
Norsk Hydro urges caution as it counts cost of cyber attack

Norwegian aluminium giant Norsk Hydro is urging partners to be cautious in the wake of a damaging ransomware attack in March, as the latest financial impact estimates come in above initial figures.

Initial estimates put the financial impact of Norsk Hydro’s ransomware attack in March at around $41m, but latest estimates put the cost at between $45.6m and $51.3m.

The company has issued a warning to partners that malicious actors could contact them pretending to represent the aluminium producer.

“This may be an attempt to spread the virus further or deceive our customers, suppliers or other partners,” the company said in a warning on its website.

“We therefore ask our partners to show extra caution when receiving emails from Hydro during this period. For instance, please note that Hydro is not under any circumstances asking our partners to change bank accounts. Anyone who is in doubt about the credibility of an email from Hydro should call the sender to verify,” the warning said.

The Norwegian National Security Authority (NSM), which was alerted to the attack, identified the ransomware involved as LockerGoga, which was linked to an attack on French engineering consultancy Altran Technologies in January.

LockerGoga is able to encrypt 19 common file types, including files with extensions such as .doc, .dot, .docx, .xlm, .ppt, .pps and .pdf, and once done, all targeted files are encrypted with the extension .locked, according to Nozomi Networks Labs, which has analysed the ransomware.

In a market update for the first quarter of 2019, the company said its overall production volumes in the first quarter fell from the same period last year, in part due to the cyber attack that caused production challenges, predominantly in Extruded Solutions.

“The cyber attack that hit us on 19 March has affected our entire global organisation, with Extruded Solutions having suffered the most significant operational challenges and financial losses,” said president and CEO Svein Richard Brandtzæg.

He said the overall financial impact of the cyber attack is estimated at NOK 400-450 million in the first quarter, adding that the company has a robust cyber insurance in place with recognised insurers. However, Brandtzæg did not spell out what that meant or provide any further details.

On 12 April, the company announced that it would postpone its complete first quarter report to 5 June because of the cyber attack. The full financial impact of the cyber attack, and potentially the mitigation effect of the insurance, will be reflected in the full financial results for the quarter.

Preliminary data shows that external sales volumes in Extruded Solutions fell to 333,000 tonnes in the first quarter compared with 362,000 tonnes in the same period last year.

However, the company said: “Extruded Solutions is focusing on its value over volume strategy, and had planned for the current quarter volumes somewhat below the same quarter last year before the cyber attack, which further reduced actual volumes.”

Hydro’s other business areas – Bauxite & Alumina, Primary Metal, Rolled Products and Energy – the company said, have been able to produce “close to normal” despite the attack, although this required “work-intensive workarounds and manual procedures”.

Norsk Hydro has been widely praised for its response to the ransomware attack. In announcing the attack, the company said that it would not pay any ransom and would work to restore operations by using backed-up data and switching to manual operations.

This underlined the importance of having good backups to enable companies to recover from ransomware attacks and other IT system failures.

The company has also been praised for its transparency about the attack and frequent updates, including regular media conferences in the wake of the attack.
