• Ransomware attack halts production plants of aluminum company Norsk Hydro

    22 March 2019

    Norsk Hydro, a Norwegian aluminum producer with global operations, was the target of a LockerGoga ransomware attack on March 19 that affected its IT network worldwide and impacted parts of its production. The Oslo-based company has since been working to contain the spread of the virus, which has forced it to shut down several metal extrusion and rolled products plants that transform aluminum ingots into components for the automotive, construction, and packaging industries. As of March 21, operations have not yet been fully restored despite successful attempts to isolate the virus. No timeline has been provided as to when operations would normalize.

    LockerGoga: a low-risk, high-danger malware

    The LockerGoga ransomware has proved to be a low-risk, high-danger piece of malware since its earliest manifestations. It previously appeared on January 24 in the systems of the French engineering consultancy firm Altran Technologies. Threat researchers saw an upload of the ransomware from the Netherlands during the same week, and clues in the name and email address suggested Romanian and/or Polish origin. The ransomware’s spread, which threatened Altran’s operations across Europe, forced the consultancy firm to shut down its network and applications, and maintain its digital presence at a bare minimum. The company’s systems were eventually restored within the same week.

    The attack on Norsk Hydro started in the United States and subsequently spread across its worldwide IT network overnight. The company then took measures to contain the virus by isolating its factories and switching to manual operations and procedures. On March 20, it succeeded in detecting the root cause of the problems and was said to be working on a plan to restart the company’s information technology systems in a safe and sound manner.

    Affected divisions serve a range of manufacturing industries

    As an integrated aluminum company, Norsk Hydro operates six business divisions, including alumina, primary metal, rolled products, and extruded solutions. Most of the company’s worldwide energy plants and smelters remained largely unaffected by the attack, but reverted to manual processes. However, its production plants for rolled aluminum and extruded solutions were temporarily shut down on March 19 and 20 due to an inability to connect to production systems. Norsk Hydro operates metal extrusion plants across multiple countries, including the United States, Canada, Germany, Denmark, and Norway.

    In Austria, media sources reported that production lines at Hydro Extrusion Nenzing were partially halted on March 20 and employees sent home. Some parts of the production were also said to have reverted to manual processes. Both affected divisions are critical to the company’s downstream operation, serving a range of industries with bespoke aluminum components. The rolled products segment primarily supplies customers in the automotive, packaging, and transport industries, while the extruded solutions division offers precision parts to the construction and aerospace industries. Some of the company’s automotive customers include Audi, Peugeot, and Citroen.

    Norsk Hydro expected to restart certain systems in both business divisions on March 20, which would allow for the continued deliveries to customers. As of March 21, the production of rolled products was reportedly running mostly at capacity, with only a few exceptions being reported. However, production capacity levels at its extruded solutions facilities dropped to only 50 percent as the company worked to restart some of the affected plants and utilized stock to keep supplying customers. In its latest update, the company was unable to provide a full overview of the timeline towards normal operations, while stating it was also too early to estimate the exact operational and financial impact.

    Norsk Hydro intends to restore systems from backup servers

    According to industry experts, the LockerGoga malware does not self-propagate, and will likely not go beyond Norsk Hydro’s internal network. The ransomware is said to differ from previous industrial cyber attacks such as WannaCry and Petya because the criminals target company networks and synchronize encryption across their geographical regions to demand ransom from the company. On March 20, Norsk Hydro stated that it did not plan to pay the hackers to restore files and would instead seek to restore its systems from backup servers, the only alternative to regain access to data and applications.

    Until this process is replicated across the company’s IT infrastructure, which may be a lengthy process given the reach and multitude of countries with systems infected, Norsk Hydro’s rolled products and extruded solutions units may continue to experience production stoppages, delaying customer deliveries across a wide range of manufacturing industries.

    If operations are not restored to at least manual processes, the extent of the production disruption may lead the company to declare force majeure. Those conducting business with Norsk Hydro should consult with their supply chain managers and IT professionals to formulate the most appropriate cyber risk defense measures.
