“LockerGoga” ransomware hits Norsk Hydro

Norsk Hydro, a leading European aluminum manufacturing company operating in over 50 countries, was attacked by the LockerGoga ransomware on March 18, 2019. The attack was so extensive that Norsk Hydro’s CFO, Eivind Kallevik, stated: “Our IT network worldwide is down; this has affected both our production and operational activities.” As a result, production was halted at several plants for a short period. Fortunately, the losses in production were minimal.

How does LockerGoga work?

It is important to remember that the attack vector is currently unknown. It is possible that someone logged in using stolen administrative credentials or that access to the network was gained by exploiting a security vulnerability. Although the second possibility may seem unlikely (as LockerGoga itself does not typically exploit vulnerabilities), there is still a chance that an open security flaw was leveraged by another exploit. Until the initial point of infection within the network is determined, it is crucial not to rule out any potential attack vector.

How did LockerGoga spread through Norsk Hydro?

The LockerGoga attack on Norsk Hydro began in one of their U.S. facilities, and the ransomware spread through Norsk’s Active Directory. Active Directory is a Microsoft service used to manage computers and network devices, allowing network administrators to create and manage domains, users, and objects. If someone gains control over an organization’s Active Directory, they essentially have control over the entire network.

LockerGoga was then propagated to other Norsk Hydro branches, affecting global production and office operations. Once the attack was identified and contained, all employees were alerted—an image was displayed at the headquarters warning staff not to connect devices to the network.

As of the time of this post (original post date is March 22), Norsk Hydro is still working on its recovery plan, but it seems they are attempting to use backups instead of paying the ransom to decrypt the original files. They have not yet established a clear timeline for when they might resume normal operations and return to full operational readiness. In the meantime, manual processes are in place.

LockerGoga – a larger trend

Although this attack did not exclusively target Norsk Hydro’s OT systems, the fact that traditional IT attack tactics, such as ransomware, are affecting OT environments should be concerning. The Norsk Hydro attack is just the latest example of the growing trend of cyberattacks on OT systems:

  • The same LockerGoga ransomware was linked to an attack on the French technology consulting group Altran Technologies earlier this year.
  • Additionally, in 2018, the exploitation of a vulnerability by the OmniRAT malware was the cause of an attack on companies associated with Kuwait Oil Company in the Middle East, likely involving extensive OT networks due to their role in the energy sector.
  • Just before the New Year, a threat called “Shamoon” once again made its presence known, wiping hundreds of hard drives of the oil giant Saipem.

What should companies whose business relies on OT networks do?

To protect an OT network from the growing threat, organizations must first have good visibility into their OT environments in terms of access and the existing risks. Additionally, they should understand how the OT environment is connected to the IT environment. To achieve full visibility, organizations should:

  • Understand the concept of network segmentation and implement it to isolate critical resources and those vulnerable to attacks.
  • Evaluate and prioritize identified vulnerabilities, giving precedence to those for which working exploits (ready-made ways to abuse the flaw) already exist. This helps limit the spread and activation of threats like LockerGoga.
  • Identify other security weaknesses such as excessive access or configuration issues with network devices.
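The three checks above can be expressed as simple rules over an asset inventory. The script below is an added illustration, not code from the original post or from Skybox; every host, firewall rule, group and vulnerability in it is constructed, and the vulnerability identifiers are placeholders rather than real CVE numbers. It flags broad IT-to-OT firewall rules (segmentation), ranks vulnerabilities higher when a public exploit exists and when the host sits in a zone reachable from the IT network (exploit-aware prioritization), and reports hosts whose local Administrators group contains a domain-wide group (excessive access).

```python
"""Constructed IT/OT risk triage example: segmentation gaps, exploit-aware
vulnerability priority and excessive local admin access. All data is made up."""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    zone: str                                          # e.g. "IT", "OT", "SIS"
    local_admins: list = field(default_factory=list)   # groups with local admin


@dataclass
class Vuln:
    host: str
    vuln_id: str          # placeholder identifier, not a real CVE
    cvss: float
    exploit_public: bool  # a working exploit is publicly available


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: str        # "any" or an explicit port list
    action: str           # "allow" or "deny"


# Constructed sample inventory (hypothetical names and values).
HOSTS = [
    Host("ws-01", "IT", ["Domain Admins", "Domain Users"]),
    Host("hmi-07", "OT", ["Domain Admins"]),
    Host("plc-gw", "OT", ["Domain Admins", "Authenticated Users"]),
    Host("sis-01", "SIS", ["Domain Admins"]),   # safety zone, no IT rule reaches it
]
RULES = [
    Rule("IT", "OT", "any", "allow"),    # overly broad: whole IT zone into OT
    Rule("IT", "DMZ", "443", "allow"),   # narrow, named port
    Rule("OT", "IT", "any", "deny"),
]
VULNS = [
    Vuln("ws-01", "VULN-A", 7.5, True),
    Vuln("hmi-07", "VULN-B", 9.8, False),
    Vuln("plc-gw", "VULN-C", 6.1, True),
    Vuln("sis-01", "VULN-D", 9.0, True),
]

BROAD_GROUPS = {"Domain Users", "Authenticated Users", "Everyone"}


def segmentation_gaps(rules):
    """IT->OT allow rules that permit any port: the zones are not really separated."""
    return [r for r in rules
            if r.action == "allow" and r.src_zone == "IT"
            and r.dst_zone == "OT" and r.dst_ports == "any"]


def exposed_zones(rules):
    """Zones that at least one allow rule makes reachable from the IT zone."""
    return {r.dst_zone for r in rules
            if r.action == "allow" and r.src_zone == "IT"}


def prioritize(vulns, hosts, rules):
    """Rank vulnerabilities: CVSS base, +4 for a public exploit,
    +2 when the host is in IT or in a zone reachable from IT.
    Returns (score, vuln_id, host) tuples, highest score first."""
    zone_of = {h.name: h.zone for h in hosts}
    reachable = exposed_zones(rules) | {"IT"}
    scored = []
    for v in vulns:
        score = v.cvss
        if v.exploit_public:
            score += 4
        if zone_of.get(v.host) in reachable:
            score += 2
        scored.append((round(score, 1), v.vuln_id, v.host))
    return sorted(scored, reverse=True)


def excessive_access(hosts):
    """Hosts that grant local admin rights to a domain-wide group."""
    return [(h.name, g) for h in hosts
            for g in h.local_admins if g in BROAD_GROUPS]


if __name__ == "__main__":
    for r in segmentation_gaps(RULES):
        print(f"segmentation gap: {r.src_zone} -> {r.dst_zone} ports={r.dst_ports}")
    for score, vid, host in prioritize(VULNS, HOSTS, RULES):
        print(f"{score:5.1f}  {vid}  on {host}")
    for host, group in excessive_access(HOSTS):
        print(f"excessive access: {group} is local admin on {host}")
```

Note how the ranking changes once exposure is considered: the highest-CVSS item (on an OT host reachable from IT but without a public exploit) drops below two lower-scored flaws that do have exploits, while the safety-zone host, which no IT rule reaches, is ranked only on severity and exploit availability. Replacing the constructed lists with exports from a real scanner, firewall and directory is the intended next step.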

Source: skyboxsecurity.com
