Aluminum producer switches to manual operations after ransomware infection

UPDATE: Cyber-attack identified as LockerGoga ransomware infection.

Norsk Hydro, one of the world's largest aluminium producers, revealed today that it "became victim of an extensive cyber-attack" that crippled some of its infrastructure and forced it to switch to manual operations in some smelting locations. The cyber-attack was later identified as an infection with the LockerGoga ransomware strain, the company said during a press conference.

News of the cyber-attack broke earlier this morning in a message the company sent to investors and stock exchanges.

"Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company's business areas," the company said. "IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible."

In a subsequent update posted on the company's Facebook page, Norsk Hydro said the cyber-attack did not impact "people safety" and that smelting plants across its vast international network were "running normally on isolated IT systems," although in a manual mode, without the aid of its computer-controlled systems.

In a press conference that took place later in the afternoon, the company confirmed that the attack was caused by a ransomware infection. The company said the ransomware was planted on its network late Monday evening, CET, and that its staff noticed the infection around midnight.

"Let me be clear! The situation for Hydro through this is quite severe. The entire worldwide network is down, affecting our production and our office operations," the company said during the press release. "There is a lack of ability to connect to production systems, causing some production challenges and temporary stoppages at several plants."

The company said it plans to restore impacted systems using backups.

According to Norwegian media, the country's Computer Emergency Response Team (CERT) is now warning all local companies about possible LockerGoga ransomware attacks.

The company's website was down all day, redirecting to a temporary page showing the same investor message. However, the company is expected to recover within the week.

Norsk Hydro is one of the world's largest producers of aluminium with operations in over 50 countries on all continents.

The company operates out of Oslo, Norway, and is the second Norwegian company to suffer a major cyber-attack in the last year after Chinese hackers breached cloud service provider Visma.

Cyber-attacks on large industrial corporations tend to happen every few months. While in most cases these end up being mundane ransomware incidents, breaches, BEC financial scams, and spear-phishing events, sometimes things are far worse.

One of these examples is Saipem, an Italian industrial giant active in the oil and gas sector. Last December, Saipem's name was plastered all over the internet after a new strain of the infamous Shamoon malware was found on its IT network during a cyber-security incident.

UK-based oilfield service provider Petrofac announced a similar cyber-security incident two weeks later, but the company never revealed if Shamoon was found on its network, to either ZDNet or cybersecurity industry insiders.

Article re-written based on new information the company provided during a press conference.
