On Tuesday, it became public that Hydro had suffered from a major cyber security attack – probably the largest in Norwegian history. In this blog post, I will explain the background, what we know today and some lessons learned.
Hydro notified the public early on Tuesday (as required by the Norwegian stock exchange rules) that during the night they had first discovered network disruptions and then experienced problems with some of their management systems.
Hydro’s conclusion was that they were exposed to a computer attack. Currently, their website is still down. At several of their factories the operators must control production manually, and smaller plants are closed until further notice. Employees have been told not to turn on their computers or connect to the network.
Some background information:
The Norwegian authorities and Norwegian private industry run a joint cooperation called “VDI” (“Warning system for Digital Infrastructure”). The National Security Authority (NSM) confirms that they were also informed about the attack. NSM has a specialized IDS located at each member of the VDI group that runs proprietary signature files as well as all commercial signature files, as an “early warning for cyber-attacks”. However, this system did not detect the upcoming zero-day attack, since the perpetrators first attacked sites and production plants in the USA, where this IDS equipment was not deployed. It also looks like the perpetrators were looking for backdoors into the production systems rather than the office systems.
However, the attack seems to have started with exploits of control systems that were connected to the internet, mainly because Hydro, over the last couple of years, has reduced its operational staff through automation and remote management of control systems and equipment over the internet. My guess is that these systems were running on earlier versions of Windows (XP/Win7 etc.) and did not have the necessary security patching.
From these weak perimeter points into the internal network, the attack has been two-pronged:
A) Encryption Virus
An encryption virus called “LockerGoga” was introduced and started to crawl the network for more units, servers and PCs to infect. This virus encrypts files and demands a ransom. It is quite new (discovered on 19th January this year) and has probably been morphed to avoid recognition by local firewalls and anti-virus programs. It has spread from the control systems to production systems such as order and scheduling systems, and it has spread to different countries as well. So by Wednesday the USA, Canada, Norway and several plants in Europe were affected. We are talking about forging plants, extrusion plants and other plants that manufacture or make products out of aluminum, and about the production systems in those countries as well.
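The spreading behaviour described above, a host crawling the network for further machines to infect, is something a defender can look for in flow or firewall logs: one source suddenly contacting many distinct hosts on Windows file-sharing and remote-access ports. The following is an added example, not code from the original post or from Hydro, NSM or any vendor. It counts, per source host, how many distinct destinations are contacted on those ports within a sliding time window and raises an alert when the fan-out crosses a threshold. The addresses, timestamps, port list and thresholds are constructed assumptions for the example.

```python
"""Added example: flag a host that 'crawls' the network, i.e. opens connections on
lateral-movement ports (RPC, NetBIOS, SMB, RDP) to many distinct hosts in a short
window. All addresses, timestamps and thresholds are constructed for this example."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Ports a file-encrypting worm typically uses to reach other Windows hosts (assumed list)
LATERAL_PORTS = {135, 139, 445, 3389}


@dataclass(frozen=True)
class Conn:
    ts: float   # seconds since epoch
    src: str
    dst: str
    dport: int


def fanout_alerts(conns, window_s=60.0, threshold=10):
    """Return {src: (window_start_ts, distinct_destinations)} for every source that
    reaches at least `threshold` distinct hosts on LATERAL_PORTS within `window_s`
    seconds. A source is reported once, at the moment it first crosses the threshold."""
    alerts = {}
    recent = defaultdict(deque)            # src -> deque of (ts, dst) inside the window
    for c in sorted(conns, key=lambda k: k.ts):
        if c.dport not in LATERAL_PORTS:
            continue
        q = recent[c.src]
        q.append((c.ts, c.dst))
        while q and c.ts - q[0][0] > window_s:   # drop connections older than the window
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and c.src not in alerts:
            alerts[c.src] = (q[0][0], len(distinct))
    return alerts


def sample_conns():
    """Constructed traffic: normal office traffic, a slow admin host, and one host
    behaving like a spreading worm."""
    base = 1_552_950_000.0                 # constructed epoch value, not from a real log
    conns = []
    # Five office workstations talking to one file server: low fan-out, no alert.
    for i in range(5):
        conns.append(Conn(base + i * 3, f"10.10.0.{10 + i}", "10.10.0.5", 445))
    # An admin host reaching 16 production hosts over RDP, but spread across two hours.
    for i in range(16):
        conns.append(Conn(base + i * 450, "10.10.0.2", f"10.50.1.{50 + i}", 3389))
    # A production host hitting 16 distinct SMB targets in about 30 seconds.
    for i in range(16):
        conns.append(Conn(base + 100 + i * 2, "10.50.1.23", f"10.50.1.{100 + i}", 445))
    return conns


if __name__ == "__main__":
    for src, (start, n) in fanout_alerts(sample_conns()).items():
        print(f"ALERT {src}: {n} distinct hosts on lateral-movement ports since ts={start:.0f}")
```

With the default 60-second window only the worm-like host is reported; widening the window to two hours also catches the slow admin host, which shows why the window and threshold have to be tuned to the normal management traffic of the network rather than copied from elsewhere.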
B) Penetration of AD
At the same time, an attack was made to penetrate Hydro’s AD to get access to users and passwords, probably to be offered later on black market sites on the dark web, where this kind of information is a commodity for sale. This is a kind of “brute force attack” that makes countermeasures extremely difficult, as it drains resources and diverts focus all the time. You need AD running to be able to apply countermeasures against the encryption virus, but at the same time you need to minimize access to AD, and access in general, to reduce the attack surface and the risk exposure of your AD.
What we know today:
According to the acting department director of the National Cyber Security Center in the National Security Authority, Bente Hoff, PST and Kripos (both police units) and the Norwegian Intelligence Service are involved in the investigation together with NSM. That is nearly all national resources made available to a private company in this case. Only the military Cyber Defense Force is not engaged for the moment.
Hydro is managing to run its production plants by using manual routines and increasing the number of employees on site.
Hydro is restoring all affected systems in the production environment, but this will take a long time to complete.
And since they do not have the time-schedule and production-ordering systems up and running, some smaller plants in Norway have actually stopped their production.
Hydro has also engaged external specialists (and I guess that they, together with Hydro’s own personnel, have started to look at access restrictions and securing weak perimeter points).
Hydro will need a solution where they can still run “Remote Desktop” remotely on the control-system equipment at the different plants if they do not want to permanently increase on-site operations personnel. (And this counters their goal of downsizing the operational workforce to be cost effective.)
Lesson to learn from this:
It is necessary to separate the “office environment” from the “production environment”, mainly because PCs and servers used as control systems often impose restrictions on security patching and OS updates, since these will often halt production.
Production systems need to be placed on a separate VLAN with “Chinese walls” around it, which can be monitored and where access to the internet is reduced to a minimum; this needs to be designed and implemented.
If necessary, production personnel must be equipped with two PCs/laptops: one that accesses the production environment and one that accesses the office network. The cost of these laptops is minimal compared with the cost if something like the Hydro case happens.
In the case of an attack on an IT service provider, we must be certain that their backup/restore routines are efficient and effective.
In the case that your company is not the target of the attack, but rather some other customer of the same IT service provider, we must be sure that they can separate our virtual server environment from those affected.
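One way to make the separation described in the lessons above concrete is to write the intended zone policy down as code and audit observed firewall flows against it; the same policy also covers the earlier point about still needing Remote Desktop into the plants, here permitted only through a jump host. The following is an added example, not code from the original post or from Hydro. The address plan (a production VLAN, an office network and a small DMZ holding a jump host and a patch relay), the host addresses and the log lines are all constructed assumptions.

```python
"""Added example: audit firewall flow records against a simple zone policy for an
office/production split with a DMZ holding a jump host and a patch relay. Zones,
host addresses and log lines are all constructed for this example."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed address plan (not Hydro's): production VLAN, office network, small DMZ.
ZONES = {
    "production": ipaddress.ip_network("10.50.0.0/16"),
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
}
JUMP_HOSTS = {"10.20.0.10"}    # the only way to open Remote Desktop into production
PATCH_RELAY = {"10.20.0.20"}   # the only path from production toward updates

# Constructed log format: "<timestamp> <action> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


def zone_of(ip):
    """Map an address to a zone; anything outside the listed networks is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def allowed(src, dst, dport):
    """The policy: production only talks to the patch relay; office reaches production
    only through the jump host over RDP; nothing comes in from the internet."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return True                      # intra-zone traffic is not judged here
    if sz == "internet":
        return False                     # no inbound exposure of any zone
    if sz == "production":
        return dst in PATCH_RELAY        # no direct internet, no office, no other DMZ host
    if sz == "office":
        return dz == "internet" or (dst in JUMP_HOSTS and dport == 3389)
    if sz == "dmz":
        if src in JUMP_HOSTS:
            return dz == "production" and dport == 3389
        if src in PATCH_RELAY:
            return dz in ("internet", "production")
    return False


def parse(line):
    m = LOG_RE.match(line.strip())
    return Flow(m["ts"], m["src"], m["dst"], int(m["dport"])) if m else None


def audit(lines):
    """Return the flows that violate the policy, in log order."""
    flows = (parse(line) for line in lines)
    return [f for f in flows if f and not allowed(f.src, f.dst, f.dport)]


# Constructed log excerpt; timestamps and addresses are illustrative only.
SAMPLE_LOG = """\
2019-03-19T01:58:11Z ACCEPT src=10.10.0.15 dst=10.10.0.5 dport=445
2019-03-19T01:59:02Z ACCEPT src=10.10.0.15 dst=10.20.0.10 dport=3389
2019-03-19T01:59:03Z ACCEPT src=10.20.0.10 dst=10.50.1.40 dport=3389
2019-03-19T02:03:40Z ACCEPT src=10.10.0.15 dst=10.50.1.40 dport=3389
2019-03-19T02:05:17Z ACCEPT src=10.50.1.23 dst=203.0.113.7 dport=443
2019-03-19T02:06:49Z ACCEPT src=203.0.113.9 dst=10.50.1.23 dport=3389
2019-03-19T02:10:05Z ACCEPT src=10.50.1.23 dst=10.20.0.20 dport=443
2019-03-19T02:14:30Z ACCEPT src=10.50.1.23 dst=10.10.0.5 dport=445
""".splitlines()


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"VIOLATION {f.ts} {zone_of(f.src)}:{f.src} -> {zone_of(f.dst)}:{f.dst}:{f.dport}")
```

Run against the constructed excerpt, the audit reports four flows: an office workstation reaching a production host directly instead of via the jump host, a production host reaching the internet, an inbound connection from the internet to a production host, and a production host reaching an office file server over SMB. The last three are exactly the paths through which the attack described in this post entered and spread; the first is the one the two-laptop rule is meant to close.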
Jan Bjørnsen is a senior security advisor at Knowit Insight. He has extensive experience in development and management within IT Governance and control, IT Audit and continuity. Jan is also experienced in promoting and facilitating operational and organizational changes and improvements related to the establishment of security architectures and compliance with laws and regulations.