Industry Reactions to Norsk Hydro Breach: Feedback Friday

Norwegian aluminum giant Norsk Hydro has been hit by a serious ransomware attack that caused disruptions at some of its plants and forced the company to turn to manual processes to fulfill customer orders.

The attack appears to have involved file-encrypting ransomware known as LockerGoga. However, Norsk Hydro claims it has good backups in place that should help it restore compromised files without having to pay the ransom.

The incident initially had a small impact on the company’s shares, but they quickly recovered. The price of aluminum rose on news of the incident before it, too, started to recover.

While Norsk Hydro could not share too much technical information on the attack due to the ongoing law enforcement investigation, it has been applauded by many for the way it has handled the incident and for being transparent.

Industry reactions to Norsk Hydro breach

Industry professionals have commented on the incident, the way Norsk Hydro has responded to it, its implications, and what companies can do to protect their systems.

And the feedback begins…

Hani Mustafa, CEO, Oslo-based Jazz Networks:

“They didn’t remotely store information so that it remained accessible when machines were pushed offline. In other words, they didn’t have a “black box” recording everything that happened when their plane crashed. Once their machines went off the grid, they lost the ability to understand what happened and piece it back together.

They kept their networks and admins under one domain. Norsk Hydro had all their eggs in one basket, so when the fire started, it spread everywhere quickly. The ransomware enabled the changing of administrator passwords, and since everything was under the same domain instead of a mix of network segmentation and separate administrated domains, the attack spread fast once it hit.

Their systems weren’t updated. Norsk Hydro has a lot of industrial control systems for their networks because they run a lot of plants. It’s likely they were not running the same version of Windows across the board, and when you have older versions mixed in, it makes it much harder to regain control once under attack.”

Cybersecurity expert Kevin Beaumont (blog post on his thoughts and analysis of the attack):

“Hydro started the best incident representation response plan I’ve ever seen — they had a temporary website up, they told the press, they told their staff, they apparently didn’t hide any details — they even had daily webcasts with the most senior staff talking through what was happening, and answering questions.

In contrast to some other incidents, their stock price actually went up — despite a difficult trading period for the past 2 years involving some major business setbacks, they have actually gained in value.

[...]

Organisations should look at how Hydro disclosed and dealt with the issue so far in the public arena. It looks like it may be a textbook example of how incident response should be done, with transparency and openness. Not only the public and media perception went well, but the business end went well too — people didn’t sell off shares because they felt genuinely informed and that Hydro had a dire situation under control.”

Ray Walsh, digital privacy expert, BestVPN.com:

“The surge in the price of aluminum since the cyber attack on the Norwegian producer Norsk Hydro is a stark reminder of the possible ramifications of targeted cyber attacks. Anytime that a large firm has a strong direct influence on the production of a material, it is possible that a large attack of this nature could disrupt distribution levels and therefore affect prices.

For the time being, it is impossible to say who carried out this attack. However, considering that the world's largest producers of aluminium are Chinese, there is the possibility that this was a Chinese-led cyberattack designed to force the price of the commodity up. This is definitely the kind of cyberattack that we can expect to see more of in the future, with the possibility of purchasing large quantities of a particular commodity before enacting a cyberattack amounting to insider trading.

On the other hand, it is possible that this is a vigilante-style cyber-attack carried out by a disgruntled, environmentally conscious hacking collective such as Anonymous. In the past 12 months, the Norwegian aluminium producer Norsk Hydro has suffered a lot of bad press - and a loss in share value - due to claims of environmental damages following floods at a production plant in Brazil. We could be looking at a revenge-style attack designed to further hurt the share value of a firm that is already suffering from the fallout.”

Malcolm Taylor, Director Cyber Advisory, ITC Secure:

“Supply chain risk through cyberattack has come to the fore recently. Not, I believe, because it’s become a greater issue or because of attacks like this which are highlighting it, but simply because there is a growing understanding of the inter-connected nature of modern commercial activity and just in time production, and crucially how empowered that is by technology. It may also be a factor, though I think sadly a smaller one, that as firms mature their cyber security, they have the wherewithal, in terms of understanding, time and budget, to begin to get to grips with the problem of their suppliers, which has made the issue gain prominence.
It’s surprising to see the amount of suppliers and third parties which corporates have; certainly for a mid-tier company this can easily be in the thousands. We’ve seen companies with over 20,000; that’s quite a challenge to manage, even with good technological solutions like ours. The basics of good information security apply, as they do for individual clients. Good risk management, appropriate and maintained security controls underpinned by great leadership and governance. Train your people. Do the basics - much ransomware can actually be caught and stopped by good anti-virus, for example. Add that to good patching and have regular backups just in case, and your risk has already dropped significantly. But, also think about suppliers. They bring and carry risk too.”

Tyler Moffitt, Security Analyst, Webroot:

“LockerGoga is a new ransomware variant that appears to be targeting European companies. So far, the notable victims have been Altran in France on Jan. 25 and Norsk Hydro in Norway in the past 24 hours. The encryption process used by LockerGoga is slow because it creates a new process each time it encrypts a new file and also exhibits no detection evasion techniques, showing a lack of sophistication. LockerGoga was signed using a valid Digital Certificate which has since been revoked.”
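The per-file process spawning described above is a behaviour defenders can alert on: one parent creating a burst of short-lived children. The following is an added example, not code from the article or any quoted commentator; the process-creation records, the 10-second window and the threshold of five children are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (timestamp, parent PID, child PID,
# image); not real telemetry from the Norsk Hydro incident.
CONSTRUCTED_EVENTS = """\
2019-03-19T03:00:00 1200 2001 C:\\Windows\\System32\\svchost.exe
2019-03-19T03:00:02 4100 4101 C:\\Temp\\suspect.exe
2019-03-19T03:00:02 4100 4102 C:\\Temp\\suspect.exe
2019-03-19T03:00:03 4100 4103 C:\\Temp\\suspect.exe
2019-03-19T03:00:03 4100 4104 C:\\Temp\\suspect.exe
2019-03-19T03:00:04 4100 4105 C:\\Temp\\suspect.exe
2019-03-19T03:00:04 4100 4106 C:\\Temp\\suspect.exe
2019-03-19T03:00:30 1200 2002 C:\\Windows\\System32\\svchost.exe
2019-03-19T03:05:00 1200 2003 C:\\Windows\\System32\\svchost.exe
"""


def parse_events(text):
    """Parse one record per line into (timestamp, parent_pid, image)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ppid, _pid, image = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), int(ppid), image))
    return events


def find_spawn_bursts(events, window=timedelta(seconds=10), threshold=5):
    """Return {parent_pid: (last_child_image, max_children_in_window)} for
    every parent that spawns at least `threshold` children inside any
    `window`. A sliding window per parent keeps this linear in event count."""
    by_parent = defaultdict(list)
    for ts, ppid, image in sorted(events):
        by_parent[ppid].append((ts, image))
    hits = {}
    for ppid, children in by_parent.items():
        start = 0
        for end, (ts, image) in enumerate(children):
            # Drop children that fell out of the window ending at `ts`.
            while ts - children[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(ppid, ("", 0))[1]:
                hits[ppid] = (image, count)
    return hits


if __name__ == "__main__":
    for ppid, (image, count) in find_spawn_bursts(parse_events(CONSTRUCTED_EVENTS)).items():
        print(f"parent {ppid} spawned {count} children of {image} within 10s")
```

The benign svchost.exe parent spawns slowly and never trips the threshold, while the suspect parent's six children in two seconds do.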

Dean Weber, CTO, Mocana:

“The Norsk Hydro attack goes to show that the reliance of operational technology (OT) systems on information technology (IT) platforms means that any attack is likely to impact both in industrial environments. By targeting and disabling IT systems, adversaries are able to cause a variety of subsequent issues affecting OT input/output, storage, data recorders, ICS/SCADA platforms and more. Why is the impact so widespread? Professionals are forced to disconnect IT systems for either protection purposes or for remediation activities.

Because ransomware is typically focused on financial gain, it is unclear if these were the intended consequences of the attack. However, we cannot rule out the possibility of the Norsk Hydro attack appearing as a misdirection attack with other targets being masked.”

Casey Ellis, CTO and Founder, Bugcrowd:

“LockerGoga may be a relatively new strain of ransomware, but its behaviors are similar to others we’ve seen in the wild. LockerGoga uses network vulnerabilities to spread through ICS shops still running mostly on Windows XP and Windows 7. Because of their dependence on legacy operating systems and configurations, ICS/OT systems are especially vulnerable to this type of attack and should take more preventative measures to protect themselves.

It will be interesting to hear if this was a targeted attack, or if Norsk Hydro was simply caught up in the proliferation of ransomware across the Internet. The fact that they closed so many geographically separate operations suggests that the malware spread rapidly once it was inside their networks. Thankfully, Hydro has cyber insurance and data backups or else this might have been a very expensive mess to clean up.”

Sam Curry, CSO, Cybereason:

“NotPetya/WannaCry ransomware attacks drove an immediate awareness of a new class of attack and for a time reminded everyone that existing prevention tools don’t stop the riskiest of attacks. Unfortunately, it came at the expense of peace of mind and drove FUD (fear, uncertainty and doubt) in managers. With these latest developments, it is too early to surmise if the Hydro breach will result in material losses for the company and their customers. Years ago, ransomware came on the scene in a world with no protection, like a disease in an exposed population. Now we understand it, and the adversaries no longer use it for smash and grab campaigns but rather surgically and to cover their traces. They drop it in specific places to trigger processes, to reimage and clean an area that has vital forensic evidence about their activities. Stimulus and response of the IT department to do the hacker’s dirty work for them.

Most companies have contingencies and tools now that help with ransomware, and that makes it feel like an understood and contained risk. However, that’s for the most part a false sense of security because most of the lack of recent ransomware outbreaks is due to the attackers using it differently, not because defenders are stopping it better. In reality, ransomware attacks worldwide have been dramatically dropping for years. Attackers today are using ransomware more surgically. In the cybersecurity industry, companies built an immunization plan ensuring that products had strong anti-ransomware options available. Some even discovered vaccines.”

Mark Sangster, VP and Industry Security Strategist, eSentire:

“If you’re an organization whose machinery relies heavily on computerized systems to operate, you must apply behavior-based alerting and enforce “least privilege” access throughout systems. Alerts must also be investigated; it doesn’t help if the warnings fall on deaf ears. Applying tactics like this to any failure points you’ve identified will reduce the chance of ransomware getting into your network and disrupting business.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.