Insights into the Norsk Hydro Cyberattack: Using AD in IT/OT Networks
Mar 25, 2019 | Radiflow team
One of the world’s biggest aluminum producers, multinational manufacturer Norsk Hydro, announced it had been hit by a ransomware attack of unknown origin, with hackers demanding a ransom.
The attack caused severe damage to the corporate network by disabling network communications on every computer, encrypting files and changing local user accounts to prevent recovery procedures. Norsk Hydro’s incident response team isolated part of the production facilities, moved some plants to manual or semi-manual operations, and brought in external IT and cyber security experts to assist in the investigation and recovery operations.
The analysis of the malware pointed to a rarely seen ransomware named LockerGoga, which was previously reported as being used in an attack on the French global engineering and consulting firm Altran in February 2019.
Even though most of the cyber security community agrees that the Norsk Hydro incident response process was conducted professionally, the attack definitely affected manufacturing activities and caused overall business interruption and operational loss that is yet to be determined.
As part of the incident response process, Norsk Hydro informed Norway’s CERT, which later mentioned that the attack on Hydro was combined with an attack against its Active Directory (AD). Also, the LockerGoga malware that is reported to have infected the Norsk Hydro network does not have the capability to spread automatically, so we can only wonder whether some built-in network mechanism was exploited by the attackers. Although the exact incident details are still unclear, we will focus our analysis on this architectural issue.