Aluminium production giant Norsk Hydro have been forced to switch to manual operations following a severe ransomware attack on Monday evening.
News of the attack was released after an announcement was made to investors on Tuesday morning. Subsequent press releases have established that the attack was severe enough to bring down their “entire worldwide network”. It is not, however, believed that the attack posed any risk to “people safety”, as the smelting plants were moved over to manual mode, disabling most computer-assisted systems.
Norsk Hydro, who operate in 40 countries worldwide, have called in national security authorities to help contain the situation and assess the extent of the damage. Whilst details are currently limited, it is known that employees were asked not to connect any devices to the network, and that the initial indicator of compromise was suspicious activity identified by IT workers that then moved rapidly across other areas of the business.
The prime theory of the root cause at this stage is LockerGoga, a form of ransomware recently discovered and made public by MalwareHunterTeam. LockerGoga, like all ransomware, encrypts files and demands payment for a decryption key, in this instance changing the file extension to .locked. Without the decryption key, the data is inaccessible.
Fast discovery and containment of the ransomware is crucial, as it can move laterally across accessible network shares without needing an outbound connection to a command and control server. Samples of LockerGoga, which is also suspected as the root cause in the recent Altran cyber attack, were immediately uploaded to VirusTotal. The detection rate is still relatively low, but common anti-virus signature databases are slowly being updated to block the ransomware.
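Because LockerGoga renames files to .locked and spreads across network shares rather than calling out to a command and control server, one early warning is a single host renaming many files to .locked across several shares in a short window. The following is an added example written for this post (not Bridewell's or Norsk Hydro's tooling); it assumes a simplified, constructed file-server audit log format, so a real deployment would need a parser for its own audit source.

```python
"""Flag hosts that rename many files to ".locked" across network shares in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real Norsk Hydro data), one event per line:
# "<ISO timestamp> <host> <action> <old_path> -> <new_path>"
# Forward slashes stand in for UNC backslashes to keep the sample readable.
SAMPLE_LOG = """\
2019-03-18T22:01:05 WS-0142 RENAME //fs01/finance/q1.xlsx -> //fs01/finance/q1.xlsx.locked
2019-03-18T22:01:06 WS-0142 RENAME //fs01/finance/q2.xlsx -> //fs01/finance/q2.xlsx.locked
2019-03-18T22:01:07 WS-0142 RENAME //fs02/hr/payroll.docx -> //fs02/hr/payroll.docx.locked
2019-03-18T22:01:09 WS-0142 RENAME //fs02/hr/contracts.pdf -> //fs02/hr/contracts.pdf.locked
2019-03-18T22:01:11 WS-0142 RENAME //fs03/eng/plan.dwg -> //fs03/eng/plan.dwg.locked
2019-03-18T22:05:30 WS-0077 RENAME //fs01/finance/draft.docx -> //fs01/finance/final.docx
2019-03-18T22:06:00 WS-0077 RENAME //fs01/finance/old.txt -> //fs01/finance/old.txt.locked
"""

LOCKED_EXT = ".locked"  # extension LockerGoga appends, per the post above


def parse_line(line):
    """Return (timestamp, host, old_path, new_path), or None if the line is not a rename."""
    parts = line.split(" ", 3)
    if len(parts) != 4 or parts[2] != "RENAME" or " -> " not in parts[3]:
        return None
    old_path, new_path = parts[3].split(" -> ", 1)
    return datetime.fromisoformat(parts[0]), parts[1], old_path, new_path


def share_of(path):
    """Reduce //server/share/dir/file to //server/share so spread across shares can be counted."""
    return "/".join(path.split("/")[:4])


def find_suspicious_hosts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: (max .locked renames in any `window`, distinct shares touched)} for every
    host that renames at least `threshold` files to .locked within one sliding window."""
    events = defaultdict(list)  # host -> [(timestamp, share)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3].endswith(LOCKED_EXT):
            ts, host, _old, new_path = parsed
            events[host].append((ts, share_of(new_path)))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        worst, start = 0, 0
        for end in range(len(evs)):          # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[host] = (worst, len({share for _ts, share in evs}))
    return flagged
```

The threshold and window are tuning knobs: a single user renaming one file to .locked is noise, while one workstation touching three shares in six seconds is the pattern worth isolating from the network immediately.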
Common attack vectors for ransomware are phishing, user web browsing and vulnerable or weakly protected publicly accessible services. Bridewell strongly recommend a combination of the following defensive controls:
- Automatically update anti-virus signatures within 24 hours of release
- Install the latest operating system or software patches within 7 days of release
- Ensure networks are adequately segregated to protect valuable systems from those exposed to the internet
- Implement appropriate web content filtering
- Implement strong user password policies
- Practice the principle of least user privilege and perform regular access control reviews
- Ensure public facing systems are protected from unauthorised access with multi-factor authentication
- Implement advanced threat protection controls to filter suspicious mail at the boundary
- Subject all employees to regular security awareness training with particular emphasis on teaching users to identify a potential phishing attempt
Written by Mike McGrath – Penetration Tester