What can we learn from the Norsk Hydro Hack?

June 26, 2019

In mid-March the world’s 10th largest aluminum producer switched to manual operations at some smelting plants following a “severe” ransomware attack. Norsk Hydro, which employs more than 35,000 people in 40 countries, was attacked on Monday, March 18. Systems that managed production equipment had their data encrypted and were disconnected from the company’s network, preventing Norsk Hydro employees from managing factory equipment. Hydro switched to manual operations, which slowed factory output and caused temporary stoppages as employees implemented manual workarounds. The biggest impact was on Norsk Hydro’s office IT infrastructure: not having access to customer orders was the biggest problem the company had to deal with in keeping production lines going.

Experts from Microsoft and Norsk Hydro’s IT security partners flew in to assist Hydro in getting business critical systems back to normal operation. The company’s Chief Financial Officer reiterated that Norsk Hydro does not pay hackers’ ransom demands and has already started restoring its IT infrastructure from backups. Overall, the incident has been described as disastrous by Hydro officials.

Hydro has since postponed its first-quarter earnings report by five weeks to June 5 from April 30, amid efforts to restore systems for reporting, billing and invoicing. The company reiterated that it has a cyber insurance policy to help cover the cost of the attack.

Why do you care?

Norsk Hydro said the cyber-attack would cost up to 450 million Norwegian crowns ($52 million) in the first quarter. The Norwegian National Security Authority, the state agency in charge of cybersecurity, said the attack used a virus known as LockerGoga, which encrypts computer files and demands payment to unlock them.

The first confirmed attack by the LockerGoga ransomware was in January 2019 when Altran Technologies got hit. Altran was hacked by phishing, while Norsk Hydro had Active Directory services and scheduled tasks injected into the network. Attackers were trying to negotiate the price by asking the affected companies to contact them via email. There was no fixed price per infected computer nor was any recommended cryptocurrency provided. The hackers used ProtonMail email addresses – an end-to-end encrypted email service – so the intention was clearly to make their actions more difficult to trace.

What can you do about it?

Norsk Hydro’s systems had four key elements:

  1. They all ran Microsoft Windows.
    Read our next two blog posts to find out more about how obsolete Windows operating systems endanger security.
  2. Files, including some system files, had been encrypted.
    By the time you realize that your files are being encrypted, it is too late. It is critical to ensure that your anti-virus and malware protections are up-to-date, installed and in use everywhere on your systems.
  3. The network interface on every system had been disabled.
    Applications, system interfaces, web pages and HMIs all need to be protected and segregated by type. Wonderware is not a replacement for cybersecurity. Your user interface is not secure.
  4. The local user accounts on every system had their password changed.
    This may have been the first time that all of Norsk Hydro’s user passwords were changed, and it took a malware attack to do it. What’s your policy and when were your user passwords last changed?

    Static analysis revealed that LockerGoga enumerates the infected system’s Wi-Fi and/or Ethernet network adapters. It then disables them via command line to disconnect the system from any outside connection. LockerGoga runs this routine after its encryption process but before it logs out the current account. Its file encryption routine could be considered less consequential since LockerGoga already locks the user out of the system by changing the accounts’ passwords.

Because of this behavior, you can protect against an attack by:

  1. Updating your virus protection daily, NOT weekly or monthly;
  2. Regularly changing WiFi and Ethernet hardware passwords and storing them in an encrypted location;
  3. Disabling command line access for workstations that are not used by administrative IT security personnel; and
  4. Training, training, training all personnel to resist phishing attacks. All it takes is one person with access to your company’s email system who clicks on a phishing message and your entire contact list and address book(s) are in the wild.
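The behavior described in the static analysis above (network adapters disabled from the command line, local account passwords changed) can also be watched for in Windows event data. The following is an added example, not code from Athens Group Services or from the analysis it cites: it correlates process-creation events (Event ID 4688) with password-reset events (Event ID 4724) per host. The page does not name the command used, so the `netsh` and `Disable-NetAdapter` patterns, the event field names, the 10-minute window, the two-account threshold and all sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed patterns for "disable a network adapter from the command line".
ADAPTER_DISABLE = re.compile(
    r"netsh(\.exe)?\s+interface\s+set\s+interface\b.*\bdisabled?\b"
    r"|\bDisable-NetAdapter\b",
    re.IGNORECASE,
)

# Constructed sample events, reduced to the fields used here.
# 4688 = process creation (command line auditing on), 4724 = password reset attempt.
SAMPLE_EVENTS = [
    {"time": "2024-01-08T23:01:10", "host": "WS-014", "id": 4724, "target": "operator"},
    {"time": "2024-01-08T23:01:11", "host": "WS-014", "id": 4724, "target": "Administrator"},
    {"time": "2024-01-08T23:01:40", "host": "WS-014", "id": 4688,
     "cmd": 'netsh.exe interface set interface "Ethernet" DISABLE'},
    # A single help-desk style reset with no adapter change: not flagged.
    {"time": "2024-01-08T23:02:00", "host": "WS-020", "id": 4724, "target": "jsmith"},
    # An adapter disabled with no password resets nearby: not flagged.
    {"time": "2024-01-08T09:15:00", "host": "WS-031", "id": 4688,
     "cmd": 'netsh interface set interface "Wi-Fi" admin=disabled'},
]


def flag_hosts(events, window=timedelta(minutes=10), min_resets=2):
    """Return {host: [accounts]} for hosts where an adapter-disable command
    runs within `window` of password resets on at least `min_resets` accounts."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((datetime.fromisoformat(e["time"]), e))

    flagged = {}
    for host, items in by_host.items():
        disables = [t for t, e in items
                    if e["id"] == 4688 and ADAPTER_DISABLE.search(e.get("cmd", ""))]
        for t_dis in disables:
            accounts = {e["target"] for t, e in items
                        if e["id"] == 4724 and abs(t - t_dis) <= window}
            if len(accounts) >= min_resets:
                flagged[host] = sorted(accounts)
                break
    return flagged


if __name__ == "__main__":
    for host, accounts in flag_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: adapter disabled near password resets for {accounts}")
```

A host that has disabled its own adapters can no longer forward events, so this correlation is best evaluated by a local agent or against whatever arrived before the host went silent.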

Below: an employee warning sign against connecting devices to the network in the wake of a cyber-attack, seen at the headquarters of aluminum producer Norsk Hydro in Oslo, Norway, March 19, 2019. REUTERS/Gwladys Fouche/File Photo

Attackers placed the ransom note below on Norsk Hydro’s business systems and some production systems across the world.
