Norsk Hydro, a leading European aluminum producer with operations in more than 50 countries, was hit by the LockerGoga ransomware on March 18, 2019. The attack was far-reaching, with Norsk Hydro’s chief financial officer Eivind Kallevik sharing that “the entire worldwide network is down, affecting our production as well as our office operations.” As a result, production was halted at several of its plants for a short time. Luckily, production loss was minimal.
How Does LockerGoga Work?
It’s important to note that the initial attack vector isn’t currently known. Either somebody logged in with stolen admin credentials, or the network was entered through an exploited vulnerability. Although the second possibility may seem less likely (LockerGoga itself doesn’t appear to exploit any vulnerability), there’s still a chance that it was a payload dropped after an unrelated exploit. Until investigators identify how the first computer was compromised, it’s important not to rule out any potential attack vector.
How Did LockerGoga Spread Through Norsk Hydro?
The LockerGoga attack on Norsk Hydro started at one of the company’s U.S. plants, and the ransomware then spread via Norsk Hydro’s Active Directory. Active Directory is the Microsoft directory service used to manage the computers, users and other objects on a Windows network, allowing network admins to create and manage domains, users and objects. Whoever controls an organization’s Active Directory can reach every domain-joined machine, which in practice means control over the entire network.
LockerGoga was then transmitted to other Norsk Hydro facilities, affecting global production and office operations. After the attack was identified and contained, all employees were put on high alert — one image has been shared of a sign at their headquarters warning staff not to connect devices to the network.
At the time of writing, Norsk Hydro is still working on its recovery plan, but it appears to be restoring from backups rather than paying the ransom to decrypt the original files. The company hasn’t yet established a clear timeline for when it might be fully operational again, and until then it is back to manual processes.
LockerGoga and the Larger Trend
Although this attack may not have specifically targeted Norsk Hydro’s OT systems, the fact that traditional IT attack tactics like ransomware are disrupting OT should cause concern. The Norsk Hydro attack is only the latest entry in the growing history of cyberattacks affecting OT:
- The same ransomware, LockerGoga, was linked to an attack on the French technology consultancy Altran Technologies earlier this year.
- In 2018, exploits delivering OmniRAT malware targeted companies affiliated with Kuwait Oil Company in the Middle East, firms that likely also operate extensive OT networks given their role in the energy sector.
- Just before the New Year, Shamoon reared its head again, wiping the disks of hundreds of computers at the oil-services giant Saipem.
What Should Businesses With OT Networks Do?
To protect an OT network from this growing threat, organizations must first and foremost have good visibility into the OT environment: which assets are reachable, what risk each one carries, and how connections from the IT environment affect both. With that visibility, organizations should:
- Understand and improve network segmentation to isolate critical or vulnerable assets
- Prioritize patching of exposed or exploited vulnerabilities, limiting opportunities to deliver malicious payloads like LockerGoga
- Identify other security weaknesses such as overly permissive access or configuration issues
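Since the attack above used Active Directory to reach every plant, and a stolen admin credential is one of the two suspected entry routes, the third item on that list is best started in AD itself. The following PowerShell script is an added example, not code from the original post or from Norsk Hydro: it enumerates the members of the default privileged groups (the group names are the built-in defaults and are an assumption about the target domain), flags privileged accounts whose passwords never expire or that have not logged on in 90 days, and lists accounts that still carry the adminCount=1 marker although they are no longer in a privileged group. It requires the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the original post): audit of Active Directory
# privileged access. Assumes the RSAT ActiveDirectory module is installed
# and that the domain uses the default built-in group names below.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$staleCutoff      = (Get-Date).AddDays(-90)

# 1. Who can reach every domain-joined machine? Resolve nested membership
#    so that users hidden behind group-in-group chains are included.
$members = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [PSCustomObject]@{ Group = $group; SamAccountName = $_.SamAccountName }
        }
}

Write-Host "== Privileged group membership =="
$members | Sort-Object SamAccountName, Group | Format-Table -AutoSize

# 2. Privileged accounts that are easier to steal or harder to notice:
#    non-expiring passwords, and enabled accounts nobody has used in 90 days.
Write-Host "== Privileged account hygiene findings =="
$privilegedNames = $members.SamAccountName | Sort-Object -Unique
foreach ($name in $privilegedNames) {
    $user = Get-ADUser -Identity $name -Properties PasswordNeverExpires, LastLogonDate, Enabled
    if ($user.PasswordNeverExpires) {
        Write-Host "$name : password never expires"
    }
    if ($user.Enabled -and $user.LastLogonDate -and $user.LastLogonDate -lt $staleCutoff) {
        Write-Host "$name : enabled but no logon since $($user.LastLogonDate)"
    }
}

# 3. Accounts that were privileged at some point: AdminSDHolder sets
#    adminCount=1 and stops ACL inheritance, and neither is undone when the
#    account leaves the group. These are cleanup candidates, since their
#    permissions are often still broader than their current role needs.
Write-Host "== Formerly privileged accounts still flagged adminCount=1 =="
Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $_.SamAccountName -notin $privilegedNames } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

Run it from a domain-joined admin workstation; the output is a starting list for the "overly permissive access" review, not a verdict. Every account in the first section is one credential theft away from the Norsk Hydro scenario, so the practical follow-ups are shrinking that list, moving the remaining members to separate admin-only accounts that never log on to ordinary workstations, and rotating any password the second section reports as non-expiring.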