#1275967: Norsk Hydro ransomware attack: What happened & what we learned
Norsk Hydro immediately shut off its WAN services and switched the industrial layer to manual mode. This suggests it did not have proper segmentation in place and feared the infection would spread across the network.
It has been just over six months since the March 18 ransomware attack on Norwegian aluminium manufacturer Norsk Hydro, which has cost it US$40 million (£33 million), and counting, in lost production revenue. Not all of the details of the attack have been published, but the most likely attack scenarios, based on what is known so far, already carry some lessons. Let's go back to the beginning.
First, here’s a visual breakdown of the environment and breach, viewed in a lightboard video.
Norsk Hydro’s environment before the attack
Assume that, like any other industrial control network built along the lines of the Purdue model, Norsk Hydro's network has three segments:
Industrial segment: the manufacturing floor, where the physical processes and the controllers that drive them run. The OT workstations and servers live here: they collect data from the control layer and pass it up to the IT systems in the layers above, and they send operational commands down to the controllers below.
Industrial demilitarised zone (DMZ): the buffer between the OT and IT layers. Nothing should cross it directly; it holds the systems both sides need to talk to, typically a web/proxy server, Active Directory (AD) domain controllers, and a database replication server.
Enterprise layer: the corporate IT and business systems (ERP/SAP) are found here.
LockerGoga is a ransomware family built for targeted attacks that first surfaced in January 2019. Early samples had no self-propagation capability: the only network traffic observed was over port 445 (SMB), which is consistent with the attackers pushing the binary from server to server by hand. More recent samples have been reported to use undocumented Windows APIs and the WS2_32.dll socket library to handle network connections, which suggests that network capability has since been added to LockerGoga.
Norsk Hydro’s attack
This attack appears to have combined LockerGoga with a targeted compromise of Norsk Hydro's Active Directory domain controllers. Several theories are circulating about how it originated. The most likely are:
A phishing email opened by an unsuspecting employee, which installed the malware on that employee's workstation.
An exposed RDP server that the attacker was somehow able to compromise and use to place the executable on the server.
Once the initial foothold was established, the attackers were able to take control of the Active Directory (AD) domain and, from there, the rest of the network. This could have happened in a few ways:
Using mimikatz to dump credentials from LSASS memory on a compromised machine
Reading Group Policy Preferences XML files in the SYSVOL share of the domain controller, which every domain user can read and which can contain a cpassword attribute (an AES-encrypted password whose key Microsoft itself published, see MS14-025)
A pass-the-hash attack, authenticating to the domain controller with a stolen NTLM hash instead of the password
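The SYSVOL route above is the easiest of the three for a defender to check for themselves. The script below is an added example, not code from the article or from Norsk Hydro: it walks a SYSVOL-like directory tree, parses every Group Policy Preferences XML file, and reports each element that still carries a cpassword attribute. The GPP file layout it expects and the sample policy files it builds in a temporary directory are constructed for the example; the cpassword value in them is not a real ciphertext.

```python
"""Find Group Policy Preference (GPP) XML files under SYSVOL that still carry
a cpassword attribute.

Added example, not from the article. Assumptions: the GPP XML layout shown in
the constructed samples below, and a SYSVOL-like directory tree on disk.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Attributes GPP uses, depending on the preference type, to name the account
# whose encrypted password sits next to it in the same element.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(xml_text: str) -> List[Dict[str, str]]:
    """Return every element in one GPP XML document that carries cpassword.

    The value is AES-256 encrypted, but Microsoft published the key (MS14-025),
    so any domain user who can read SYSVOL can recover the plaintext. For the
    defender, the presence of the attribute is therefore the finding.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "<unknown>")
        findings.append({"element": elem.tag, "account": account,
                         "cpassword": elem.attrib["cpassword"]})
    return findings


def scan_sysvol(sysvol_root: Path) -> List[Dict[str, str]]:
    """Walk a SYSVOL-like tree and report cpassword hits with their file path."""
    hits = []
    for xml_file in sysvol_root.rglob("*.xml"):
        try:
            found = find_cpasswords(xml_file.read_text(encoding="utf-8-sig"))
        except (OSError, UnicodeDecodeError, ET.ParseError):
            continue  # unreadable or not well-formed XML: not a GPP preference file
        for finding in found:
            finding["file"] = str(xml_file.relative_to(sysvol_root))
            hits.append(finding)
    return hits


# Constructed sample data (not real policy files): one Groups.xml that sets the
# local Administrator password via GPP, and one Drives.xml with no credential.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" cpassword="Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1yZWFs"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>
"""

SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:">
    <Properties action="U" path="\\\\files\\home" label="Home" persistent="1" letter="H"/>
  </Drive>
</Drives>
"""


def demo() -> List[Dict[str, str]]:
    """Build a throwaway SYSVOL tree from the samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs = Path(tmp) / "corp.local" / "Policies" / "{GPO-GUID}" / "Machine" / "Preferences"
        (prefs / "Groups").mkdir(parents=True)
        (prefs / "Drives").mkdir(parents=True)
        (prefs / "Groups" / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
        (prefs / "Drives" / "Drives.xml").write_text(SAMPLE_DRIVES_XML, encoding="utf-8")
        return scan_sysvol(Path(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['file']}: <{hit['element']}> stores a password for {hit['account']}")
```

Against a real domain, point scan_sysvol at the mounted SYSVOL share (for example \\corp.local\SYSVOL on a domain-joined host) rather than at the temporary tree demo builds. Any hit should be treated as an already-exposed credential: remove the preference and rotate the password, since decrypting the value needs nothing beyond the published key.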
The important thing is that the malware appears to have gained domain admin in the network, which would give the attackers the keys to the kingdom.
Once the executable was staged in a shared folder on the domain controller (one that every domain-joined workstation and server can read), the attacker could push it out with a scheduled task that ran it on every machine under that domain. LockerGoga changed the administrator passwords and forcibly logged off all users and local admins, then encrypted the files on workstations and servers alike. Employees were locked out of their machines, and their old credentials no longer worked against the servers.
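Both steps described above leave traces in the Windows Security log on the affected hosts: a scheduled task creation (event 4698) whose command points at a network share, and a burst of password resets (event 4724) performed by one account against many others. The following is an added detection example, not code from the article or from Norsk Hydro's response. It runs two rules over constructed sample events; the simplified dict shape of the events and their field names are an assumption for the example, not a real log export format.

```python
"""Two detections for the deployment pattern described in the article:
a scheduled task launched from a share, and mass local-admin password resets.

Added example, not from the article. The event shape below is a constructed
simplification of Windows Security log records 4698 and 4724.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

Event = Dict[str, str]

# Constructed sample events (not from the incident). 4698 = scheduled task
# created; 4724 = attempt to reset an account's password. Dates are arbitrary.
SAMPLE_EVENTS: List[Event] = [
    {"time": "2019-01-01T22:55:10", "host": "DC01", "id": "4698", "subject": "CORP\\svc-backup",
     "task": "\\Maintenance\\Update", "command": "\\\\DC01\\SYSVOL\\corp.local\\scripts\\update.exe"},
    {"time": "2019-01-01T22:56:00", "host": "WS-0417", "id": "4698", "subject": "CORP\\jdoe",
     "task": "\\Adobe Updater", "command": "C:\\Program Files\\Adobe\\updater.exe"},
    # one earlier, legitimate-looking reset by the same service account
    {"time": "2019-01-01T14:00:00", "host": "SRV-FILE01", "id": "4724",
     "subject": "CORP\\svc-backup", "target": "SRV-FILE01\\Administrator"},
    # the burst: six different machines in ninety seconds
    {"time": "2019-01-01T22:58:01", "host": "WS-0417", "id": "4724",
     "subject": "CORP\\svc-backup", "target": "WS-0417\\Administrator"},
    {"time": "2019-01-01T22:58:15", "host": "WS-0418", "id": "4724",
     "subject": "CORP\\svc-backup", "target": "WS-0418\\Administrator"},
    {"time": "2019-01-01T22:58:30", "host": "WS-0419", "id": "4724",
     "subject": "CORP\\svc-backup", "target": "WS-0419\\Administrator"},
    {"time": "2019-01-01T22:58:45", "host": "WS-0420", "id": "4724",
     "subject": "CORP\\svc-backup", "target": "WS-0420\\Administrator"},
    {"time": "2019-01-01T22:59:00", "host": "WS-0421", "id": "4724",
     "subject": "CORP\\svc-backup", "target": "WS-0421\\Administrator"},
    {"time": "2019-01-01T22:59:30", "host": "WS-0422", "id": "4724",
     "subject": "CORP\\svc-backup", "target": "WS-0422\\Administrator"},
    # normal helpdesk activity: one reset, one target
    {"time": "2019-01-01T09:12:00", "host": "DC01", "id": "4724",
     "subject": "CORP\\helpdesk", "target": "CORP\\mmiller"},
]


def parse_time(event: Event) -> datetime:
    return datetime.fromisoformat(event["time"])


def find_share_launched_tasks(events: List[Event]) -> List[Event]:
    """4698 events whose task command is a UNC path (\\\\server\\share\\...).

    A task created to run a binary straight off a share is how a single
    staged executable reaches every machine in the domain.
    """
    return [ev for ev in events if ev["id"] == "4698" and ev["command"].startswith("\\\\")]


def find_mass_password_resets(events: List[Event], threshold: int = 5,
                              window: timedelta = timedelta(minutes=5)) -> Dict[str, List[str]]:
    """Subjects that reset at least `threshold` distinct accounts within `window`.

    Uses a sliding window per subject so that unrelated resets hours apart do
    not add up; returns the largest set of targets seen inside one window.
    """
    by_subject: Dict[str, List] = defaultdict(list)
    for ev in events:
        if ev["id"] == "4724":
            by_subject[ev["subject"]].append((parse_time(ev), ev["target"]))

    alerts: Dict[str, List[str]] = {}
    for subject, resets in by_subject.items():
        resets.sort()
        start = 0
        best: Set[str] = set()
        for end, (t_end, _) in enumerate(resets):
            while t_end - resets[start][0] > window:
                start += 1
            seen = {target for _, target in resets[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            alerts[subject] = sorted(best)
    return alerts


if __name__ == "__main__":
    for ev in find_share_launched_tasks(SAMPLE_EVENTS):
        print(f"[task from share] {ev['host']} {ev['subject']} -> {ev['command']}")
    for subject, targets in find_mass_password_resets(SAMPLE_EVENTS).items():
        print(f"[mass reset] {subject} reset {len(targets)} accounts: {', '.join(targets)}")
```

The point of keeping these rules simple is that they only work if the 4698 and 4724 records are forwarded off the host as they are written; once LockerGoga has encrypted the machine, the local log is gone with everything else, which is exactly the "black box" problem raised below.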
After the attack was discovered
Norsk Hydro immediately shut off its WAN services and switched the industrial layer to manual mode. That decision suggests it did not have proper segmentation in place: a company would not run all of its industrial processes by hand unless it feared that the infected servers and systems could reach the rest of the network.
So, what can we learn from this? Here are the key takeaways:
1. Have a "black box" in case the plane crashes.
In other words, Norsk Hydro did not have an accessible record of everything that happened in the run-up to the attack. Its logs lived on the same machines and servers that were encrypted, so once those went off the grid it lost the ability to see what had happened and what was still developing. When an attack succeeds, being able to piece the timeline together quickly, from logs held somewhere the attacker cannot reach, is what limits the damage.
2. Segmentation is not negotiable.
It is not unusual for industrial control systems to be "air gapped", that is, connected to nothing but each other. In this case the Active Directory domain appears to have bridged the gap: weaknesses or insider threats among the standard office computers led to the compromise of Active Directory, and that in turn gave access to the industrial control systems.
The ransomware changed administrator passwords, and since everything was (probably) in the same domain, rather than in a mix of network segments and separately administered domains, the attack moved fast. In general, manufacturing companies would do well to follow some best practices:
Operational Technology (OT) networks should be separated from corporate IT, as the latter remain connected to the internet and exposed to risk regularly.
Multiple Active Directory domains can be used to slow down many types of automated attacks, although a domain is not a true security boundary (the forest is); separate forests without trusts are what actually keep a compromise of the office domain from becoming a compromise of the plant.
Network segmentation should be used to prevent unwanted cross talk between locations and unrelated servers.
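Segmentation is only as good as the rules that implement it, and the rules are easy to audit once the zones are written down. The script below is an added example, not code from the article or from any Norsk Hydro configuration: it models the three-zone layout described earlier (plus the internet the enterprise zone is exposed to) and checks a zone-to-zone firewall policy against it, flagging any allow rule that skips the DMZ, lets the industrial zone initiate connections anywhere but the DMZ, or opens SMB/RDP/WinRM into the plant from a whole zone instead of a single jump host. The Rule shape and the sample rule set are constructed for the example, not any vendor's format.

```python
"""Audit a zone-to-zone firewall policy against the Enterprise / DMZ /
Industrial layout.

Added example, not from the article. The Rule shape, the zone names and the
constructed rule set are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Zone ordering. Adjacent zones may talk; anything further apart must be
# broken in the DMZ. "internet" is here because the enterprise zone is the
# one exposed to it.
ZONE_LEVEL = {"internet": 3, "enterprise": 2, "dmz": 1, "industrial": 0}

# Admin protocols that double as lateral-movement tools (LockerGoga was
# pushed over SMB); into the plant they should come only from a jump host.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM"}
ANY_PORT = 0


@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    port: int             # destination port, ANY_PORT for all
    action: str           # "allow" or "deny"
    src_host: str = "*"   # "*" = whole zone, otherwise one named host


def check_rule(rule: Rule) -> List[str]:
    """Return the policy problems with one rule (empty list = acceptable)."""
    problems: List[str] = []
    if rule.action != "allow":
        return problems  # deny rules cannot open a path
    if abs(ZONE_LEVEL[rule.src] - ZONE_LEVEL[rule.dst]) > 1:
        problems.append("skips a zone boundary; the flow must terminate in the DMZ")
    if rule.dst == "industrial" and rule.port == ANY_PORT:
        problems.append("any-port allow into the industrial zone")
    if rule.dst == "industrial" and rule.port in ADMIN_PORTS and rule.src_host == "*":
        problems.append(f"{ADMIN_PORTS[rule.port]} into industrial from a whole zone, not a jump host")
    if rule.src == "industrial" and rule.dst != "dmz":
        problems.append("industrial zone initiates connections outside the DMZ")
    return problems


def audit(rules: List[Rule]) -> Dict[Rule, List[str]]:
    """Map every rule that has problems to the list of problems found."""
    report: Dict[Rule, List[str]] = {}
    for rule in rules:
        problems = check_rule(rule)
        if problems:
            report[rule] = problems
    return report


# Constructed sample policy: a mix of sound rules and the shortcuts that turn
# an office compromise into a plant compromise.
SAMPLE_RULES = [
    Rule("enterprise", "dmz", 443, "allow"),                     # users reach the DMZ proxy
    Rule("dmz", "enterprise", 1433, "allow"),                    # replicated DB up to ERP
    Rule("industrial", "dmz", 1433, "allow"),                    # historian pushes into the DMZ
    Rule("enterprise", "industrial", ANY_PORT, "allow"),         # the shortcut that bypasses the DMZ
    Rule("dmz", "industrial", 445, "allow"),                     # SMB into the plant from the whole DMZ
    Rule("dmz", "industrial", 3389, "allow", src_host="jump01"), # RDP from one jump host only
    Rule("industrial", "internet", 443, "allow"),                # plant hosts calling out directly
    Rule("enterprise", "industrial", ANY_PORT, "deny"),          # the default that should exist
]


if __name__ == "__main__":
    for rule, problems in audit(SAMPLE_RULES).items():
        print(f"{rule.src} -> {rule.dst} port {rule.port} ({rule.src_host}):")
        for problem in problems:
            print(f"    {problem}")
```

The checker deliberately says nothing about what goes on inside a zone; its job is to catch the rules that would have let an Active Directory compromise in the office walk straight into the plant. Feeding it the zone mapping of the real rule base is the useful part; the sample rules only show what each check catches.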
3. Keep systems updated
With factories around the globe, Norsk Hydro runs extensive industrial control systems on its networks. It is likely it was not running the same version of Windows across the board, and when older versions are mixed in, regaining control once under attack becomes much harder. Balancing realistic maintenance with security is a challenge for any company, but the potential damage from an attack is far worse without precautions such as:
* Using inventory and patch management software
* Subscribing to threat intelligence feeds
* Conducting continuous vulnerability scanning, especially scans targeted at newly disclosed vulnerabilities
* Engaging red teams regularly
* Running anomaly detection as a layer of protection on both the network and the endpoints
While we may not know every single detail about how these attacks happen, we know that when vulnerabilities exist, extensive damage can be done. It’s most important to have the tools in place to quickly spot an intrusion and isolate it before it becomes massively destructive.
Date added: Sept. 11, 2019, 5:24 p.m.
Source: SC Magazine UK