Nordic companies targeted in wave of cyber attacks

Nordic companies are scaling up their IT network defences after a series of malicious cyber attacks, peaking in December 2021, against a number of the region’s largest industrial and service industry groups.

Vestas Wind Systems, Amedia, Nortura and Nordic Choice Hotels were among the corporate targets in this latest wave of cyber attacks, which materialised as Nordic governments were announcing increased spending on their national security apparatus to shore up cyber defence infrastructure.

The aggressive ransomware virus attack on the Oslo-headquartered Nordic Choice Hotels (NCH) in December disrupted the leisure company’s booking, payments platform and online check-in IT systems. The attack impacted IT networks and computer stations across NCH’s chain of 200 hotels in Norway, Sweden, Finland, Denmark and Lithuania.

The ransomware attack launched against Vestas Wind Systems (VWS) on 19 November affected the Danish company’s internal systems and resulted in a breach of personal data. The hackers not only succeeded in capturing data from compromised internal file share systems, but released personal information, including employment contracts, on the dark web.

“The threat actor failed in their attempt to extort Vestas,” said VWS CEO Henrik Andersen. “Unfortunately, the attackers did manage to steal data from Vestas, and that data has been illegally shared externally. To mitigate this situation, we are working hard to identify any leaked data and will collaborate with affected stakeholders and authorities.”

VWS collaborated with external cyber security partners to re-establish normal operations after the attack. Operating alongside its forensic probe into the cyber strike, the company also started to harden its IT systems and IT infrastructure to achieve a full restoration of all systems by mid-December.

“We were relieved the attack didn’t impact wind turbine operations, and most of our IT systems were up and running again soon after the attack. We still have a lot of work ahead of us. We need to remain extremely diligent towards cyber threats,” said Andersen.

“We were relieved the attack didn’t impact wind turbine operations, and most of our IT systems were up and running again soon after the attack. We still have a lot of work ahead of us. We need to remain extremely diligent towards cyber threats”

The virus attack against NCH, the Nordic region’s largest hotel and leisure group, was launched on 2 December. The hackers managed to paralyse, infect and encrypt an undisclosed number of machines, forcing NCH to accelerate the pace of a newly rolled-out project to convert more than 4,000 computers using Microsoft Windows to run on Google Chrome OS.

NCH’s technology unit, working with internal and external IT cyber security experts, managed to convert 2,000 computers to Chrome OS within 24 hours of the attack, enabling the company to maintain basic operations such as bookings, check-in and check-out, and payment solutions.

“We were already engaged with the pilot project to convert our Microsoft Windows computers to Google Chrome OS when the attack happened. We decided to re-focus resources to speed up the Chrome OS project, which is linked to our cost-efficiency and CO₂ reduction programmes. We were able to clean all machines of the virus and install Google’s CloudReady solution,” said Kari Anna Fiskvik, NCH’s vice-president of technology.

Obtaining forensics support from the Norwegian National Security Authority (Nasjonal Sikkerhetsmyndighet), NCH was able to identify the computer virus as the work of the so-called Conti ransomware group. Bjørn Arild Wisth, NCH’s deputy CEO, said the company took a decision not to contact or respond to any ransom demands. 

“Over the weekend of the attack, we managed to implement alternative solutions at most of our hotels. The aim was to return staff to normal operations, a goal we achieved within days of the cyber attack,” said Wisth. “Our forensic investigations do not reveal, currently, that data from the attack has been leaked, but we can’t rule it out.”

The Conti ransomware, which was first observed in 2020, is particularly aggressive towards all versions of Microsoft Windows. Having breached an IT system, the Conti virus will attempt to delete Volume Shadow Copies and terminate important services using Restart Manager to enable it to encrypt files. Conti is also purposed to uninstall the Windows Defender application on computers.

NCH estimates that its decision to change the software instead of the hardware on its IT network, which comprises 4,000 computer machines, will save the company around NOK60m (€6m).

The cyber strike against Nortura on 21 December forced the Norwegian meat processing company to shut down its entire IT system ahead of a forensics investigation and the cleansing of computers connected to the company’s central IT system.    

Nortura detected the attack at an early stage and was able to limit damage to its IT system by shutting down internet access, said CEO Anne Marit Panengstuen. The swift action prevented hackers from capturing data or encrypting operating system files.

“Cyber threats are becoming more common generally and we keep investing to protect our business against bad actors. We have good contingency plans, which were activated when we became aware of the attack,” said Panengstuen. “We also had an element of luck on our side as we had conducted an IT cyber security contingency exercise in 2021 that was based on a similar threat profile.”

“Cyber threats are becoming more common generally and we keep investing to protect our business against bad actors. We have good contingency plans, which were activated when we became aware of the attack”

Nortura’s standby cyber security protocols were employed to forensically establish if computers within the group’s IT system had been compromised. A full cleanse was carried out before the central IT system, which supports Nortura’s meat processing plants across Norway, was fully restored on 10 January 2022.

Amedia, the publishing house for 80 local newspapers in Norway, was targeted in a ransomware virus attack on 28 December. The attack forced the company to take its central computer system and production facilities offline. Although Amedia suspended publication of its print editions, the company continued to publish its newspapers online after a forensics analysis of the attack was conducted and the threat value to core operations receded.   

“This was a classic virus attack for ransom,” said Pål Nedregotten, Amedia’s head of data and technology. “The hackers sought to disrupt our capacity to publish and operate while trying to disable our advertising and subscription systems. We routinely implement comprehensive cyber security measures to limit damage from such attacks. These measures look to restore normal operations as quickly as possible. Problems arising from the attack were mainly limited to systems managed by our central IT company, Amedia Teknologi. Amedia’s other systems worked as normal.”

Hackers sought to capture personal data in Amedia’s subscription system, which contains the names, addresses, telephone numbers and subscription history of private and business subscribers. Other data, such as account login passwords, read history and bank card information, was not compromised in the attack, said Nedregotten.

“Investigations are continuing, but right now we have no information that personal data has been published or misused in any way,” added Nedregotten.