Global Aluminum Manufacturer Still Recovering From Ransomware Attack
Norway's Norsk Hydro, the company ensnared in one of the week's biggest stories – a ransomware attack that crippled its systems – is still in the process of recovering.
The aluminium maker took a step in the right direction on Wednesday when it was able to bring its website back online, a day after the attack, and provide users with an update on the incident.
New https://t.co/ooOMXewQvN launched: A bit earlier than planned, but we are now live with our new webpages!
From now on, this will be our primary communication channel regarding the cyber attack. Visit us at https://t.co/3v0P0gIt2o pic.twitter.com/yyItuweTTD
— Norsk Hydro (@NorskHydroASA) March 20, 2019
Until that point the company, which has a global presence but is largely based in Norway, was forced to issue updates on the attack via Facebook.
The company said Wednesday that in addition to its site being back online, its Energy plant and Bauxite and Alumina plants are running normally. Hydro’s primary metal and rolled product production centers are experiencing some challenges as a result of the cyberattack, however. The company's Extruded Solutions plants were also experiencing an inability to connect to the production systems following the attack.
Specifically, some plants are experiencing difficulty stemming from an inability to connect to the company's production systems. In lieu of that connectivity, the company said it has gone to manual operations at its primary metal plants.
In a press conference on Wednesday the company's Chief Financial Officer Eivind Kallevik lauded the company's quick turnaround.
"I'm pleased to see that we are making progress, and I'm impressed to see how colleagues worldwide are working around the clock with dedication to resolve this demanding situation and ensure safe and sound operations," Kallevik said, "I would also like to complement our external technical partners who have done an important job in supporting our efforts, and also relevant authorities, who handle the issue with the diligence it deserves."
In a disclosure to the Norwegian stock exchange, the company said there was no indication that plants outside of Norway were impacted by the attack. That statement that conflicts a report from Reuters, which earlier that day said that plants in Quatar and Brazil were affected and forced to operate manually.
The company, which called the attack "quite severe" on Tuesday, acknowledged the attack did force some of its plants, where metal is manufactured for cars and construction goods, to stop temporarily. After assessing the damage, the company says it isolated its plants and operations and switched to manual operations and procedures to mitigate further repercussions.
It's believed a relatively unknown strain of ransomware, LockerGoga, is responsible for the attack. NRK, a Norwegian government-owned radio and TV station, reported late Tuesday, citing NorCERT, that the ransomware was deployed by Active Directory. LockerGoga reportedly doesn't require a network connection or a command and control server. A sample of the malware was uploaded to VirusTotal by a user from Norway to very little anti-virus detection on Tuesday morning, perhaps indicating how it managed to
On Tuesday, Kallevik declined to say explicitly that LockerGoga was behind the attack.
The ransomware was last seen in January, when Altran Technologies, a French engineering consultancy, was purportedly hit by it. Altran, after contracting a third-party forensics team, said it didn't appear any of its clients had been affected by the ransomware and that no data was stolen or lost.
News of the attack first broke Tuesday morning after NRK relayed a message from the Norwegian National Centre for Cybersecurity that the company's IT systems were being held hostage.
A sign in the window at the company's headquarters that quickly went viral after the attack urged users not to connect devices to Hydro's network or to turn on any devices that are connected to the network.
The company told reporters at a press conference in Oslo on Tuesday that it intends to restore systems from backup data and that it has a cyber insurance policy. Kallevik also said the company doesn't have any further details on who the attackers may be or what their ransom demands may be.
The company said at the time it was working to contain and neutralize the attack. It also said - and continues to maintain - that it's too early to know when things will get completely back to normal.