
Norsk Hydro hit by ransomware attack, had to run factories in manual.

Mihle

Update about this that came out Friday:

https://www.nrk.no/norge/slik-fungerer-losepengeviruset-som-rammet-hydro-1.14481782

 

I was wrong that the systems were up and running at the time I posted this thread. As of Friday, their systems were still down (except their website), but they know they can fix it from backup; they just want to do it in a controlled manner to make sure they don't do anything wrong, and also to make sure it can be analyzed. So it takes time. There are probably also a lot of machines affected.

(I am probably quoting more than I usually would, but it's in Norwegian, and because the news site is basically government owned and doesn't do ads anyway, it is probably fine. If not, just say so and I can edit.)

Quote

So far, there seems to be no evidence that the virus has the ability to spread to other networks on its own, as the well-known virus WannaCry could.
 

The code in the virus was signed with valid security certificates, which may cause the system to let it in. These have now been revoked. It also does not use network traffic.
 

The virus is said to have a function that makes it "sleep" at least 100 times before it starts. This makes it harder for programs that are supposed to detect such viruses to catch it.

So basically, no anti-virus knew how to detect and stop it yet.
It was not designed to steal information.

Quote

Rik Ferguson, who is vice president of the security department of Trend Micro, says he does not know about LockerGoga attacks against anyone other than Hydro and Altran.

Quote

"We are far from knowing where it comes from. There remains a lot of work, and tracking is always the hardest thing to do," he says.
 

Ferguson describes the virus as very precise. It requires access to an administrator account, which the hackers may have acquired in several ways. Typical procedures are emails with attachments or links that install the virus if the recipient opens them.

 

Quote

The attack on Hydro is combined with an attack on Active Directory, which is Microsoft's directory service for user and machine administration.

 

Quote

"The attackers know what they are doing. This is well-organized extortion," Beaumont writes.

He also pointed out that the message from the hackers is very similar to the one that came with the Ryuk virus, although the viruses are different. The people behind this virus, according to Forbes, have taken in $4 million in ransom.

The traces of Ryuk are said to point to Russia and former Soviet states, but it has not been possible to identify the hackers.

That doesn't mean it has to be the same people; it could just be someone with access to the code of Ryuk who took that and edited it, but who knows.

Some speculated that the main goal was not to get Hydro to pay, but to affect their stock price and earn money that way, but who knows. Hydro's stock wasn't actually affected that much; it could have been if Hydro had been affected more...

I wish no one ever paid the ransom and everyone had a system that made them not need to, but sadly that's not the case and probably never will be.

If you don't know, Norsk Hydro (Norwegian Hydro, translated) is one of the world's biggest aluminium producers, with 35,000 people in 40 countries. It's 34.26% owned by the Norwegian Government.

Quote

On Tuesday, the Norwegian company Norsk Hydro reported that its global IT systems had been hit with a strain of ransomware. "The situation for Hydro through this is quite severe," said company chief financial officer Eivind Kallevik in a press conference.

"The entire worldwide network is down, affecting our production as well as our office operations," he added.

-PCMag

The result is that they had to run factories in a higher degree of manual operation, and ditch their workstations for smartphones and tablets, as those weren't affected.

Quote

He added that digital systems at Hydro's main smelting plants were programmed to ensure machinery worked efficiently.

However, these systems had had to be turned off at some of the facilities.

-BBC

By "manual", they probably just mean the automatic communication between different sites and factories that makes things more efficient, because the PLCs and such were not affected.
That probably means those doing it did not aim to, or did not have the expertise to, do more damage; they most likely just wanted to get some money.
They did choose to keep some of the (smaller) factories offline instead of running them in "manual", though.

From what I can find, it affected their factories in the US and Europe, but not those in other countries.

Quote

Although Norsk Hydro didn't name the ransomware strain, local media has been reporting that the LockerGoga strain was responsible for the attack and may have spread over Microsoft's Active Directory software, which is available on the Windows Server OS.

LockerGoga is a relatively new ransomware strain, but it may have been used to attack another company called Altran Technologies back in January. How the ransomware first infected Norsk Hydro isn't totally clear. But hackers can often launch the attacks via phishing emails or by exploiting a vulnerability in a company web server.

-PCMag

Their website also went down.

The attack originated in their systems in the US.
At this time, as far as I know, their systems and website are back up and running.
They did not pay the ransom; they were able to restore the systems from backups because of "good backup systems and routines".
Norway's state cyber-security agency was/is helping them deal with it.

It is now under investigation by PST (Police Security Service), Kripos (National Criminal Investigation Service), E-tjenesten (Intelligence Service) and Europol.

My opinion:
I wish things like this wouldn't happen, but they do; that's the world we live in.
It's really good that they had good backup systems they could use to restore the systems without paying the ransom, but maybe their systems, routines and training of employees weren't good enough to stop it. (It would never be good enough for every possible situation, but still.)
Maybe someone there opened the wrong email or whatever?

Edit: See Update marked as answer

Sources: (keep in mind that some of them were written yesterday when it was still ongoing)
https://www.pcmag.com/news/367274/ransomware-attack-disrupts-major-aluminum-producer
https://www.bbc.com/news/technology-47624207

(And Some Norwegian:)
https://www.digi.no/artikler/hydro-jobber-med-a-noytralisere-angrepet-bekrefter-at-pc-parken-er-slatt-ut-av-kryptovirus/460820
https://www.digi.no/artikler/pst-europol-kripos-nsm-og-e-tjenesten-jobber-pa-spreng-for-a-finne-de-skyldige-etter-hydro-angrepet/460859

“Remember to look up at the stars and not down at your feet. Try to make sense of what you see and wonder about what makes the universe exist. Be curious. And however difficult life may seem, there is always something you can do and succeed at. 
It matters that you don't just give up.”

-Stephen Hawking


Someone was on a site that they shouldn't have been, or they opened up the wrong set of emails. Gotta teach everyone about internet safety. There is a very minimal chance this came from a direct attack vector and was injected into their systems, but it is a possibility.


2 minutes ago, Shimejii said:

Someone was on a site that they shouldn't have been, or they opened up the wrong set of emails. Gotta teach everyone about internet safety. There is a very minimal chance this came from a direct attack vector and was injected into their systems, but it is a possibility.

I think it's more likely that someone opened the wrong email than went to the wrong website.


2 hours ago, Shimejii said:

Someone was on a site that they shouldn't have been, or they opened up the wrong set of emails. Gotta teach everyone about internet safety. There is a very minimal chance this came from a direct attack vector and was injected into their systems, but it is a possibility.

 

2 hours ago, Mihle said:

I think it's more likely that someone opened the wrong email than went to the wrong website.

We have had a massive increase in dodgy emails coming through this year, and based off what other people are saying on r/sysadmin it seems this is happening in many places. Seems like it was only a matter of time; people are just unfortunately quite unwilling to learn.

cpu: intel i5 4670k @ 4.5ghz Ram: G skill ares 2x4gb 2166mhz cl10 Gpu: GTX 680 liquid cooled cpu cooler: Raijintek ereboss Mobo: gigabyte z87x ud5h psu: cm gx650 bronze Case: Zalman Z9 plus


Listen if you care.

Cpu: intel i7 4770k @ 4.2ghz Ram: G skill  ripjaws 2x4gb Gpu: nvidia gtx 970 cpu cooler: akasa venom voodoo Mobo: G1.Sniper Z6 Psu: XFX proseries 650w Case: Zalman H1


You'd think most of these computers should have anti-virus installed.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


11 hours ago, PrinceNorris said:

inb4 McDonald's gets attacked by WannaFry.

"Fix your ice cream machine or else."


11 minutes ago, williamcll said:

You'd think most of these computers should have anti-virus installed.

From what I read in one place, they did. But the ransomware was not detected because it was a new one that hasn't been used that much (seen for the first time in January). But don't quote me, as I haven't seen a confirmation of that.


This means two things to me:

 

1. Companies should be investing a little bit more in backups and malware mitigation.

2. It should be internationally illegal for any company to pay a ransom.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


2 hours ago, williamcll said:

You'd think most of these computers should have anti-virus installed.

Lol, best case scenario here is a trial version of McAfee. Usually it's Windows Defender.


1 hour ago, Dogeystyle said:

McAfee

Some would say that, and other AV software, are much like ransomware. At least the pre-installed trial nag ones.

 

The only thing worse is the in store sales people that push you to buy those expensive AV software bundles.

 

Side note: Very, very few AV products can actually do much about ransomware; new variants come out so quickly. The only ones that can are those that look at file access behavior and cut off anything making sweeping modifications to files while keeping them in the same location. Funnily enough, one of the best at that is Windows Defender; it's just not enabled by default. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard

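The behaviour-based approach leadeater describes in the post above, as an added example that is not code from the thread, from Microsoft or from any AV vendor: a toy detector that watches a stream of file-write events and flags a process that rewrites many distinct existing files in place with high-entropy (encrypted-looking) content inside a short window, rather than matching a signature. The event format, the thresholds (20 distinct files inside 10 seconds, entropy above 7 bits per byte) and the sample event stream are all constructed assumptions for illustration; a real implementation would take its events from a file-system filter driver or an audit framework.

```python
"""Behaviour-based ransomware heuristic (added example, not code from the
thread, Microsoft or any AV vendor).

Instead of matching a signature, watch file-write behaviour and flag a
process that rewrites many distinct existing files in place with
high-entropy (encrypted-looking) content inside a short window. All event
data and thresholds below are constructed assumptions for illustration.
"""
from __future__ import annotations

import math
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class WriteEvent:
    """One observed write, as a file-system monitor would report it (assumed format)."""
    ts: float        # seconds since monitoring started
    pid: int         # writing process
    path: str        # target file
    existed: bool    # True if the file existed before the write (in-place rewrite)
    data: bytes      # sample of the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, English text near 4 to 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RewriteBurstDetector:
    """Flag a process that rewrites >= max_rewrites distinct existing files
    with high-entropy content inside a sliding window of window_s seconds.
    Threshold values are illustrative assumptions, not any product's settings."""

    def __init__(self, window_s: float = 10.0, max_rewrites: int = 20,
                 entropy_threshold: float = 7.0) -> None:
        self.window_s = window_s
        self.max_rewrites = max_rewrites
        self.entropy_threshold = entropy_threshold
        self._recent: dict[int, deque] = defaultdict(deque)  # pid -> (ts, path)
        self.blocked: set[int] = set()

    def observe(self, ev: WriteEvent) -> bool:
        """Return True when the write should be denied (its process is flagged)."""
        if ev.pid in self.blocked:
            return True
        # Only in-place rewrites of encrypted-looking data count toward the burst;
        # creating new files or saving plain documents is normal behaviour.
        if not ev.existed or shannon_entropy(ev.data) < self.entropy_threshold:
            return False
        window = self._recent[ev.pid]
        window.append((ev.ts, ev.path))
        while window and ev.ts - window[0][0] > self.window_s:
            window.popleft()
        distinct_files = {path for _, path in window}
        if len(distinct_files) >= self.max_rewrites:
            self.blocked.add(ev.pid)
            return True
        return False


def build_sample_events() -> list[WriteEvent]:
    """Constructed event stream: a word processor saving one document, an
    archiver writing one new file, and an encryptor sweeping a share."""
    text = b"Quarterly smelter throughput report, revision 3. " * 20
    ciphertext = bytes(range(256)) * 4          # uniform bytes, entropy exactly 8.0
    events = []
    for i in range(30):                         # pid 1001: same document, low entropy
        events.append(WriteEvent(i * 0.5, 1001, r"\\share\docs\report.docx", True, text))
    events.append(WriteEvent(3.0, 2002, r"\\share\docs\archive.zip", False, ciphertext))
    for i in range(40):                         # pid 4242: 40 existing files in 4 s
        events.append(WriteEvent(5.0 + i * 0.1, 4242, rf"\\share\docs\file{i:03d}.xlsx",
                                 True, ciphertext))
    return sorted(events, key=lambda e: e.ts)


def run_detector(events: list[WriteEvent],
                 detector: Optional[RewriteBurstDetector] = None) -> dict:
    """Feed events through the detector; report flagged pids and denied writes."""
    detector = detector or RewriteBurstDetector()
    denied = sum(1 for ev in events if detector.observe(ev))
    return {"flagged_pids": sorted(detector.blocked), "denied_writes": denied}


if __name__ == "__main__":
    print(run_detector(build_sample_events()))
```

Run it directly to see the encryptor's pid flagged on its 20th distinct file and every write after that denied, while the word processor saving the same document over and over and the archiver writing a single new file are left alone. The productised form of this idea is what the linked Controlled Folder Access feature does; on a Windows host it is switched on with `Set-MpPreference -EnableControlledFolderAccess Enabled`, or with `AuditMode` first to log what it would block before actually blocking.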


On 3/21/2019 at 9:40 PM, leadeater said:

Some would say that, and other AV software, are much like ransomware. At least the pre-installed trial nag ones.

 

The only thing worse is the in store sales people that push you to buy those expensive AV software bundles.

 

Side note: Very, very few AV products can actually do much about ransomware; new variants come out so quickly. The only ones that can are those that look at file access behavior and cut off anything making sweeping modifications to files while keeping them in the same location. Funnily enough, one of the best at that is Windows Defender; it's just not enabled by default. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard

 

SHHHhhhh!! If you go telling people an MS product actually has a feature that is good and not really available anywhere else, you might cause someone's panties to bunch up and cut off circulation to their nerd sack.


I don't understand why large companies can't spend the extra cash to keep their businesses safe from these attacks. Spending $1M to keep your business safe from attackers would be a no-brainer. But of course most directors/owners do not have a single clue when it comes to technology.

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

 

 


47 minutes ago, Abdul201588 said:

I don't understand why large companies can't spend the extra cash to keep their businesses safe from these attacks. Spending $1M to keep your business safe from attackers would be a no-brainer. But of course most directors/owners do not have a single clue when it comes to technology.

In this case, they did have a system for it, but it might just not be ideal. No data is lost; systems have just been down for a few days.... The main method to defend against this is probably just teaching employees enough to not give away info or click on the wrong email, or not opening emails at all on the same network (but that might not be ideal at all).

 

No antivirus would have helped in this situation from what people are saying.

 

What else could they have done? I am curious as I don't really know much about this.


29 minutes ago, Mihle said:

In this case, they did have a system for it, but it might just not be ideal. No data is lost; systems have just been down for a few days.... The main method to defend against this is probably just teaching employees enough to not give away info or click on the wrong email, or not opening emails at all on the same network (but that might not be ideal at all).

 

No antivirus would have helped in this situation from what people are saying.

 

What else could they have done? I am curious as I don't really know much about this.

They probably have a system, but it's probably old and outdated. As a Desktop/Networking Engineer, I see that people will access their personal emails at work. You can't do anything about it, since there are no restrictions. I've had cases where people open fake emails that slip through the spam filter; they open it and it's a virus. We have to disable their account, take out the HDD/SSD and wipe it, which takes so many hours. Then we have to access their emails to make sure nothing else was sent. It's a headache.

 

The problem with training is that it costs a lot of money and time. I'm guessing if a company can afford it, then they should do it.

 

To fix this is no easy task; you need to take a big-picture view and see what other problems they face within their network. Ransomware is one of many things that can affect companies. As I mentioned, they probably have a system, but it's probably old and outdated. For example, companies that deal with a high level of security and sensitive information need to be on the highest level of security. For example, companies that issue SSL certificates, such as DigiCert, Sectigo, Entrust and many more, have to go through so many security and audit checks to make sure that nothing is broken. To get audited by big companies like KPMG or PwC costs in the tens of thousands, if not more. They take security VERY seriously. It's a shame that companies just overlook the basics. Yes, it does cost a lot of money, but why put your company at risk if you're not careful? For example, talking about companies that issue SSL certificates: Equifax had a MASSIVE data breach. Sources: https://www.thesslstore.com/blog/equifax-data-breach-total-data-lost-the-final-count/

https://www.thesslstore.com/blog/the-equifax-data-breach-went-undetected-for-76-days-because-of-an-expired-certificate/

Anyway, they issued SSL certificates for their smart cards and other stuff. What happened was that an SSL certificate had expired; the attackers accessed the databases and stole MILLIONS of records.

 

They didn't take their security seriously and it cost them BIG TIME.


1 hour ago, Abdul201588 said:

They probably have a system, but it's probably old and outdated. As a Desktop/Networking Engineer, I see that people will access their personal emails at work. You can't do anything about it, since there are no restrictions. I've had cases where people open fake emails that slip through the spam filter; they open it and it's a virus. We have to disable their account, take out the HDD/SSD and wipe it, which takes so many hours. Then we have to access their emails to make sure nothing else was sent. It's a headache.

 

The problem with training is that it costs a lot of money and time. I'm guessing if a company can afford it, then they should do it.

 

To fix this is no easy task; you need to take a big-picture view and see what other problems they face within their network. Ransomware is one of many things that can affect companies. As I mentioned, they probably have a system, but it's probably old and outdated. For example, companies that deal with a high level of security and sensitive information need to be on the highest level of security. For example, companies that issue SSL certificates, such as DigiCert, Sectigo, Entrust and many more, have to go through so many security and audit checks to make sure that nothing is broken. To get audited by big companies like KPMG or PwC costs in the tens of thousands, if not more. They take security VERY seriously. It's a shame that companies just overlook the basics. Yes, it does cost a lot of money, but why put your company at risk if you're not careful? For example, talking about companies that issue SSL certificates: Equifax had a MASSIVE data breach. Sources: https://www.thesslstore.com/blog/equifax-data-breach-total-data-lost-the-final-count/

https://www.thesslstore.com/blog/the-equifax-data-breach-went-undetected-for-76-days-because-of-an-expired-certificate/

Anyway, they issued SSL certificates for their smart cards and other stuff. What happened was that an SSL certificate had expired; the attackers accessed the databases and stole MILLIONS of records.

 

They didn't take their security seriously and it cost them BIG TIME.

The good news is that Hydro doesn't do business with private individuals, nor provide technical services to other companies. They just produce aluminium and aluminium parts.

 

What their system is actually like, and how it would have gone if it wasn't just ransomware, we don't know, but at least they have an offline backup system; there are companies that don't even have that, that only have online backup.


5 minutes ago, Mihle said:

What their system is actually like, and how it would have gone if it wasn't just ransomware, we don't know, but at least they have an offline backup system; there are companies that don't even have that, that only have online backup.

I do realise that they work with aluminium, but the story is how they can't keep their network secure. What I mentioned is different. But consider the idea of a large business that does deal with other customers and businesses. Let's say that other information got taken; what then? It's sometimes difficult for companies to upgrade, as the hardware just works, or the systems in place are not doing the job correctly.
