back to article Ransomware drops the Lillehammer on Norsk Hydro: Aluminium giant forced into manual mode after systems scrambled

Norwegian power and metals giant Norsk Hydro is battling an extensive ransomware outbreak on its computers. The biz, one of the world’s biggest makers of aluminum with sites in 50 countries, said on Tuesday that file-scrambling malware had infected its IT systems in the US and Europe. This cyber-intrusion forced a shutdown of …

  1. Anonymous Coward
    Anonymous Coward

    Ransom

    > While so far there is no indication that Norsk Hydro has any plans to pay the ransom

    Depends on how afjordable it is.

    1. OssianScotland

      Re: Ransom

      They, at least, should be familiar with Danegeld - Kipling's version to be precise

    2. Gothmog

      Re: Ransom

      Don't mention this to Norsk Hydro, it's a very Thor point.

  2. Stu_The_Jock

    Now if they'd only had their servers all safely encased in the cellars of their 1940s factory outside Rjukan it would all have been OK, as even a fleet of 140 US bombers failed to reach into....

  3. steviebuk Silver badge

    What's the betting

    They cut costs in IT to save money? IT departments are always seen as unimportant for some reason. When nothing is happening they are accused of "Not being required. Everything runs fine and you never seem to be doing anything" or "we keep having outages since cutting your budget so we'll outsource you".

    1. bgng

      Re: What's the betting

      Hydro is already outsourced, no?

      1. herman

        Re: What's the betting

        "Hydro is already outsourced" - Well, outsourced and outdoor sourced, are not exactly the same thing.

  4. Korev Silver badge
    Coat

    Origin

    I almost hope it originated from North Korea, they we could have "Norks get Norsk"

    1. W.S.Gosset

      Re: Origin

      or even better if Norsk did nuclear

      then we'd have: "Norks get Norsk Nukes"

      massive bonus points if NK spokesperson of irrelevant gender had big breasts.

      "Norks' Norks: Norsk Nukes -- Swedish Chef implicated"

  5. sanmigueelbeer
    Happy

    Norsk Hydro has cyber insurance, he said.

    `tis alright, folks. Norsk Hydro is fully covered.

    Now let's see if the insurance company will pay up or will they find an "exemption".

    1. Anonymous Coward
      Anonymous Coward

      We already know the answer. I've never heard of "cyber insurance" paying out any real money. Anyone know of an example?

      1. sanmigueelbeer

        Anyone know of an example?

        Will will know in the next TheRegister installment of "To Pay or not to pay -- Insurance escapes (again) paying out Cyber Insurance claim".

      2. c1ue

        $90m paid out for Target.

        Many other examples; the industry overall has about a 70% loss ratio meaning 70 cents paid out for each dollar of premium paid in.

        Yes, there are lawsuits and lately the Zurich/Mondelez situation, but those are exceptions rather than rules.

        1. 0laf
          Mushroom

          I would thnk so. Ransomware is a pretty well established risk. Before the insurance pays out you need to have taken all reasonsable steps to avoid the incidnt in the first place. If they'd done that then almost certainly they wouldn't have an incident in the first place.

          Usual suspects -

          No money for training of staff on phishing or spotting other malware

          Basic AV only

          Internal network flat because reconfiguration would cause downtime

          Servers and desktops unpatched for the same reason

          No internal IT staff other than screwdriver techs

          Backups either unprotected so encrypted as well or non-functional because they've never been tested

          If any of that is the case they'll get fuck all money. Still not to worry it's still IT's fault somehow.

          1. Doctor Syntax Silver badge

            "Internal network flat because reconfiguration would cause downtime"

            And it would be so inconvenient to to be able to reach anything and everything from anywhere.

          2. Prst. V.Jeltz Silver badge

            "No money for training of staff on phishing or spotting other malware"

            should that really be a factor?

            we have 8000 totally I.T illterate doctors and nurses. busy ones.

            There is no way in hell one of the 8000 isnt going to click on a dodgy email, no matter how much training you force feed them.

          3. Trixr

            ...Legacy OSes running "critical" systems that cannot be patched, or require shitty SMB1 or shitty NTLMv1.

      3. Anonymous Coward
        Anonymous Coward

        Cyber insurance

        "Cyber insurance" sounds like premium quality snake oil. I assume that any payouts would be in some obscure and valueless blockchain currency?

        (Also, a pet peeve of mine: "cyber"-anything really does not mean what most people think the word means. It's one of those annoying stupid phrases from around 1995 that should really have gone away to "surf the web" long long ago, with an anchor (boat, not HTML) chained to its ankle...)

        1. Keven E

          Re: Cyber insurance

          How can we trust the data the actuary uses to determine risk and ultimately the price? <snicker>

  6. Anonymous Coward
    Anonymous Coward

    Obvious

    They need to store their bank accounts as "heavy money" :-)

  7. Doctor Syntax Silver badge

    Another company learns the hard way.

    1. Will Godfrey Silver badge
      Unhappy

      I'm not so sure they'll actually learn. Many don't

  8. Anonymous Coward
    Terminator

    Ransomware outbreak hits Norwegian ‘computers’

    Phil Neray .. told The Register that it was inevitable hackers would look to get ransomware onto networks at manufacturing and power giants, given how valuable system uptime is in those environments

    Then why not connect your valuable system environments using VPNs runing on read-only embedded hardware. If you don't know how to do that then maybe you're not tempermentally suitable for a career in IT.

    -------

    19.01.2019

    Cyber Attack Against the Hydro Network

    Please do not connect any devices to the Hydro Network. Do not turn on any devices connected to the Hydro Network.

    Please disconnect any device (Phone/Tablet etc.) from the Hydro Network.

    Await new update.

    - Security

    1. Anonymous Coward
      Anonymous Coward

      Re: Ransomware outbreak hits Norwegian ‘computers’

      "Then why not connect your valuable system environments using VPNs runing on read-only embedded hardware."

      What?

      Your embedded hardware will be logging data from the equipment, even if they're read only, they need to send information somewhere. And VPN's generally don't help as you will likely be in full control of your network - adding a VPN on top will just mean the virus/malware propagates via encrypted tunnels rather than directly over the wire within your buildings.

      Traditionally, good practice has been to fully isolate SCADA-type systems from office LAN's as they tend to receive less frequent patching (i.e. once or twice a year managed by the vendor) and often won't have AV installed due to either vendor recommendations or conflicts with fragile applications. As management of those systems is centralised or outsourced, the desire for more connectivity makes them harder to protect.

      Having said that, it sounds like the SCADA-type systems aren't affected but have been isolated as a precaution. Based on previous organisations experiences with ransomware, if you aren't patched against the vulnerability it uses to spread, your only hope is shutting down the network until you have a solid plan for containment and rebuilding. And that solid plan better include isolation of any networks that you're unsure of - something that is often easier said than done when management of the devices is off-site.

      1. bungle42

        Re: Ransomware outbreak hits Norwegian ‘computers’

        "Traditionally, good practice has been to fully isolate SCADA-type systems from office LAN's as they tend to receive less frequent patching (i.e. once or twice a year managed by the vendor) and often won't have AV installed due to either vendor recommendations or conflicts with fragile applications."

        This may have been the case in the past but these days many departments within an organisation need access to data from the process control systems for their day-to-day duties. I work for a large automation supplier where the typical system architecture consists of various layers (Plant/Process Control/Operator HMI/Servers/DMZ/Business LAN) separated by firewalls. Most modern control systems (rightly or wrongly) are windows based these days so there is a server that regularly rolls out Hotfixes, Windows Updates, and Virus Definitions.

        A few specific examples of how the control system data is used are: Maintenance can interrogate or even re-calibrate field instruments from a workstation in the maintenance shop; Accounts can review tank inventories in real time; Process Engineers can optimise plant performance by reviewing data from the history servers; Corporate can compare production rates in real time between different plants all over the world.

        Isolating a SCADA or Process Control System might seem like a good idea but even an air-gapped system can be susceptible e.g. as in the Stuxnet virus that could be introduced via a USB thumb drive.

        1. Doctor Syntax Silver badge

          Re: Ransomware outbreak hits Norwegian ‘computers’

          At least am air-gapped system only has an intermittent and narrow channel to the rest if it's managed properly. That should exclude plugging in USB drives that haven't been checked, let alone plugging in the thumb drive you found lying in the car park. It would help to use more than one operating system, even if it's just on one extra box that you use for relaying between the two worlds.

        2. Stevie

          Re: Ransomware outbreak hits Norwegian ‘computers’

          This may have been the case in the past but these days many departments within an organisation need access to data from the process control systems for their day-to-day duties.

          Eee, it meks y' wunder 'ow we did it before we filled t' place wi' computers, dunnit?

          1. bungle42

            Re: Ransomware outbreak hits Norwegian ‘computers’

            Totally agree but that's the connected world we now live in.

            You could air-gap your home PC to protect yourself from online threats but that kind of makes surfing the web a little difficult.

            Responsible home users can keep their software and AV up to date.

            Because of the greater attack surface, responsible businesses have to take this to a whole new level https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

            1. Stevie

              Re: Ransomware outbreak hits Norwegian ‘computers’

              We aren't talking about home users or desktops, we are talking about control servers for vital national infrastructure.

              I see no problem with airgapping such equipment, enabling one-way push to VERY locked down reporting servers for the shiny-brigade and requiring someone be on site to push in the moderator rods with their own fair hands (suitably gloved).

        3. Anonymous Coward
          Gimp

          Re: Ransomware outbreak hits Norwegian ‘computers’

          "as they tend to receive less frequent patching"

          I know of a Windows 98 machine running in production. On the bright side, that machine shits itself if you try and put a default gateway on it and it forgets how to control the machine.

  9. whitepines

    insecure by design

    How much do you want to bet they were using Windows 7 / 10 on Intel systems?

    That's like building a city in the middle ages to encourage rat population growth. Dumb dumb dumb.

    1. Yet Another Anonymous coward Silver badge

      Re: insecure by design

      >How much do you want to bet they were using Windows 7 / 10 on Intel systems?

      Instead of Norsk Data

      Actually they might be, we had real time control systems in the late 90s running on Norsk data mini computers - with no plans to replace them.

      1. Phil O'Sophical Silver badge

        Re: insecure by design

        we had real time control systems in the late 90s running on Norsk data mini computers

        Under Sintran? (shudder)

        1. Anonymous Coward
          Anonymous Coward

          Re: insecure by design

          Ah, I didn't know the web was invented on a Nord-10, that's a nice little nugget of info.

        2. Yet Another Anonymous coward Silver badge

          Re: insecure by design

          Fortunately didn't have to do the Nord end, but I built a wire wrap PC board to send detector events to it with 1us latency - not sure how I would do that on 'modern' hardware

  10. Maelstorm Bronze badge
    Boffin

    Industrial Network Security...or lack of....

    Ever since Shodan came along, we will be seeing more of this in industrial settings. The big issue is the industrial controls that control material handling, processing, and manufacturing. These systems/networks MUST be air gapped (although that is not full proof as we have seen with the Stuxnet worm) to increase the difficulty level of performing a breach to very difficult to impossible for hackers, crackers, and state sponsored actors. Additionally, epoxy the USB ports and disconnect the optical drives so that nobody can slip something onto the network (not fool proof, but it does help).

    Air gaped networks force an intruder to perform a up-front intrusion (they have to be on site). Physical security is another matter though.

    1. Duncan Macdonald

      Re: Industrial Network Security...or lack of....

      They MUST be air-gapped - however the execs often demand network connection as when things are going well they can make a bit more profit by having faster response to changes - then they lose all that profit (and more) when things like this happen.

      Having the control networks connected to the internet is like making more profit on ships by not having enough lifeboats (as on the Titanic).

      1. Prst. V.Jeltz Silver badge

        Re: Industrial Network Security...or lack of....

        "Having the control networks connected to the internet is like making more profit on ships by not having enough lifeboats (as on the Titanic)."

        although correct thats the weakest analogy i've ever heard, the only thing the 2 have in common is "its a bad idea"

        I'd have gone with:

        "Having the control networks connected to the internet is like leaving your car permanently unlocked so your friends and family can easily access it."

  11. Pascal Monett Silver badge

    Looks like they will finally decide to allocate some budget to IT security now

    And, with a truckload of luck, some other heavy-industry companies will take this as a heads-up and start moving their ass on the subject as well.

    Yeah, it's gonna cost money. The only question is, are you going to pay that money before the enforced shutdown and cleanup, or after ?

    1. Doctor Syntax Silver badge

      Re: Looks like they will finally decide to allocate some budget to IT security now

      "The only question is, are you going to pay that money before the enforced shutdown and cleanup, or after ?"

      It's always easier to find the money after.

    2. John Brown (no body) Silver badge

      Re: Looks like they will finally decide to allocate some budget to IT security now

      "And, with a truckload of luck, some other heavy-industry companies will take this as a heads-up and start moving their ass on the subject as well."

      You think? How many took onboard what happened to Maersk?

  12. Locky
    Mushroom

    The slightly updated adage is still true

    There are two types of companies. Those who back up and test their files, and those who haven't experienced losing all their data to ransomware.

  13. Anonymous South African Coward Bronze badge

    Can we ransomware Skynet?

  14. Anonymous Coward
    Anonymous Coward

    DRP

    Where is their DRP ?

    1. A.P. Veening Silver badge

      Re: DRP

      The documents for the Disaster Recovery Plan were the first to be encrypted by ransomware.

  15. Christian Berger

    *Nelson* Ha Ha...

    I mean seriously, to be hit with Ransomware and to have that an effect on your production systems you must have been violating "best practices" a _LOT_.

    It's not like such a thing or the cheap mitigations against it are new. Simply splitting your network and limiting what your clients have access to can bring a lot of additional security while only costing a few Euros per department.

    If I was in the IT department of that company, I'd quickly try my best to fake notes I sent upstream to warn about this.

  16. Anonymous Coward
    Anonymous Coward

    All the best to the team in Grevenbroich

    I hope the ransomware didn't get to the planning systems.

    Your Irish friend from 18 years ago.

  17. Casca Silver badge

    Has no one heard of applocker?

  18. Martin hepworth

    IR response

    was awesome

    they had PR out in a few hours including notice to the local stock exchange

    regular updates from a dedicated press room via trained folks

    How much of this could we do?

  19. Stevie

    Bah!

    Air gap for the win.

    Why anyone would have persistent internet connections to control infrastructure is a mystery to me. Hack waiting to happen.

  20. PrivateCitizen
    Facepalm

    Ransomware

    I cant see any indication that this was a wormable version of ransomware, so if they have had 000s of devices infected (rather than just the fileshares between the devices encrypted) then it implies they've been hit by a massive phishing campaign, failed to filter their email and been hammered for it.

    Realistically, if they'd met the almost joke-like standards of Cyber Essentials, they'd probably have been ok.

  21. Death_Ninja

    Not a worm...

    LockerGoga is not a worm.

    Norsk was hit by someone sh1t bombing their systems with it - possibly using AD logon scripts and/or their own patching system.

    Unlikely to be mass emailing, but they were targeted by someone...

    So its either an inside job or network penetration - both possible!

  22. Anonymous Coward
    Anonymous Coward

    Fujitsu dropped the ball?

    As part of the company’s digitalization strategy, security is a major focus for Hydro. In order to minimize risks to Hydro’s data and infrastructure, the Fujitsu Computer Security Incident Response Team (CSIRT) will provide global monitoring and response services to identify and stop security incidents around the clock. The services delivered by Fujitsu will include Security Information and Event Management (SIEM), vulnerability scanning, threat intelligence, and incident management.

    http://www.fujitsu.com/fts/about/resources/news/press-releases/2017/emeai-20170120-fujitsu-to-provide-security-solutions-to.html

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like