zephyr_p - stock.adobe.com

Norsk Hydro confirms ransomware attack

A Norwegian aluminium producer has confirmed a ransomware attack is affecting several areas of its business, forcing it to switch to manual operations

One of the world’s largest aluminium producers Norsk Hydro has confirmed it has been hit by a ransomware attack, impacting operations in several business areas.

The attack in the early hours of 19 March 2019 impacted IT systems in “most business areas” company said in a statement issued to meet disclosure requirements of the Norwegian Securities Trading Act.

“Hydro is switching to manual operations as far as possible. Hydro is working to contain and neutralise the attack, but does not yet know the full extent of the situation,” the company said.

However, despite some “temporary stoppages” at some plants, most production plants are working normally by switching to manual operations used in the past, chief financial officer Eivind Kallevik told a news conference in Oslo. The attack has not resulted in any safety-related incidents, he added.

“The situation for Hydro through this is quite severe. The entire world wide network is down, affecting our production as well as our office operations.” However, he said tablet computers and phone systems were still functioning normally. 

While the company and the Norwegian national security authority were unwilling to confirm which type of ransomware had been used in the attack or say whether a ransom had been demanded, Kallevik said that having isolated the malware and all plants from the global network, Norsk Hydro was aiming to restore encrypted data from backups.

Kallevik, who is also leader of Norse Hydro’s corporate emergency team, said the company was committed to working around the clock to restore normal operations at plants using its “extensive IT competence” in its global IT organisation. These internal teams, he said were being supported by external expertise and the national security authority, which helping with threat analysis and coordinating national and international threat intelligence.

Read more about IT/OT convergence

The top priority, he said, was to ensure safe operations and find a practical way of removing the ransomware infection and restoring affected data from recent backups to resume normal operations. In the meantime, Kallevik said more staff had been drafted to carry out manual workarounds.

Kallevik said it was too early to say what the impact on the business will be or how soon affected systems will be restored, but the company was already working from backup data to ensure that immediate orders were being fulfilled, but said the extent to which this is possible varied from plant to plant.

Chris Morales, head of security analytics at security firm Vectra said that although the infection appears to have spread very quickly internally, Nork Hydro’s incident response process is commendable.

“The important thing here is that breaches happen, and for manufacturing and energy who are large adopters of industrial internet of things, ransomware has become an unfortunate problem that can easily knock a manufacturing or energy plant offline,” he said.

Norsk Hydro is not the first to suffer from a ransomware attack in the energy sector, and while it would be good for organisations to be able to detect and respond to attacks before they cause damage, Morales said many companies do not have that capability yet.

“In terms of incident response, it is good that Norsk Hydro executive management reached out to the public within 24 hours and have been open about their current state. Norsk Hydro had a backup plan to keep operating using manual processes. It is also fortunate that Norsk Hydro has backups of all their data to recover to their original state once they can recover from this attack,” he said.

Norsk Hydro’s operations across Europe and the US have been affected and investor concerns have been reflected in a 2.9% drop in the company’s share value, reports Reuters.

The cyber attack coincides with the recent appointment of a new chief executive officer to oversee operations from 8 May, according to Bloomberg.

Perhaps more significantly, the attack also coincides with the company’s efforts to restore production at its Alunorte plant in Brazil, amid claims of environmental damages by emissions of untreated water after flooding.

While Norsk Hydro has provided no details about the attack as it carries out its initial investigation and Kallevik said the identity of the attacker is still unknown, the claim of environmental damage in Brazil could indicate a motive, although this possibility was not raised at the news conference.


Cyber attacks have been used in the past to punish companies that have angered activist groups or to draw attention to a particular issue or cause.

Commonly known as hacktivists, these cyber attackers are typically individuals, but can also be groups that operate in coordinated efforts, such as Anonymous or LulzSec

The attack comes amid growing concern in the security industry around the vulnerability of operational technology (OT) to cyber attack in the light of increasing IT/OT convergence.

OT, commonly found in the manufacturing sector, is vulnerable to cyber attack mainly due to increased connectivity to the internet and corporate information technology (IT) systems for remote maintenance,  monitoring and analysis, despite the fact that most OT was not originally designed to be connected to external systems and lacks the necessary security controls.

In recent years, the spotlight has fallen particularly on security concerns around industrial control systems that form part of OT, particularly in manufacturing, oil, gas and power firms.

Almost 40% of industrial control systems (ICS), faced attacks in the second half of 2017, but industrial and energy firms are finding these systems difficult to secure, according to a report by Kaspersky Lab in August 2018.

Read more about ICS security

Understaffing, underinvestment and the human factor are the top three challenges to keeping industrial networks secure, the security firm’s State of industrial cybersecurity 2018 survey revealed.

“Whilst we have few details, it is clear from the reported production outages that Norsk Hydro are suffering impacts on their industrial systems, as a result of its IT systems being affected,” said Max Heinemeyer, director of threat hunting at British artificial intelligence (AI)-based cyber security firm Darktrace.

The widespread nature of the compromise, he said, points to a snowball-effect, where a systematic vulnerability can result in mass operational disruption as was seen with WannaCry.

“This news will serve as a wakeup call to the manufacturing industry. Production plants are digital jungles and industrial security can no longer be seen as separate to IT security.

“Defenders of industrial control systems need technologies like AI that allow them to gain visibility across their entire digital infrastructure and thwart threats emerging anywhere from traditional servers to smart monitoring systems.”

Read more on IT for manufacturing

Data Center
Data Management