Norsk Hydro Credited With Quick Response to Cyber Attack Despite Unrelated Upheaval: RMS

April 9, 2019 by L.S. Howard

When Norsk Hydro, one of the world’s largest aluminum producers, was hit by a major cyber attack in the early hours of March 19, it was already undergoing a major upheaval: just the day before the attack, the company’s long-standing CEO of 10 years took early retirement and the new CEO wasn’t due to take up the reins until early May.

As a result of the management vacuum, Hydro’s press conference to announce the attack was led by the CFO, rather than the CEO, said catastrophe modeling firm RMS, which provided a commentary about the attack.

The CFO disclosed that IT systems in most Norsk Hydro business areas were affected, including the digital systems at its smelting plants, which had to move to manual operations, while several metal extrusion plants had to be shut down, RMS recalled.

Three weeks later, production is nearly – but not quite – back to normal. Some operations are continuing to rely on a higher degree of manual operation. Its major Extruded Solutions business area continues to run at below full capacity, according to Norsk Hydro’s website, which was updated on April 5. Production in the three business units (Extrusion Europe, Extrusion North America and Precision Tubing) is currently running at approximately 90 percent, while operations at its Building Systems unit are running at around 75 percent.

Despite such turmoil, the company handled the crisis quickly and effectively, said RMS, which provides insurance industry models, including for cyber and natural catastrophe events.

“One of the critical factors in cyber breach response and recovery is executive action, including public communications, accountability, and responsibility,” RMS said.

Hydro’s lack of a CEO at the time of the attack “made it more difficult for Norsk Hydro to deal with the crisis, and may have been a factor in the timing of the attack,” said RMS in its emailed comments written by catastrophist Gordon Woo and Russell Thomas, principal modeler.

Nevertheless, Norsk Hydro quickly isolated its plants, “acting resiliently to avoid infection from one plant to another,” RMS affirmed.

LockerGoga Ransomware

RMS said the source of the infection was ransomware known as “LockerGoga,” which first appeared in January 2019, when the French engineering company, Altran Technologies, was hit by a cyber attack. Altran Technologies is a leader in automotive cyber security.

“Unlike WannaCry or NotPetya ransomware which self-replicate across networks and the internet, LockerGoga can only be used in limited targeted attacks,” said RMS, explaining that deployment of the ransomware is manual, and administrative privileges are needed for successful execution.

However, by exploiting the central Active Directory server, the ransomware was able to infect all of Norsk Hydro’s workstations at the same time, RMS noted.

“With any cyber attack, there is much wider variability in loss outcome than for natural hazards because of the human dimension intrinsic to both attack and defense,” added RMS. “On the defensive security side, Norsk Hydro kept their networks and admin systems under one domain, but thankfully this did not include their industrial control systems (ICS) or their Microsoft Office servers, which are based in the cloud.”

The ransomware enabled administrator passwords to be changed, “and since most servers were under the same domain, the attack was able to spread much more rapidly than if there had been a mixture of network segmentation and separate administrated domains,” RMS noted in its comments.

No Ransom Paid

While Norsk Hydro did not pay a ransom, there was little chance that an infected company could fully restore their systems even if they did pay the ransom, said RMS, noting that there currently is no way to unlock or decrypt the systems and files encrypted by LockerGoga.

“So the primary objective of the hackers may not have been merely financial gain,” said RMS. “Possibly, there may have been an environmental protection motive associated with toxic river pollution in Brazil.”

RMS said this might explain the “relative lack of hacker tradecraft in the cyber weapon deployed.”

Given the limitation of LockerGoga, RMS affirmed that the insured loss outcome to Norsk Hydro might be much less than the US$40 million estimate.

“The insured loss outcome might have been very much larger if the attack had been perpetrated by Chinese state-sponsored hackers, intent on damaging the aluminum production capacity of a major competitor,” said RMS, pointing to the fact that 10 percent of the world’s aluminum capacity outside of China came from Hydro’s Alunorte refinery in Brazil.

A similar scenario could arise in the setting of a corporate transaction, such as a merger, acquisition, or partnership, where a cyber attack such as this could be used to temporarily damage one of the players and thereby affect the transaction price, RMS went on to explain.

Because LockerGoga has the capability for destructive erasure (also known as “wiping”), it could have caused severe damage to industrial control systems if it had been able to gain network access. If it had become necessary to do an emergency shutdown of critical plant, this could have led to “a very costly recovery operation,” said RMS, noting that such a cyber attack actually happened at a German steel mill in December 2014.

“Every notable event provides another building block for a catastrophe risk model,” said RMS. “The Norsk Hydro attack again raises the issue of hacker motive as an insurance loss qualifier, and a factor in grading relative target likelihood.”

Good Public Communications Essential

RMS praised Norsk Hydro for excellent public communications following the breach, which was especially notable given the fact that its long-standing CEO left the company at the same time. (The new president and CEO, Hilde Merete Aasheim, is due to take up her post on May 8, 2019.)

The CEO retired after the company admitted it had been responsible for a massive environmental spillage of bauxite residues at its Alunorte refinery in northeastern Brazil in February 2018, which has brought a 40 percent reduction in its share price over the past year, explained RMS.

“Many companies get into serious trouble when executives lie in public or otherwise push blame on to other parties. This can lead to severe regulatory fines and executive resignations.”

RMS said it was “very positive” that Hydro’s team responded “so well and fast, given the upheaval already going on.”

*This story appeared previously in our sister publication Insurance Journal.