Norsk Hydro: LockerGoga encrypts everything, F-Secure researchers say

Michael Sandelson

20.03.19 6 min. read

Cyber attacks against businesses continue to create headlines. The latest victim to be hit is a multinational Norwegian aluminum producer.

Norsk Hydro’s IT systems were subjected this week to what the company called an “extensive cyber-attack, impacting operations in several of the company’s business areas.” Personnel arriving at their workplace were advised not to connect any of their devices to the company’s network, to keep devices that do connect to the network turned off, and to disconnect devices such as iPhones from it.

IT staff, Norway’s National Security Authority (NSM), military intelligence (e-tjenesten), and external cyber security partners started investigating the incident. All plants and operations were isolated, and staff switched to manual operations and procedures as far as possible. This was to “ensure safe operations and limit operational and financial impact”.

The root cause of the attack is said to be the LockerGoga ransomware, which also reportedly hits Microsoft’s Active Directory (AD), developed for Windows domain networks. The atypical ransomware disables all network interfaces, disconnecting devices from the network. It hits several PCs and servers simultaneously and asks for admin privileges.

After executing certain commands, it immediately starts encrypting everything, using the Boost library and CryptoPP for encryption. It even encrypts exe/dll files in ProgramFiles, and breaks many things on infected machines – the exception is C:\Windows and subfolders. Encrypted files have the “.locked” extension, and LockerGoga makes explorer.exe crash during encryption.

F-Secure Labs Threat Researchers also say that the malware executes “net.exe” a couple of times to change user account passwords – the password is always set to “HuHuHUHoHo283283@dJD”, a hardcoded string in the executable. Finally, the malware logs the user out, and the user can log in again using this password.

LockerGoga functions fully without any network connection. It drops a ransom note, README_LOCKED.TXT, in the “Public Desktop” folder (the Desktop files visible to all users). The ransom note itself is rather standard, demanding payment in order to decrypt the files.
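The behaviours listed above are most useful to a defender when correlated per host rather than matched one at a time. The following is an added example, not F-Secure's code: the event tuple layout, host names, sample paths and thresholds are constructed assumptions, while the note name, file extension and password string are the ones quoted in the article.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators quoted in the article.
NOTE_NAME = "readme_locked.txt"
LOCKED_EXT = ".locked"
HARDCODED_PW = "HuHuHUHoHo283283@dJD"
# "net user <account> <password>": two non-switch arguments after "user".
NET_SET_PW = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?!/)\S+\s+(?!/)\S+", re.I)

# Constructed telemetry: (host, event kind, command line or file path).
SAMPLE_EVENTS = [
    ("WS-014", "proc", r"C:\Windows\System32\net.exe user alice HuHuHUHoHo283283@dJD"),
    ("WS-014", "proc", r"C:\Windows\System32\net.exe user bob HuHuHUHoHo283283@dJD"),
    ("WS-014", "file", r"C:\Users\Public\Desktop\README_LOCKED.TXT"),
    ("WS-014", "file", r"C:\Program Files\App\app.exe.locked"),
    ("WS-014", "file", r"C:\Program Files\App\core.dll.locked"),
    ("WS-022", "proc", r"C:\Windows\System32\net.exe user"),  # account listing only
    ("WS-022", "file", r"C:\Users\carol\Documents\door.locked"),  # unrelated file
]


def classify(events):
    """Map each host to the set of LockerGoga behaviours seen in its events."""
    hits, pw_changes = defaultdict(set), defaultdict(int)
    for host, kind, detail in events:
        if kind == "proc" and NET_SET_PW.search(detail):
            pw_changes[host] += 1
            if HARDCODED_PW in detail:
                hits[host].add("hardcoded_password")
        elif kind == "file":
            path = PureWindowsPath(detail)
            parents = [p.lower() for p in path.parts[-3:-1]]
            if path.name.lower() == NOTE_NAME and parents == ["public", "desktop"]:
                hits[host].add("ransom_note")
            # Encrypted executables/libraries, e.g. app.exe.locked
            elif path.suffix.lower() == LOCKED_EXT and path.stem.lower().endswith((".exe", ".dll")):
                hits[host].add("locked_binaries")
    for host, count in pw_changes.items():
        if count >= 2:  # assumption: "a couple of times" means at least two
            hits[host].add("repeated_password_change")
    return dict(hits)


def alerts(events, min_indicators=2):
    """Hosts showing at least min_indicators distinct behaviours (threshold is an assumption)."""
    return sorted(h for h, seen in classify(events).items() if len(seen) >= min_indicators)
```

Because the malware disables network interfaces and works offline, such correlation has to run on telemetry already collected or buffered on the endpoint rather than on network alerts.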

Tom Van de Wiele, principal security consultant at F-Secure, works with companies on improving their security posture. He thinks that it is important to look at who the potential threat actors could be, bearing in mind that ransomware was being used and that the attack was launched on an industrial plant whose potential malfunctioning has national, or even political, consequences.

“Ransomware usually indicates fast gratification and payout for a criminal and as such this attack could be dismissed as an opportunistic money-grab while trying to maximize one’s profit by hitting something critical. On the other side of the argument, ransomware can be used as an alibi or perfect storm for a more informed attacker i.e. a nation state that either wants to test the response capabilities of an organization or as a diversion,” he explains.

The manufacturing industry is one of cyber criminals’ preferred targets. 86% of cyber attacks in manufacturing are targeted. 66% feature hacking, only 34% malware. While almost half (47%) of breaches involve the theft of intellectual property to gain competitive advantage, 53% of the attacks are carried out by state-affiliated actors, and 35% by organized crime.

In addition, this sector has a number of technological challenges, with the convergence of IT (information technology) and OT (operations technology). Data needs to flow from all of the different legacy distributed control systems at the plants, which means increased connectivity between the corporate and the production networks is both needed and increasing.

Operational technology is different to traditional information technology, with the two worlds having different mindsets and priorities. Fewer backups in place and an increased dependency on fewer facilities mean that any disruption across the supply chain could have increased consequences. Consolidating operations can weaken business resilience and redundancy levels, and new single critical points of failure can arise.

Many legacy systems operating today were built decades ago before the Internet was in everyday use, so cyber security was not a realistic threat. As a result, transitioning these systems to the Internet has opened them up to attacks from a myriad of angles, because the security controls we take for granted today had never been built into those legacy protocols and systems in the first place.

Moreover, updates and security patching are also a difficult challenge – especially when a system needs to be “on” all the time, leaving little-to-no time for critical security improvements. Similarly, any system costing millions and designed to work for decades is not going to be readily discarded and replaced by a new one, even if it is deemed to be insecure.

In general, a supply chain attack targets an organization through a third party, a vendor, or a partner. Also known as a value-chain or a third-party attack, it is designed to infiltrate a company’s systems through vulnerable elements in their partner network. While the weakest link in a firm’s security chain may lie outside the organization, humans are what attackers exploit most often. The most common infection vector is spear phishing email. Methods criminals use to single out their targets include social engineering, with LinkedIn being a typical service used for this.

Principal F-Secure security consultant Tom Van de Wiele comments about the Norsk Hydro case that “we can probably assume that the entry point to what is now being described as ransomware could have come from different angles, as they are operating an industrial plant with what we can expect to be a good number of IT and other service providers.”

These could be an exposed internet-facing system that was found by accident or by a targeted attacker, where access was gained and the malware introduced to as many systems as possible. Another could be that the contractor introduced the malware on their network or some other entry point by picking it up from somewhere else or as a result of an opportunistic or a targeted attack. Thirdly, and most likely, someone at the company received an email with an attachment that was malicious.

Details about the first and third possible attack surfaces are still not complete. However, Tom thinks that when it comes to network segregation and making sure administrative networks are kept separate from production networks, something went wrong in making or maintaining that separation a reality. Alternatively, the attack was of such a profound size that the attacker was able to travel from one network to another.

“Unfortunately with past incidents and having performed advisory and testing services, the former is usually the culprit,” he says.

It is not possible to quantify exactly when the next sophisticated exploit or vulnerability will be disclosed, but we can be sure that they will be quickly (within days or hours) weaponized for use in targeted attacks or unspecific campaigns.
