controller, then make a GPO to run on each PC and server at top level. Most orgs firewall accept Active Directory,” he said.
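The distribution path Beaumont describes can be audited from the defender's side: list Windows executables sitting in the `scripts` folder of SYSVOL (the folder shared as NETLOGON) and flag any GPO startup-script or scheduled-task file that names one of them. The following is an added example, not code from Threatpost, Beaumont or Norsk Hydro; it assumes a readable copy of the domain's SYSVOL folder at `domain_root`, and the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# GPO files that can launch a program (startup/logon scripts, GPP scheduled tasks).
GPO_LAUNCH_FILES = {"scripts.ini", "scheduledtasks.xml"}

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a Windows executable."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def read_text(path):
    """Decode a policy file: UTF-16 when it carries a BOM, else UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return raw.decode(enc, "replace").lower()

def audit_sysvol(domain_root):
    """Return (executables under scripts/, GPO launch files that name them)."""
    exes, hits = [], []
    for folder, _, files in os.walk(os.path.join(domain_root, "scripts")):
        paths = [os.path.join(folder, f) for f in files]
        exes += [p for p in paths if is_pe(p)]
    names = sorted({os.path.basename(p).lower() for p in exes})
    for folder, _, files in os.walk(os.path.join(domain_root, "Policies")):
        for f in files:
            if f.lower() in GPO_LAUNCH_FILES:
                text = read_text(os.path.join(folder, f))
                hits += [(os.path.join(folder, f), n) for n in names if n in text]
    return sorted(exes), sorted(hits)

def build_sample(root):
    """Constructed SYSVOL-like tree for the demo; names are placeholders."""
    gpo = os.path.join(root, "Policies", "{GPO-GUID-PLACEHOLDER}", "Machine", "Scripts")
    os.makedirs(os.path.join(root, "scripts"))
    os.makedirs(gpo)
    with open(os.path.join(root, "scripts", "logon.bat"), "wb") as fh:
        fh.write(b"@echo off\r\n")
    with open(os.path.join(root, "scripts", "tool.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # header stub only, not a real binary
    ini = "[Startup]\r\n0CmdLine=\\\\corp.example\\netlogon\\tool.exe\r\n"
    with open(os.path.join(gpo, "scripts.ini"), "wb") as fh:
        fh.write(ini.encode("utf-16"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_sysvol(tmp))
```

A hit is a lead for review rather than proof of compromise, since some organizations deliberately deploy installers this way; comparing the result against a known-good baseline narrows it down.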

“This is the first time I can recall a cyberattack impacting the spot price of a global commodity like aluminum,” Tod Beardsley, Research Director at Rapid7 said in a statement. “That alone is pretty significant, since it reminds us that cyber-exposure can have a real, direct effect on industries that aren’t normally thought of as ‘high tech’ industries.”

Ransomware attacks have proven to be a costly and reputation-crushing form of attack. Last year, a “critical water utility” was targeted in a ransomware attack, significantly impeding its ability to provide service in the week after Hurricane Florence hit the East Coast of the U.S.

“Minimally, this attack provides a lesson in the value of both network segmentation and ensuring that threat models are created, assuming the threat comes from an internal source,” said Tim Mackey, Senior Technical Evangelist at Synopsys. “With increasingly sophisticated attacks, organizations must assume attackers could compromise internal systems as easily as they might attempt to breach a firewall into a production system.”

This is a developing news story. Threatpost will continually update this article as more information becomes available.