perm_phone_msgConsider your business risks? Chat With US

Hackers hit Norsk Hydro with ransomware. The company responded with transparency | Transform

Ransomware BCyber todayJanuary 26, 2020 28

share close

“We may be under attack,” said his IT colleague at Norsk Hydro, one of the world’s largest aluminum companies. Production lines had stopped at some of its 170 plants. Other facilities were switching from computer to manual operations.

After hanging up, Gimnes Are, corporate information security officer at Norsk Hydro, immediately phoned the company’s emergency preparedness chief to organize an urgent meeting later that morning.

At the emergency meeting, Norsk Hydro executives made three swift decisions: They would pay no ransom, they would summon Microsoft’s cybersecurity team to help restore operations and they would be fully open about the breach.

The case was designated “maximum severity,” says Jim Moeller, a DART member and a specialist in cyberattack response. He was dispatched to a small city near Budapest, Hungary, home to one of Norsk Hydro’s largest aluminum manufacturing plants. Production there was offline.

“They equipped it with a payload to install a Trojan software on the PC of the Hydro employee,” Gimnes Are says. “This Trojan software was discovered by our antivirus a few days later. But that was already too late. By then, the attacker had built an initial foothold in our system.”

“Once the attacker controlled the environment, they chose to deploy ransomware via a manual push from (Norsk Hydro’s) own domain controllers,” Moeller says.

But Norsk Hydro was not about to pay a single bitcoin to the hackers or negotiate to recover the locked files. Instead, they opted to restore their data through trusted back-up servers.

“What would you get from paying a ransom in such an attack?” Gimnes Are asks. “You will potentially get back your encrypted data – if the attacker gives you the key. Paying the ransom would not help you to rebuild the company infrastructure, all the servers, all the PCs, all the networks.

“Paying the ransom will not help you out of the situation. You will need to rebuild your infrastructure to be safe and be sure that the attacker is not still part of it,” he adds.

At Microsoft, Eric Doerr serves as general manager of the Microsoft Security Response Center, which protects customers from being harmed by security vulnerabilities in Microsoft’s products and services. The center also rapidly repulses attacks against the Microsoft Cloud. Doerr strongly promotes transparency among organizations that suffer cyberattacks.

“Norsk Hydro set the example for the industry in this incident,” Doerr says.

“Choosing not to pay the ransom and digging in with DART to evict the attacker is great. Sharing those learnings with the world is priceless. When companies do this, it makes us all better and makes the attackers work harder,” he adds.

Of course, some companies facing a ransomware attack may be highly tempted to pay bad actors to regain their hijacked data. But paying hackers doesn’t guarantee that a company will ever recover the goods, says Ann Johnson, Microsoft’s corporate vice president of cybersecurity solutions.

There’s a smarter way – following the plan executed by Norsk Hydro, says Johnson, whose team oversees DART.

“Your data is a strategic asset for you, and for cybercriminals. That’s why they want it. It is also why your data must be protected, and it should be backed up,” Johnson says.

At the same time, companies must invest in cybersecurity, she adds.

At Norsk Hydro, for example, the IT department works to increase security awareness among its employees, says Molland, the media relations SVP. That includes sending workers test emails to help train them to look for common phishing tactics like fake login pages and malicious attachments.

If companies fail to commit to cybersecurity, Johnson warns, bad actors will become repeat customers.

“You’ve likely seen signs that read, ‘Don’t feed the birds,’ when dining at an outdoor café. That’s because the birds will keep returning to the same places where they know it’s easy to be fed. It’s the same concept for cybercriminals,” Johnson says. “They know if you have weak cyber-defenses, and they will want to exploit those weaknesses over-and-over.

“The best defense is to ensure you have the right combination of people, processes and technology. We recommend you implement multifactor authentication, have a mature update process, and back up your data,” she adds.

Two Norsk Hydro workers work their way through the cyberattack using paper data.
At a Norsk Hydro extrusion plant in Norway, sales project manager Rune Johansen and extrusion anodizing fabrication manager Sten Stolpe dig through paper documentation to manually complete customer orders during the cyberattack.

In Hungary and Norway last March, DART members helped Norsk Hydro develop safe processes to restore their servers with an improved security posture. They also educated the company about the current threat landscape and known attacker behaviors to help reduce the risk of future attacks, Moeller says.

Inside Norsk Hydro, the internal response focused on multiple fronts. They launched old-school methods to resume full production and repair business operations. And they worked to protect the safety of employees and the environment.

“We operate heavy machinery. If the power is lost in an uncontrolled manner, it could risk severe safety incidents for people,” says Molland, the media relations SVP.

“Safety is always first priority with us. Secondly, it’s the concern for the environment and ensuring we don’t have any uncontrolled emissions (due to sudden machine stoppages) out to the air, land or water.”

Executives handwrote signs warning of the cyberattack, photographed them with their smart phones and texted the images to managers at Norsk Hydro plants and offices around the world. At those facilities, the staff used local printing shops to create paper signs, posting them on entryways, stairwells and elevators for employees to read as they arrived for the workday.

“Please do not connect any devices to the Hydro network. Do not turn on any devices connected to the Hydro network. Please disconnect devices from the Hydro network,” read some written alerts that also carried a simple signature: “Security.”

Two Norsk Hydro workers use pen and paper to restore production amid the cyberattack.
Two workers at a Norsk Hydro plant in Portland, Oregon manually operate machines to produce specific customer orders during the initial phase of the cyberattack.

The entire workforce did their jobs with pen and paper during the attack’s first days. Some plants switched to manual procedures to meet manufacturing orders. Retired employees – familiar with the old paper system – volunteered to return to their plants to keep production rolling.

“The way we pulled together to make the company come through the situation in one piece and get back into production has been an extreme team-building session,” Molland says.

“We have an organized emergency preparedness methodology within the company – in the corporate level, in the business area and at the plant level,” he adds. “That worked to our benefit. When this hit us, we were able to handle the situation in a constructive, organized manner.”

In other words, prevention is important but locking out all cyberattackers should not be a company’s sole security focus, says Jo De Vliegher, Norsk Hydro’s chief information officer.

“If hackers want to get in, they will get in,” De Vliegher says. “We now have an improved incident response to make sure that – should something similar happen – we are much better equipped to limit the damage in time and geography.”

Norsk Hydro reported the incident to Norway’s National Criminal Investigation Service (Kripos). The case remains under investigation, Molland says.

Video and photos courtesy of Norsk Hydro. 

This content was originally published here.

Written by: BCyber

Rate it
Previous post

Similar posts

Ransomware BCyber / October 19, 2020

Ad-light, Malware-heavy # Chris Dzombak

Ad-light, Malware-heavy Since December 17, Forbes has been running an experiment wherein some fraction of visitors who are running ad blockers are blocked from accessing Forbes articles until they disable their ad blocker. In exchange, Forbes promises an “ad-light experience”: A Forbes article published yesterday claims that this interstitial resulted in 42.4% of visitors turning ...

Read more trending_flat