💰💣

Norsk Hydro Security Incident

March 19, 2019 2379 days ago Resolved

Incident Overview

Situation Description

Norsk Hydro experienced a crippling cyberattack involving the LockerGoga ransomware, which severely impacted its industrial and production systems.

Event Types

Ransomware Malware / Destructive Attack

Industry Sector

Manufacturing

Geographic Scope

National (Other)

Response Actions

Isolated Compromised Systems Took Systems or Services Offline Shared Threat Intelligence

Impact Analysis

Event Types (2 identified)

Ransomware Malware / Destructive Attack

Financial Impact

$0 USD

Records Affected

Data Types Compromised

Operational / System Data

Primary Impacts

Operational Disruption

Key Decisions Made

Norsk Hydro placed impacted industrial and production systems in manual operations mode to resume reduced operations.; Multiple Norwegian companies were targeted by the same entity responsible for the Hydro event, but thwarted attackers based on quick information sharing from Norsk Hydro with Norwegian authorities.; The LockerGoga ransomware variant used against Norsk Hydro had unique disruptive characteristics, potentially disabling network connectivity and forcing reboots after encryption.

Technical Analysis

Attack Method

Phishing

Threat Actor Attribution

LockerGoga FIN6

Vulnerability / Tool

Metasploit PowerShell Empire Cobalt Strike PSExec

Additional Information

Share This LinkedIn Twitter Facebook Email RSS This blog summarizes Principal Adversary Hunter Joe Slowik s whitepaper, Spyware Stealer Locker Wiper: LockerGoga Revisited. You can download the whitepaper here . LockerGoga ransomware severely impacted the Norwegian metals giant, Norsk Hydro, and provides a blueprint for malicious entities to weaponize ransomware variants for disruptive purposes. The Norsk Hydro event incorporated unique disruptive characteristics calling into question whether the attackers ever intended to decrypt systems after infection. Insufficient data exists to adequately disposition Norsk Hydro as a state-sponsored disruption event instead of a financially motivated criminal exercise. Ransomware has destructive capability, and repurposed ransomware may allow for nation-states to hide behind criminal activity and prevent victims from reporting incidents. LockerGoga first emerged in January 2019 with a ransomware event at French engineering company Altran Technologies. Instead of introducing a self-propagating file into the network, the Altran incident involved an extensive, interactive breach by an unknown entity leveraging publicly and commercially available tools, such as Metasploit, PowerShell Empire, Cobalt Strike, and PSExec, to move laterally through the network. LockerGoga encrypts all files outside Program Files and operating system directories. Attackers can hold an entire network hostage, negotiating for decryption of the entire victim space, rather than providing per-host decryption instructions through a set price and reference to a Bitcoin or related cryptocurrency wallet. Following events at Altran, there were no recorded or public sightings of LockerGoga until 19 March 2019 when Norwegian power and aluminum company, Norsk Hydro, faced a crippling cyberattack. Norsk Hydro was able to resume reduced operations by placing impacted industrial and production systems in manual operations mode. Reporting from the Norwegian CERT...

... (truncated for display)

Quick Facts

Company:: Norsk Hydro
Date:: March 19, 2019
Status:: Resolved
Decision Maker:: nan
Position:: nan
Published:: nan

Source Information

Original Query

Norsk Hydro official post-incident report LockerGoga recovery strategy

View Original Source

Timeline

Information Published

nan

Incident Occurred

March 19, 2019 (2379 days ago)

Status: Resolved

Estimated resolution based on age

Actions

View Company Profile

Navigation

Quick Stats