Ransomware Attack Hits Aluminum Producer Norsk Hydro
Brandon Workentin, ICS security engineer, Forescout
Norsk Hydro, one of the largest aluminum producers in the world, has been the victim of a malware outbreak and ransomware attack (1) which has affected its operations worldwide, illustrating how cyber is becoming physical.
Cyberattacks and ransomware outbreaks can cause costly disruption and push organisations to manual processes for business continuity, which is especially impactful to operations that span diverse, multi-campus operational technology (OT) environments such as Hydro’s.
Hydro is involved in all parts of the aluminum manufacturing process, from refining to manufacturing of products used in construction and industry. News of the cyberattack was released publicly on Tuesday morning, when the company’s main web page was used to announce the impact on the business.
Hydro has been forced to switch to manual operations at many sites although some locations, such as their hydroelectric dams, have been able to continue to function, as they were apparently not connected to the main corporate networks which were affected by the ransomware attack. Hydro said that aluminum plants in South America and the Middle East were not affected by the ransomware attack.
First, Hydro should be commended for their efforts to share information about the attack and the effects it has had. The company has been working with the Norwegian National Security Authority (NNSA), the state agency in charge of cybersecurity, and both the NNSA and Hydro have been willing to share information about the situation. The NNSA has said that the attack involved the LockerGoga family of ransomware (2), and Hydro’s CFO, Eivind Kallevik, gave a news conference to discuss the financial impact of the attack and the company’s efforts to contain and remediate it. By quickly working with the governmental authorities, Hydro has allowed information to be shared with other companies, and it is likely that the NNSA has been able to share even more detailed information with other private companies through private channels.
NorCert (Norway’s National Computer Emergency Response Team) stated in an announcement about the attack that the perpetrators used Windows Active Directory (AD) to spread the ransomware, however, this statement is not confirmed (3).
If the attackers were able to compromise a system to gain Domain Admin access, the LockerGoga ransomware could have been propagated domain-wide using a forced GPO (Group Policy Object) update. What is certain is that there is no C2, DNS, or propagation methods used by the malware (as per available research) (4). LockerGoga can only be used as part of targeted attacks, as it must be deployed by an attacker who already has admin access.
Attackers can gain admin access to sites in a variety of ways. One common approach could be to procure remote desktop protocol credentials. Using RDP gives attackers remote access to an organisation’s network, which they may spend weeks or months studying and raiding for sensitive data, before finishing with a ransomware (5).
What does this mean for me? What should I do?
First, consider whether you have reasonable level of cyber hygiene. This includes taking actions such as:
- avoiding opening links or attachments from suspicious emails or senders
- continuously re-evaluating security practices
- being careful when connecting anything to your network, including third-party contractor’s laptops during maintenance or configuration activity and monitor their activity to ensure they do not introduce the threat in the network
- planning a backup strategy, should your network be compromised.
Because of the characteristics of this malware, it is difficult to catch it on the network through the usual means like Yara rules or signatures since several endpoint protection systems have failed to recognise it. The use of behavioral analysis techniques is crucial to identify precursor and attack activity to effectively mitigate any potential damage. In the case of LockerGoga, Forescout can identify several malicious activities and speed up incident response.
Our solution’s behavioural analysis engines automatically create an inventory of active network assets and cross-network flows, detect exploitation attempts and cyberattacks, and identify existing and emerging security threats in the network. In particular, the self-learning network analysis engine can detect unforeseen changes in the network communication behaviors, such as unforeseen connections or anomalous network logins, helping to detect the attack before it spreads.
A ransomware attack such as LockerGoga is traditionally an IT (information technology) event. The people who run industrial control systems (ICS) have not traditionally needed to address these types of IT problems. However, as plants become more interconnected, IT and ICS can no longer be looked at as two separate domains. As we have repeatedly seen, IT-focused malware such as WannaCry, EternalBlue, and now LockerGoga have increasingly caused impacts to OT networks. While Hydro says that they have been able to switch to manual operations, in many cases, a manufacturing plant, or any other ICS network, which is run using automated systems will not be able to be run as efficiently or as safely under manual operation. Since IT cyber events can negatively impact plant operations, it is important to have a security program which is holistically focused on the entire organisation, not just on IT networks or just on ICS networks. Device visibility is the first step towards developing an IT/OT converged cybersecurity program to enable rapid detection and response in case of an attack.
If you’re interested in learning more about how to successfully integrate your IT and ICS cybersecurity programs, and how improving your device visibility and control will enable you to reduce both IT malware andICS operational risks, you can watch our webinar on the impact of IT/OT convergence to your business.