Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management

Aluminum Giant Norsk Hydro Hit by Ransomware

Crypto-Locking Malware Attack Results in 'Temporary Stoppage at Several Plants'
Aluminum Giant Norsk Hydro Hit by Ransomware
Hydro aluminum plant in Commerce, Texas. (Photo: Michael Barera, Creative Commons)

Norsk Hydro, one of the world's largest aluminum producers, has been hit by a crypto-locking ransomware attack that began at one of its U.S. plants and has disrupted some global operations.

See Also: Mandiant Cyber Crisis Communication Planning and Response Services

Officials at Oslo, Norway-based Hydro said the attack began Monday and escalated throughout the evening, affecting multiple business areas globally. The company's operations span 50 countries; it has approximately 35,000 employees.

In a Tuesday press conference, company officials said they plan to restore affected systems using recent backups. The company is still working to identify and fully eradicate the virus.

"Let me be clear: The situation for Hydro is quite severe," Hydro CFO Eivind Kallevik said. "The entire worldwide network is down, affecting our production as well as our office operations. We are working hard to contain and solve the situation and to ensure safety and security of our employees."

Bente Hoff, a director of cybersecurity in the Norwegian National Security Authority, said the ransomware may be a strain known as LockerGoga.

"We are helping Hydro in this," she said at the press conference, adding that her authority was working with Norway's National Criminal Investigation Service - a special agency of the Norwegian Police Service known as Kripos - as well as the country's intelligence services.

Hydro, which is the second largest business in Norway, says the full extent of the attack remains unclear, but it says all affected plants have been isolated from the global network.

Cyberattack Warning

The press conference followed the company issuing a warning earlier Tuesday that it had suffered a cyberattack.

"Hydro has been subject to an extensive cyberattack, impacting operations in several of the company's business areas," the company said in a statement issued via Facebook.

"Around midnight [Tuesday], Norwegian time, our IT experts noticed unusual activity on our servers within our global IT systems," Kallevik said. As the attack was spreading, the company's internal IT team worked rapidly to attempt to contain the damage, he added. "This virus is a so-called encryption virus, also commonly known as a ransom virus or ransom attack."

The company said it plans to wipe and restore affected systems using backups. "We have good backup solutions and good routines for that in the company, and that is the main target for how we will get the operations back to normal is to reinstall the data we have from the last backup data, and that is recent," Kallevik said.

As of Tuesday, Norsk Hydro's website remained offline. The company has been using Facebook to communicate.

Kallevik said Hydro carries cyber insurance.

Infections Isolated

The company said all affected plants' IT networks have been isolated.

"Hydro has isolated all plants and operations and is switching to manual operations and procedures as far as possible," including for some aluminum-producing smelters, the company explained. "Hydro's main priority is to continue to ensure safe operations and limit operational and financial impact. The problem has not led to any safety-related incidents."

Running more operations manually, the company said, means having to bring on more workers at once, as it did until several years ago, until it put more automated operations into place.

"IT systems are impacted and Hydro is switching to manual operations where possible," the company reported on Tuesday.

Hydro said it's producing orders based on printouts of the orders that it already made and that it has sufficient information to fulfill at least the orders it was planning to produce Tuesday.

Hydro said all energy production and bauxite and alumina production is running normally. For its primary metal production, it said all plants in Norway as well as remelters are continuing to run normally, albeit "with [a] higher degree of manual operations," while all other primary plants abroad remain unaffected.

For the company's extruded solutions and rolled products, a "lack of ability to connect to the production systems is causing production challenges and temporary stoppage at several plants," it reported

Hydro said the situation is continuing to evolve. "Hydro is working to contain and neutralize the attack but does not yet know the full extent of the situation. It is too early to indicate the operational and financial impact, as well as timing to resolve the situation," it said. "Hydro is doing its utmost to limit the impact on customers."

Life After NotPetya

The attack against Hydro appears to mirror in some ways the outbreak of NotPetya malware in 2017. More than 12,000 organizations across at least 65 countries were affected by the outbreak, which crypto-locked their systems. But there appeared to be no way to decrypt affected devices.

Victims included TNT Express, Danish shipping giant Maersk, multinational law firm DLA Piper, British advertising firm WPP, Russian oil producer Rosneft, hospitals in the Heritage Valley Health System in Pennsylvania and U.S.-based pharmaceutical giant Merck. Many affected firms said the outbreak left them with a hefty recovery tab (see: FedEx Warns NotPetya Will 'Negatively Affect' Profits).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.co.uk, you agree to our use of cookies.