Business Continuity Management / Disaster Recovery , Cybercrime , Endpoint Security

Hydro Hit by LockerGoga Ransomware via Active Directory

Targeted Crypto-Locking Malware Attack Follows French Firm Being Hit
Hydro Hit by LockerGoga Ransomware via Active Directory
LockerGoga ransom note. (Source: MalwareHunterTeam)

Aluminum giant Norsk Hydro has been hit by an attack that appears to have distributed ransomware to endpoints by using the company's own Active Directory services against it.

See Also: Gartner Guide for Digital Forensics and Incident Response

Security experts say the strain of ransomware used against Hydro, called LockerGoga, is used in highly targeted attacks and in January was used to extort a French engineering firm.

Oslo-based Hydro, which is Norway's second-largest employer, says the attack began Monday at a U.S. plant and spread to some of the other facilities it operates across 50 countries before being contained.

Let me be clear: The situation for Hydro is quite severe," the company's CFO, Eivind Kallevik, said in a Tuesday press conference.

In response, the firm says it's switched to manual processes in many factories, which has necessitated having many more employees working shifts in factories to maintain "safe and sound operations." In addition to plants in Norway, Reuters reports that some plants in Qatar and Brazil were also being operated manually (see Aluminum Giant Norsk Hydro Hit by Ransomware).

"The attackers at Altran and Hydro know what they are doing," says British security researcher Kevin Beaumont (@GossitheDog). "It's well organized extortion."

On Wednesday, Hydro said it is still creating a recovery plan and as yet has no solid timeline for when it might be able to restore all affected systems

"Hydro's technical team, with external support, has succeeded in detecting the root cause of the problems and is currently working to validate the plan and process to restart the company's IT systems in a safe and sound manner," Hydro said in a statement on Wednesday. "However, it is still not clear how long it might take restore stable IT operations."

"Let me be clear: The situation for Hydro is quite severe," Hydro CFO Eivind Kallevik told reporters at a Tuesday press briefing. But he emphasized that the company is planning to restore all affected systems from backups, rather than paying any ransom.

What Was 'Root Cause'?

David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements, has called on Hydro to publicly detail the "root cause" of the attack as quickly as possible, to help safeguard other potential victims.

"If this root cause includes identification of the method used to introduce the malicious code - either through end-user device comprise or remote access to servers - it would be great for the wider community if Hydro could share this information at an early stage," Stubley tells Information Security Media Group. "By doing so, other organizations could take proactive steps to learn from this incident and avoid being subjected to similar attack."

Hydro's Response Earns Plaudits

Hydro aluminum plant in Commerce, Texas. (Photo: Michael Barera, Creative Commons)

Already, Hydro's response has been earning plaudits from security experts, who have noted that the company had a disaster recovery plan in place, including excellent public outreach and transparency.

"While Norsk Hydro have been badly impacted by this attack it is good to see that they have been able to continue their business operations, although at a lower rate," cybersecurity consultant Brian Honan, who heads Dublin-based BH Consulting as well as Ireland's first computer emergency response team, IRISSCERT, tells ISMG.

"This attack is a prime example as to why you need to include your cyber-incident response plans with your business continuity plan," he says. "In today's business world companies need to look at how to remain resilient in the event of a successful cyberattack."

Seeking Other Victims

Norway's Computer Emergency Response Team has issued a public request for other victims to come forward.

"NorCERT warns that Hydro is exposed to a LockerGoga attack. The attack was combined with an attack on Active Directory (AD)," it says in its alert, government-owned broadcaster NRK reports.

"NorCERT asks for information about others affected by similar events," it adds. "NorCERT assists Hydro and the incident is considered ongoing."

Norway's National Criminal Investigation Service, called Kripos, says it learned of the attack on Tuesday morning via the country's Joint Cyber Coordination Center, and has been assisting Hydro as well as liaising with the EU's law enforcement intelligence agency, Europol. While Norway is not part of the EU, it is part of the European Economic Area, and in 2001 the country signed an agreement with the EU that allows it to participate in Europol (see No-Deal Brexit Threatens British Crime Fighting).

Kripos says it recently created a dedicated group, called NC3, to investigate hacking and data breaches.

What Is LockerGoga?

Multiple security experts have said that LockerGoga was previously used against Paris-based Altran in January.

After it was hit, Altran said in a statement: "To protect our clients, employees and partners, we immediately shut down our IT network and all applications."

Following the attack, Bleeping Computer reported that LockerGogo was first discovered in the wild by the anti-ransomware researchers known as @MalwreHunterTeam.

Based on an analysis shared by the security researcher known as Valthek, BleepingComputer reported that LockerGogo's code was "sloppy, slow, and made no effort to evade detection."

MalwreHunterTeam on Tuesday reported that they'd found a new sample of LockerGogo that was uploaded to malware-identification service VirusTotal from a system in Oslo.

Targeted Extortion

Beaumont says LockerGogo is only used by attackers as part of one-off attacks.

"LockerGoga is only used in limited targeted attacks. It does not have a 'spreader,' it's not like WannaCry or NotPetya. It has to be deployed by an attacker who already has admin access," Beaumont said via Twitter.

Attackers can gain admin access to sites in a variety of ways. Security experts say one common approach is to purchase stolen or brute-forced remote desktop protocol credentials from cybercrime markets. Using RDP gives attackers remote access to an organization's network, which they may spend weeks or months studying and raiding for sensitive data, before finishing with a ransomware to try and further monetize their efforts (see Stolen RDP Credentials Live On After xDedic Takedown).

Stubley at 7 Elements says many attacks appear to involve one group raiding an organization for intellectual property, then selling access to less-skilled attackers who deploy ransomware.

On Wednesday, security researchers reported that the code underlying LockerGogo is not related to Ryuk, which is another type of ransomware that has also been used in targeted attacks (see 11 Takeaways: Targeted Ryuk Attacks Pummel Businesses).

Hydro Recovery Continues

Hydro's website remained unavailable on Tuesday. By Wednesday, it had been updated with a placeholder, suggesting that the company's IT department had at least regained control of those servers, if not yet restored the underlying systems.

In the interim, Hydro has been issuing updates via it Facebook page.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.