Norsk Hydro, one of the world’s largest aluminum producers, has been forced to shut down several production plants across Europe and the US after a cyber attack rendered its IT systems unusable.
In a press release dated 19 March 2019, Norsk Hydro stated:
As communicated earlier today, March 19, Hydro has been subject to an extensive cyber-attack, impacting operations in several of the company’s business areas.
As a result of the “extensive cyber-attack”, Hydro is switching to manual operations and procedures as far as it is possible to do so.
It appears the cyber attack began in the US and was first detected late on Monday evening by the company’s IT team. The attack was in full force by Tuesday. The investigation into the attack is ongoing.
In a post on Facebook dated March 20, Norsk Hydro said:
Hydro has made progress in securing safe and stable operations across the company, following an extensive cyber-attack that hit on Tuesday.
Hydro’s technical team, with external support, has succeeded in detecting the root cause of the problems and is currently working to validate the plan and process to restart the company’s IT systems in a safe and sound manner. However, it is still not clear how long it might take to restore stable IT operations.
The Norsk Hydro systems were hit by a relatively new piece of malware known as LockerGoga.
LockerGoga is a ransomware strain that first made the news in January after it was reportedly used in a cyber attack on Altran Technologies, a French engineering consultancy firm. Once LockerGoga is installed on a system, it changes the passwords of the user accounts, locking users out of the system. It also attempts to forcibly log out any users who are logged in at the time of the attack. The malware then encrypts stored files. Once the files have been encrypted, the ransomware leaves a note in the form of a text file in the desktop folder.
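The password-changing step described above is something defenders can look for. The following is an added example, not part of the original article or any vendor tooling: it flags one account resetting the passwords of several other accounts on the same host within a short window. It relies on Windows Security event 4724 (password reset attempt); the CSV layout, host and account names, window and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security event 4724: "An attempt was made to reset an account's password".
RESET_EVENT_ID = 4724
WINDOW = timedelta(seconds=60)   # assumed correlation window
MIN_TARGETS = 3                  # assumed threshold: distinct accounts reset

# Constructed sample records (not real data): time,host,event_id,actor,target
SAMPLE_LOG = """\
2024-01-10T22:01:05,WS-014,4724,helpdesk1,jdoe
2024-01-10T23:40:10,WS-022,4724,svc_deploy,Administrator
2024-01-10T23:40:11,WS-022,4724,svc_deploy,alice
2024-01-10T23:40:11,WS-022,4724,svc_deploy,bob
2024-01-10T23:40:12,WS-022,4724,svc_deploy,carol
2024-01-10T23:40:13,WS-022,4634,alice,alice
2024-01-10T23:55:00,WS-014,4724,helpdesk1,msmith
"""

def parse(lines):
    """Yield (time, host, event_id, actor, target) from the constructed CSV format."""
    for line in filter(str.strip, lines.splitlines()):
        ts, host, eid, actor, target = line.strip().split(",")
        yield datetime.fromisoformat(ts), host, int(eid), actor, target

def detect_mass_resets(lines, window=WINDOW, min_targets=MIN_TARGETS):
    """Return one alert per (host, actor) that resets passwords for at least
    min_targets distinct accounts inside a sliding time window."""
    recent = defaultdict(deque)   # (host, actor) -> deque of (time, target)
    alerts = {}
    for ts, host, eid, actor, target in sorted(parse(lines)):
        if eid != RESET_EVENT_ID:
            continue              # e.g. 4634 logoff records are ignored here
        key = (host, actor)
        q = recent[key]
        q.append((ts, target))
        while ts - q[0][0] > window:   # drop resets older than the window
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= min_targets:
            if key not in alerts or len(targets) > len(alerts[key]["targets"]):
                alerts[key] = {"host": host, "actor": actor,
                               "targets": sorted(targets), "last_seen": ts}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_mass_resets(SAMPLE_LOG):
        print(alert)
```

Occasional help-desk resets stay below the threshold, while the burst of resets from a single account on one host is reported once with the full list of affected accounts.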
The note is typical of ransomware notes in that it asks for payment in Bitcoin in exchange for decrypting the system files. However, the note is somewhat wordier and more tongue-in-cheek than the usual ransom note. Whoever wrote the note seems to have a good command of the English language and its colloquialisms.
Below are some snippets from the ransom note:
There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun…
The payment has to be made in Bitcoins…
The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security…
Norsk Hydro CEO Eivind Kallevik described the situation as “quite severe” since the entire worldwide network is down, affecting production. Hydro has stated that it will attempt to restore its systems using backup data.