The attack towards Norsk Hydro ASA

The attack, which was apparently conducted using non-self-propagating LockerGoga ransomware³, hit 22,000 computers on 170 sites across the globe. Some analysts have suggested the entry vector to have been in Norsk Hydro’s site in the US, which would have enabled the perpetrator to bypass the Norwegian early warning system, VDI.⁴

According to the news reports the ransomware impacted the work of the entire workforce, including forcing the production lines to revert back into manual operations. Norsk Hydro refused paying the ransom and instead enrolled outside help for recovery support. In addition, they contacted the national authorities, including Norway’s National Investigation Service (Kripos) and the Norwegian National Security Authority (NSM), informing them about the attack. Sharing the information has helped authorities to dwarf similar attacks from taking place.⁵ Company’s response has also been applauded for its overall transparency, as the company has openly shared the information regarding the attack.⁶

Company’s latest update from November suggests that company has resumed normal operations, while an archived page snapshot from May indicated that company was still at that point forced to utilize manual operations and various workarounds in order to continue their business.⁷ All manual operations and workarounds increased the costs as processes were slower and not running as intended, while at the same time also decreasing the value creation, both impacting the bottom line. Additional costs from the attack were incurred as assets, such as computers, were lost and external consultation services were bought to support the company in its recovery effort.

The company estimated in its third quarter report the financial impact of the attack to be around 550-650 million NOK, or 54-64 million euros, on first half of 2019 with limited impact on figures on third quarter.⁸ The attackers had demanded ransom in bitcoins, but had not disclosed the sum they were after.⁹ While the company has reported to have a robust cyber insurance in place, by the end of third quarter Norsk Hydro reported that they have received only around 3 million euros, or roughly 5 percent of estimated costs and losses of the attack, in compensations from the insurers, including AIG. The company’s market capitalization, as calculated from company’s stock price, stands at the time of writing in 87 percent in comparison to the market capitalization figures prior the news about the attack started to make rounds in public realm.¹⁰

At this point, the attack appears to have been a criminal operation, where perpetrators had managed to gain and maintain an access to Norsk Hydro’s systems, widened their footprint while learning more about the IT landscape, and prepared for the launch of malware for a prolonged period of time. Even though a major event in itself as it stands, Norsk Hydro’s case could have been much worse, if the systems controlling the smelting process would have been rendered useless causing the solidification of metal and stopping the operations.¹¹

While nothing at this point links to a nation state actor, or their proxy operator, it is not farfetched to think how an attack like this could disrupt and damage nationally critical production lines at the time of impending crises, when the production would be need for example in support of national defense effort. Similarly, such attacks could be used in global competition to damage competitor’s reputation and ability to deliver products to their customers. This holds true particularly at times of heated geopolitical competition and economic warfare, like we currently have.

Lessons learned

• According to some sources, Norsk Hydro’s recovery process represents a gold standard among private sector companies with a global footprint. They reacted quickly and decided not to pay the ransom, they communicated clearly and transparently with the media and their investors, they quickly enrolled outside help to support in the recovery process and notified national authorities, and finally they successfully reverted back to manual operations where it was deemed necessary.
• All the above indicates a good level of preparedness, existing contingency plans, and series of exercises that have covered response to a cyber-attack. Sharing information with authorities prevented some similar attacks from taking place elsewhere. Norsk Hydro showed even a fair share of creativity in their response, as they called back some of their retirees to support with the manual operations.¹²
• The level of compensation from cyber insurance can be surprisingly low, in this case it is currently around 5 percent of the known damages and business losses. Compensation processes are also lengthy and resource consuming. Moreover, as the recent Merck case suggests, attacks considered to be terrorism or acts of war, like the notorious NotPetya case, may fall completely outside of insurance policy coverage.
• Criminal organizations do possess capabilities similar to nation state actors and can cause major damage to their targets and also to wider economy as the impacts and collateral damage ripple through the value chain.
• Global footprint of a company may lead into a situation, where matters such as local jurisdiction and export restrictions cause different geographic locations of the company to have varying levels of protection against cyber threats, while at the same time having access to same shared global IT infrastructure. Similarly, global footprint introduces the risk of becoming either a target, or collateral damage, for an attack having links to geopolitical competition.

Featured in Sectra Newsletter, December 2019