Norsk Hydro Has Fallen Victim To A Serious Ransomware Attack
Ransomware wreaked havoc in 2017, and later, in 2019, we all thought that hackers had moved on to cryptojacking, which is a fast and reliable revenue source.
Not so: cybersecurity experts believe that IT managers should still worry about ransomware because attackers are one step ahead. They keep innovating new ways to evade defenses.
If we look back at the statistics, there’s been an increase in ransomware attacks in recent times. According to Justin Warner, director of applied threat research at Gigamon, “Anyone responsible for the security and operations of IT assets needs to be prepared for the possibility of destructive attacks, as they affect companies of all sizes and all industries.”
That said, last Tuesday we saw a major ransomware attack on Norsk Hydro, one of the world’s largest aluminum producers.
The Oslo-based company witnessed one of the worst kinds of cyberattack on its infrastructure. Its office IT systems and equipment management systems were down. Production slowed because the company was forced to switch to manual smelter operations.
When the workers returned to work the next day, they were greeted with hand-written notes affixed to the entry door telling them not to connect any devices to the Hydro company network. This was perhaps the worst nightmare for their IT department.
The company detected the root cause of the problem on Friday and quickly got into action to restore their systems from backups. The operation continued at a slow pace, and they could only achieve 50 percent of the production target.
The company said in a statement: “Hydro still does not have the full overview of the timeline towards normal operations, and it is still too early to estimate the exact operational and financial impact.”
Well, that’s the thing about ransomware: it does damage. The more damage it does, the more likely people are to pay a ransom to the attackers.
“We’ve left the age of transnational crime, and now live in one of targeted, sometimes vindictive strikes seeking large sums of money,” said Mark Sangster, VP and industry security strategist at eSentire.
Now compare ransomware with cryptojacking: the latter is stealthier and built for the kill. Yes, it costs the victim more money in energy or cloud computing costs, but that’s where the attacker gets smart and keeps the attack modest so that the malware is never detected.
The malware that hit the Norwegian power and metals giant Norsk Hydro is reportedly called LockerGoga.
“It appeared in January,” said Darren Mar-Elia, head of product at Semperis, a New York-based cybersecurity firm. He added, “We don’t yet have all the details, but one point that seems clear is that this attack leveraged the organization’s own infrastructure, in this case, Active Directory and Group Policy, to help it spread.”
The world has seen enough of how ransomware typically works, how it spreads, and how it is made difficult to detect. But we fail to learn from the past and miss out on steps that companies can take to reduce such notorious attacks.
In order to use that infrastructure to spread the malware, the attackers gained Domain Admins access on Active Directory. Hardening your infrastructure can help tremendously.
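A defender-side check for the two things named above, Domain Admins membership and Group Policy changes, follows as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the baseline file name and the seven-day review window are hypothetical choices.

```powershell
# Added example: review who holds Domain Admins and which GPOs changed recently.
# Run from a domain-joined admin workstation with read access to the directory.
Import-Module ActiveDirectory, GroupPolicy

# Assumption: approved Domain Admins are listed one sAMAccountName per line.
$BaselinePath = '.\approved-domain-admins.txt'   # hypothetical file name
$LookbackDays = 7                                # assumed review window

$approved = @()
if (Test-Path $BaselinePath) {
    $approved = Get-Content $BaselinePath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
}

# -Recursive expands nested groups so indirect members are not missed.
$members = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName)

# Accounts holding the privilege that nobody approved.
$unexpected = @($members | Where-Object { $_ -notin $approved })

# GPOs modified inside the review window, newest first.
$since = (Get-Date).AddDays(-$LookbackDays)
$recentGpos = @(Get-GPO -All |
    Where-Object { $_.ModificationTime -ge $since } |
    Sort-Object ModificationTime -Descending |
    Select-Object DisplayName, Id, Owner, ModificationTime)

Write-Output "Domain Admins (effective members): $($members.Count)"
Write-Output "Members not in baseline: $($unexpected.Count)"
$unexpected | ForEach-Object { Write-Output "  $_" }

Write-Output "GPOs modified in the last $LookbackDays days: $($recentGpos.Count)"
$recentGpos | Format-Table -AutoSize
```

If the baseline file is absent, every effective member is reported as unexpected, which is the safe default for a first review.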
Barak Perelman, the CEO at Indegy, a New York-based cybersecurity firm, emphasized how the incident also underscores the need to keep critical systems isolated from one another.
That’s especially important for industrial control systems (ICS) – not only those used by manufacturers like Norsk Hydro but also data center management systems. “Many ICS devices are end-of-life, so vendors do not issue patches for them,” he said. “Meanwhile, restoring ICS systems from backups is often not possible, since logs and backups don’t exist.”
We at Hackercombat agree with what Bill Siegel, co-founder and CEO at Coveware, said: data centers should be particularly wary of ransomware, not only because of its damage potential but also because data centers can be particularly attractive targets for ransomware attackers.
From the outside, a data center appears to be a large organization, with all its servers and systems. And, obviously, the ransomware makers will “think the data center is actually a large company” and set the ransom amount accordingly.
Manufacturing companies are obvious ransomware targets because they cannot afford to lose time: downtime is measured in millions of dollars per day, and the CEO will be looking to pay the ransom at the earliest and put things back on track. Such attacks also expose vulnerable network security that has been ignored for years; as a result, the malware can quickly spread across manufacturing plants and to other countries. Add to that the risk of spoilage, environmental incidents, and safety.
Julia Sowells
Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.