AMM.com

How the Norsk Hydro cyberattack unfolded

Aug 22, 2019 | 04:00 AM | New York | Andrea Hotter


In March of this year, Norwegian aluminium producer Norsk Hydro was the victim of a cyberattack. Fastmarkets goes behind the scenes to find out how events unfolded, and what has happened since.

Hilde Merete Aasheim woke to the sound of the phone ringing. It was 4am in Oslo, and she had just been named as the new chief executive officer of Norsk Hydro.

What happened next can only be described as a baptism by fire for the Norwegian executive.

“It was Monday March 18, and my appointment as Norsk Hydro CEO had been announced that day. I read the media coverage and analyst reports before I went to bed and thought, ‘Okay, nobody really opposed that I was the new CEO,’” she tells Fastmarkets.

“I went to bed, and then at 4am on Tuesday March 19, the phone rang. I answered, and a voice said, ‘Hilde, we are under serious cyberattack. This is not an exercise. You had better come to work.’ I wondered, is this a joke, is someone testing me?” she says.

But it was neither a joke nor a test. Norsk Hydro was in the midst of the metals and mining industry’s first publicly disclosed cyberattack.

The first signs of the hack came a few hours earlier, when Norsk Hydro executives noticed computers in the company’s global network locking simultaneously.

A ransom demand message popped up on the screen: “Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decode it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data.”


[Image: the message sent by the hackers as a ransom note. Source: Norsk Hydro]

The message continued, giving Norsk Hydro instructions to send some encrypted files to two email addresses so the hackers could prove they were able to decrypt them. Payment in bitcoins was also demanded; the hackers didn’t specify how much, but said the cost would increase the longer Norsk Hydro waited.

The hackers even told the company to be “thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun”.

It was a relatively new strain of ransomware known as LockerGoga, which has been paralyzing industrial and manufacturing firms this year. It had already claimed French engineering consultancy Altran Technologies as a victim earlier in the year; US chemical firms Hexion and Momentive were both hit a few days after Norsk Hydro, although Momentive described the attack as a ‘global IT outage.’

Arriving at the company’s head office in Oslo, Aasheim immediately noticed how quiet it was. The company’s IT department had already taken the decision to try to contain the virus by shutting down Norsk Hydro’s servers and systems. The attack was global, impacting Norsk Hydro’s 170 sites and 35,000 employees around the world.

“We couldn’t use any computers. The only thing we had was paper and pen, and we had to put hand-written notices on the entry, stairs and lifts saying, ‘we are under attack, don’t use your PC.’ We couldn’t even print as our printers are connected to the servers,” Aasheim said.

Able to access email on their personal mobile phones, Norsk Hydro executives made signs saying “cyberattack” and took photos of them to send to the company’s network of offices and plants. Staff in those locations had to go to local printing shops in order to create the necessary notices to alert teams arriving at work.


[Image: notice informing staff of the cyberattack. Source: Norsk Hydro]

“We had included the potential for a cyberattack in our risk management and had done several training exercises, but you can’t imagine what it’s like until you’re in the midst of it,” Aasheim said. “You’re almost blindfolded. You have to be as prepared as possible and then you have to improvise along the way,” she added.

How it happened
It was immediately clear from its impact that the attack was highly sophisticated.

Eivind Kallevik, then chief financial officer and recently appointed head of primary metal, was placed in charge of the emergency response.

“While we don’t have any indication as to who was responsible, it was not a teenager sitting in a basement. Getting entry to our systems isn’t easy. It’s quite scary in terms of the time and resources the hackers used to build credentials and gain access,” he told Fastmarkets.

The hackers had chosen their patient zero months in advance: an email conversation with a Norsk Hydro customer. It was not a classic phishing scheme; incredibly, the malicious software was embedded in an attachment that Norsk Hydro would typically expect to receive as part of a legitimate email conversation with a known counterpart.

“It was a Trojan horse giving the attacker a foothold within our company IT infrastructure. It followed the typical pattern of ransomware attacks in that it had been in our systems for a while,” Kallevik said.

Once the attachment was opened, it gave the hackers access to the Norsk Hydro system. From that point on, the hackers worked their way into Active Directory, the service that identifies each employee by username and login and determines whether they are a legitimate member of the organization.

The hackers worked their way up until they had sufficient administrative rights to move around the Norsk Hydro system freely; at that point, they could even create new accounts. The virus was placed throughout the system and eventually launched by a piece of code.
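The chain Kallevik describes, an intruder climbing to administrative rights in Active Directory and then creating accounts of their own, leaves a trace in the directory’s own audit log. The script below is an added example written for this article, not code from Norsk Hydro or from the investigators, of a defender-side check for one link in that chain: an account that is created and then added to a privileged group within minutes. The event IDs 4720 (user account created) and 4728/4732/4756 (member added to a security-enabled group) are standard Windows Security log IDs; the account names, group names and timestamps in the sample records are constructed and do not come from the incident.

```python
from datetime import datetime

# Standard Windows Security log event IDs (documented Microsoft values).
EVENT_USER_CREATED = 4720               # "A user account was created"
EVENT_GROUP_ADDS = {4728, 4732, 4756}   # member added to global / local / universal group

# Groups whose membership hands over control of the directory or the host.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample records, as they might come out of a SIEM export. They are
# deliberately out of chronological order to show the sort step below.
SAMPLE_EVENTS = [
    {"time": "2019-03-18T22:05:42", "id": 4728, "actor": "svc_backup",
     "target": "opsadmin2", "group": "Domain Admins"},
    {"time": "2019-03-18T22:05:10", "id": 4720, "actor": "svc_backup",
     "target": "opsadmin2"},
    {"time": "2019-03-18T09:00:00", "id": 4720, "actor": "hr_admin",
     "target": "jdoe"},
    {"time": "2019-03-18T10:30:00", "id": 4732, "actor": "hr_admin",
     "target": "jdoe", "group": "Remote Desktop Users"},   # not a privileged group
    {"time": "2019-03-18T11:00:00", "id": 4728, "actor": "it_admin",
     "target": "jdoe", "group": "Domain Admins"},          # two hours after creation
]


def _ts(record):
    """Parse the ISO-8601 timestamp carried by a record."""
    return datetime.fromisoformat(record["time"])


def find_fast_privilege_grants(events, window_seconds=1800):
    """Flag accounts added to a privileged group within window_seconds of being created.

    Returns one finding per (account, group) pair. Events may arrive out of order,
    so they are sorted by time before the creation/grant pairing is done.
    """
    created = {}   # account name -> (creation time, actor who created it)
    findings = []
    for ev in sorted(events, key=_ts):
        when = _ts(ev)
        if ev["id"] == EVENT_USER_CREATED:
            created[ev["target"]] = (when, ev["actor"])
        elif ev["id"] in EVENT_GROUP_ADDS and ev.get("group") in PRIVILEGED_GROUPS:
            if ev["target"] not in created:
                continue    # creation not in this batch of logs; nothing to pair with
            created_at, creator = created[ev["target"]]
            delta = int((when - created_at).total_seconds())
            if 0 <= delta <= window_seconds:
                findings.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": creator,
                    "granted_by": ev["actor"],
                    "seconds_after_creation": delta,
                })
    return findings


if __name__ == "__main__":
    for finding in find_fast_privilege_grants(SAMPLE_EVENTS):
        print(finding)
```

With the default 30-minute window only `opsadmin2` is reported (created and promoted to Domain Admins 32 seconds apart by the same service account); `jdoe` is promoted two hours after creation and is only reported if the window is widened, which is the tuning knob a team would set against its own provisioning process.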

Production impact
By affecting the company’s ability to access its systems, the attack also impacted industrial production at some of Norsk Hydro’s sites.

Fortunately, the energy, bauxite and alumina businesses managed to run as normal, while the primary metal plants also continued as usual with a higher degree of manual operation. The inability to connect to the production systems had only a limited operational impact on the rolled products operations, which were mostly back to normal within a couple of days.

Badly affected, however, was Norsk Hydro’s extruded solutions business, which relies on highly specialized customer-specific data being fetched from the servers detailing what to produce. As a workaround, any orders that the company had access to on paper had to be manually punched into the systems. Once these were fulfilled, production had to stop.

Relying on manual processes is increasingly viewed as old-fashioned. But one member of the Norsk Hydro sales team at a plant in Belgium became an in-house hero when he revealed that he printed out every order and kept the pages in binders. Fortunately for his colleagues, this meant the plant could continue to produce throughout the crisis.

Other plants were not so lucky - some operations had to temporarily halt production from the outset. In some instances, stockpiles were used to service customer orders.

Extruded solutions was back at 85-90% capacity by April 12, but it took more than a month to achieve full operation.

“Sales staff worked on the shop floor, and retired former employees volunteered to come back and help because they knew how the old paper systems worked. There has been a lot of creativity in motion in order to keep the wheels going,” Kallevik said.

“We understand that for some customers, we’re a critical line of supply, but we appreciate the understanding they gave that we were doing everything that we could in the situation to fulfil orders,” he added.

Once the clean-up methodology was ready, Norsk Hydro staff took turns driving it to other company locations in their own cars to help clean up systems.

The financial impact of the cyberattack to date is estimated to have been NOK 300-350 million ($33-39 million) in the first quarter of 2019 and NOK 250-300 million in the second quarter.

What next
Norsk Hydro immediately took the decision not to pay the ransom and to go public with the news of the attack.

It reported it to Norway’s National Investigation Service (Kripos), which is a branch of the Norwegian police, working with other authorities including the Norwegian National Security Authority (NSM). The situation is still under investigation.

The forensic team - including technology providers - investigating the situation has remapped what happened, tracking backwards to see how the hackers moved around the system and confirming how sophisticated the attack was.

“The attack showed us the importance of being open. It’s only with cooperation with the police and learning from each other that we can start to build sufficient and valuable defenses against these attacks,” Kallevik said. “What we have seen and learnt is that there are significantly more companies being attacked successfully that are not being transparent about it afterwards,” he added.

According to Kallevik, if victims of cyberattacks do not share virus samples with the anti-virus companies, those companies are not able to build and adapt protections, leading to more companies than necessary being hit.

“We know from the police that, based on the information we provided and the fact we reported it, they had been able to prevent attacks on other companies that were being planned from happening,” he said.

Despite the effect on its business, not paying the ransom is the right choice, he believes.

“Hacking is a business on its own - if these criminal organizations have a return on their investments, they’ll continue to do it. Recovery from a cyberattack takes time.”

Although Norsk Hydro’s cyber defenses are industry standard, the company is not reticent about the likelihood of another attack in the future. For Aasheim, it is only a matter of time.

“We gained unique experience in the situation that the network was completely down, which you never will experience under normal operations. We had to rebuild from scratch, an opportunity we used to re-design and strengthen our systems,” Aasheim said. “We are sharing our experience as industry players will become victims of future cyberattacks, whether it is us or someone else,” she added.