22 March 2019

Metallurgical giant Norsk Hydro attacked by encrypting malware

On March 19, 2019, Norsk Hydro, one of the world’s largest aluminum producers, revealed that ransomware had been used in an attack against it. The Norwegian firm was attacked on March 18, and production processes at a number of facilities in Norway, Qatar, Brazil and other countries were affected.

The incident

According to the information shared at the press conference, Norsk Hydro security personnel discovered ransomware infections during the night of March 18-19. Steps were immediately taken to prevent further infections by the malware. However, the malware had already penetrated systems in Norsk Hydro’s distributed network.

The attack affected both corporate and industrial systems. For instance, the industrial networks at several extrusion and rolled product plants were infected, which resulted in parts of production systems being impacted. In turn, this caused difficulties and temporary stoppages in production. Some operations were switched to manual mode to continue production.

The Norsk Hydro website was also temporarily unavailable.

Norsk Hydro representatives have named neither the malware nor the exact number of affected computers. According to their Facebook post, the incident did not put the lives of any employees at risk or affect the power plants, where the IT systems are isolated.

Norsk Hydro is currently conducting an investigation in cooperation with Norway’s National Criminal Investigation Service.

LockerGoga

NorCERT researchers have stated that Norsk Hydro was the victim of a LockerGoga encryption malware attack. This malware had also been used to attack the French firm Altran Technologies in January 2019.

LockerGoga is a relatively new family of encryption malware. The Trojan is written in C++ using the Boost and CryptoPP libraries. It uses a hybrid of AES + RSA 1024 to encrypt files, whereupon the encrypted files get an additional extension: .locked.

It is quite possible that a compromised user account with admin privileges was used to penetrate the Norsk Hydro network. This would have made it possible for the malicious file to be dropped in the Netlogon folder, which can be accessed by all computers on the corporate network. The attacker then merely needed to configure the group policy to make all of the servers and computers execute the malicious file with maximum privileges. This method would allow LockerGoga to spread rapidly across the network without making copies of itself. Moreover, by using the Active Directory service the threat actor evades the corporate firewalls.
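A detection sketch for the distribution path described above, added here as an illustration and not taken from the Norsk Hydro investigation: it flags executable files written to the NETLOGON or SYSVOL shares and raises severity when the same account also modifies a Group Policy object. It assumes Windows Security events 5145 (detailed file share auditing) and 5136 (directory service changes) are collected from domain controllers and already parsed into dictionaries; the 24-hour window, the extension list, the account names and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

EXEC_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi")
DC_SHARES = ("netlogon", "sysvol")
FILE_WRITE_DATA = 0x2          # write/add-file bit in the 5145 AccessMask
WINDOW = timedelta(hours=24)   # assumed correlation window; tune per environment

def correlate(events):
    """Alert on executable writes to NETLOGON/SYSVOL; severity is 'high' when
    the same account modified a GPO within WINDOW of the write."""
    writes, gpo_changes, alerts = [], [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 5145:
            share = ev["ShareName"].rsplit("\\", 1)[-1].lower()
            target = ev["RelativeTargetName"].lower()
            if (share in DC_SHARES and target.endswith(EXEC_EXT)
                    and int(ev["AccessMask"], 16) & FILE_WRITE_DATA):
                writes.append(ev)
        elif ev["id"] == 5136 and ev["ObjectClass"] == "groupPolicyContainer":
            gpo_changes.append(ev)
    for w in writes:
        linked = [g["ObjectDN"] for g in gpo_changes
                  if g["SubjectUserName"] == w["SubjectUserName"]
                  and abs(g["time"] - w["time"]) <= WINDOW]
        alerts.append({"account": w["SubjectUserName"],
                       "file": w["RelativeTargetName"],
                       "severity": "high" if linked else "medium",
                       "gpos": sorted(set(linked))})
    return alerts

# Constructed sample events (not real telemetry).
T0 = datetime(2019, 1, 1, 2, 0)
SAMPLE_EVENTS = [
    {"id": 5145, "time": T0, "SubjectUserName": "adm-example",
     "ShareName": r"\\*\NETLOGON", "RelativeTargetName": "svc-update.exe",
     "AccessMask": "0x2"},
    {"id": 5136, "time": T0 + timedelta(minutes=10),
     "SubjectUserName": "adm-example", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={CONSTRUCTED-GUID},CN=Policies,CN=System,DC=example,DC=local"},
    {"id": 5145, "time": T0 + timedelta(hours=1), "SubjectUserName": "jdoe",
     "ShareName": r"\\*\NETLOGON", "RelativeTargetName": "logon.bat",
     "AccessMask": "0x1"},   # read only: ignored
    {"id": 5145, "time": T0 + timedelta(hours=30), "SubjectUserName": "helpdesk",
     "ShareName": r"\\*\SYSVOL",
     "RelativeTargetName": r"example.local\scripts\map-drives.cmd",
     "AccessMask": "0x2"},   # write without a GPO change: medium
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```
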

So far, the initial infection vector used by LockerGoga has not been identified. Cisco Talos researchers believe that the attacker may have used various methods, including exploiting vulnerabilities and phishing in order to obtain user credentials. Earlier versions of LockerGoga encrypted user data and then showed a ransom demand in Bitcoins. Later versions not only encrypted files, but also forced users to log off and blocked all attempts to log back onto the system. In these cases, users were not even able to see the ransom demand. Thus, these later LockerGoga samples can be classed as wiper malware.

We do not know yet which version of LockerGoga was used in the attack on Norsk Hydro. However, according to a company spokesperson, the corporate network was infected with ransomware, but Norsk Hydro has no intention of paying the ransom.

Norsk Hydro continues efforts to neutralize the attack and mitigate its consequences. All employees have been asked not to turn on their laptops and not to connect any external devices to the corporate network, including smartphones and Touch Memory electronic keys. Backup copies of systems and databases are being used to restore normal functionality to the network.

As of March 21 all sites were isolated, and the malware was no longer spreading across the company’s network. However, a number of production systems were still working in manual mode.

Conclusions

Even though the investigation is still in progress, we can already draw a number of conclusions about possible reasons for the incident and factors which affected the scope of its consequences.

Lack of network segmentation is one probable reason for the widespread infection. A properly segmented network would have prevented a massive infection and helped contain the attack.

A compromised user account with admin privileges could well have served as another factor which led to the malware’s rapid spread. This could have happened as a result of an earlier phishing attack.

Moreover, the fact that the malware was able to penetrate and infect systems tells us that the antivirus protection used by the company was not sufficiently reliable or that the antivirus databases were not updated. LockerGoga is a relatively new malware family, but it is well known already, and most leading antivirus vendors detect it successfully. Kaspersky Lab products detect this family of Trojans as Trojan-Ransom.Win32.Crypren.

Despite the large-scale consequences of this attack, we do need to note the positive factors which helped minimize the incident’s impact. These include:

  • A prompt response to the attack, resulting in infected installations being isolated quickly.
  • The rapid switchover of production processes at the affected plants into manual mode, which allowed production to continue.
  • Isolating the power plants’ industrial networks from the corporate network, which prevented them from being infected.
  • Backup copies of data, which should allow Norsk Hydro to restore encrypted data.
  • Cyber risk insurance, which should cover some of the expenses related to the incident.