Norwegian aluminum producer Norsk Hydro was hit by a cyber attack which began Monday evening and escalated into the night.
The Norwegian National Security Authority (NSM) declined to comment on what type of attack it was but said the extent of the attack is still being assessed and that it’s too early to state how big it was.
“We are helping Norsk Hydro with the handling of the situation, and sharing this information with other sectors in Norway and with our international partners,” a spokeswoman for the agency told Reuters.
Tim Mackey, senior technical evangelist at Synopsys, said that he hopes Norsk Hydro details the attack methods and nature of the cyberattack they are experiencing. The shutting down of operations at their plants implies that those plants had control system access from the internet or from computers connected to the internet, he said.
“Minimally, this attack provides a lesson in the value of both network segmentation and ensuring that threat models are created, assuming the threat comes from an internal source,” Mackey said. “With increasingly sophisticated attacks, organizations must assume attackers could compromise internal systems as easily as they might attempt to breach a firewall into a production system.”
CyberX Vice President of Industrial Cybersecurity Phil Neray told SC Media manufacturing companies are an obvious target for ransomware because downtime is measured in millions of dollars per day – so CEOs are typically eager to pay up.
“Plus the security of industrial networks has been neglected for years, so malware spreads quickly from infected employee computers in a single office to manufacturing plants in all other countries,” Neray said. “These attacks are especially serious for metal or chemical manufacturers because of the risk of serious safety and environmental incidents, and the bottom-line impact from spoilage of in-process materials and clean-up costs.”
Kevin Stear, lead threat analyst at JASK, said he suspects that with Industrial Control Systems, and in the greater sphere of the Internet of Things, similar attacks are only going to become more common.
“We’ve seen a taste of this in last year’s scares in the U.S. energy sector, with attacks targeting Energy Transfer Partners, Oneok and Boardwalk Pipelines and more opportunistic attacks on commercial SOHO devices by the VPNFilter campaign,” Stear said.
“This is also representative of a larger and more ominous trend. ”
Stear added that what we’re seeing today is effectively the evolution of modern warfare and the rise of cyber power projection in the industrial-economic space.
Sam Curry, chief security officer at Cybereason, said it is too early to surmise if the Hydro breach will result in material losses for the company and their customers. “
“Years ago, ransomware came on the scene in a world with no protection like a disease in an exposed population,” Curry said. “Now we understand it, and the adversaries no longer use it for smash and grab campaigns but rather surgically and to cover their traces.”
Curry added that while most companies have contingencies and tools now that help with ransomware, they often only provide a false sense of security because most of the lack of recent ransomware outbreaks is due to the attackers using it differently, not because defenders are stopping it better.
Update: The attack has been revealed to be a LockerGoga ransomware attack.The infection started in the U.S. and spread to shut down the companies global network, Independent Researcher Kevin Beaumont tweeted.