Aluminum giant Hydro hit by ransomware

Industrial Norwegian giant Hydro hit by ransomware — security incident analysis.

Aluminum giant Hydro hit by ransomware

During the last several years we have described multiple incidents with ransomware targeting organizations such as hospitals, municipal transit, or even government computers for an entire county. Then came the age of the wipers, with epidemics of WannaCry, ExPetr, and Bad Rabbit spreading through the world and ruining operations for numerous businesses.

Fortunately, we saw no events at that scale during the past 12 months, but that’s not because malefactors gave up. On March 19, Norwegian aluminum production giant Hydro announced that it was hit with ransomware that affected the whole company.

The attack on Hydro: What happened

Hydro’s security team first noticed some unusual activity on the company’s servers at midnight, the spokesperson for Hydro said during the press conference. They saw that the infection was spreading and tried to contain it. They succeeded only partially; by the time they isolated the plants, their global network was infected. Hydro didn’t comment on the number of computers affected, but with 35,000 people working for the company, that number is probably rather big.

Hydro’s team is working 24/7 to mitigate the incident, and they have achieved at least partial success. The power plants were not affected at all because they were isolated from the main network — which is a best practice for critical infrastructure. But the smelting plants were not isolated; during recent years they became significantly more automated than before. So some of the smelting plants located in Norway were hit, and the team managed to make some of them fully operational, although in a slower, semimanual mode. Still, as Hydro says, “lack of ability to connect to the production systems caused production challenges and temporary stoppage at several plants.”

Despite its very large scale, the attack didn’t destroy Hydro’s operations completely. Although Windows machines were encrypted and rendered useless, the phones and tablets not based on Windows continued to work, which gave employees the ability to communicate and respond to business needs. The expensive critical infrastructure such as baths for aluminum production, which cost about €10 million each, do not seem to have been affected by the attack. The security incident caused no safety problems — no people were harmed because of the attack. And Hydro actually hopes that everything that was affected can be restored from backups.

Analysis: Rights and wrongs

Hydro probably has a long way to go before restoring its operations completely, and even investigating the incident will take a lot more time and effort both from Hydro and from the Norwegian authorities. As of now, there is no consensus on what ransomware was used for the attack or who initiated it.

The authorities say they have multiple hypotheses. One of them is that Hydro was attacked by LockerGoga ransomware, which Bleeping Computer describes as “slow” (our analysts agree with that description) and “sloppy,” adding that it makes “no effort to evade detection.” The ransom note didn’t mention the exact sum that the malefactors wanted to decrypt the computers, but instead contained an address for the victims to contact.

Although analysis of the incident is not yet complete, we can already discuss what Hydro did right and wrong both before and during the incident.

Done right:

  1. The power plants were isolated from the main network, which is why they were not affected.
  2. The security team managed to isolate the smelting plants rather quickly, which allowed them to continue running (most in a semimanual mode).
  3. Employees could continue to communicate normally even after the incident, which means that the communication server was probably protected well enough and not affected by the infection.
  4. Hydro has backups that should enable it to restore the encrypted data and continue operations.
  5. Hydro has cyberinsurance that should cover some of the costs arising from the incident.

Done wrong:

  1. The network was probably not segmented properly, or else it would’ve been significantly easier to stop the ransomware from spreading and contain the attack.
  2. The security solution employed by Hydro was not robust enough to catch the ransomware (despite being relatively new, LockerGoga is well known, for example, to Kaspersky Security as Trojan-Ransom.Win32.Crypgen.afbf).
  3. The security solution could’ve been complemented with antiransomware software such as our free Kaspersky Anti-Ransomware Tool, which can be installed alongside other security solutions and is capable of protecting the system from all kinds of ransomware, miners, and some other nasties.