In March of this year the global operations of Norsk Hydro, a renewable energy company and one of the world’s biggest aluminum producers, were disrupted after an apparent systemic infection from the ransomware LockerGoga. The attack forced production to be halted on March 19, 2019; manual production resumed within a week for some portions of the company, but others took even longer to become manually operational.
Due to this incident the company delayed their first quarter earnings reports by about five weeks as they worked toward full remediation. Their Q1 reporting indicates aluminum production volume was reduced by about 30,000 metric tons. While the breakdown among production loss, investigative/remediation costs, and brand impact is not available, the financial impact was likely close to USD 50 million.
There are four key takeaways to be aware of:
There are ~160 separate subnets (subnetworks—logical partitions of an IP network) associated with Norsk Hydro’s network infrastructure. This in itself is not a bad thing, as the service providers and locations associated with these subnets vary in accordance with known company locations. The potential complexity of an environment like this, however, is something to be aware of.
Such complexity requires users to demonstrate highly competent care and diligence to ensure that protection mechanisms, data transfers, data storage, and asset inventories are properly used and maintained. This technical assessment cannot ascertain if the proper skill sets were in place at Norsk Hydro, but this is something an underwriter should pay attention to when determining whether a prospect falls within their organization’s risk appetite.
2. Network Devices
There were 140 different operating systems observed within Norsk Hydro’s network, among them PlayStation and Windows 98. This finding is alarming in severity. Not only are some of these systems well past end of support and end of life, but the list of published exploits for them is also extensive.
This wide array of vulnerable systems indicates a lack of change control, poorly centralized management, or inadequate device monitoring enterprise-wide. Within this environment it would be extremely difficult to protect corporate assets or create a device inventory. It would also be close to impossible to establish organizational baselines both for device monitoring and remediation purposes.
There were dozens of active vulnerabilities identified within the Norsk Hydro infrastructure. These ranged from low-rated informational CVEs (Common Vulnerabilities and Exposures) up to vulnerabilities rated 10/10 in severity and dating back as far as 2010. An active infection was observed, for example, communicating out to a known C2 (command and control server); seeing active malicious outbound interactions indicates a compromise with an extremely high level of confidence.
4. Compromised accounts
More than 8,700 unique credentials from Norsk Hydro were found when we searched the dark web. Obviously, finding 1-10 compromised credentials is undesirable, but 8,700 from an organization that has, according to its website, 35,000 global employees is extremely serious. This means that the credentials of up to 24.8% of the company’s total workforce were compromised. This indicates a systemic problem that could be long term, or that a domain controller had been compromised, or both.
Sadly, all it would take to create another compromise is for just one set of the compromised credentials to be accurate for the above corporate system that gives external login access. With a quarter of employees’ credentials compromised, the odds favor the attacker.
Own the Risk
The higher the count of vulnerabilities present within an organization and the greater their severity, the higher the potential frequency and impact of compromises that organization is at risk of experiencing. Whether the vulnerabilities found at Norsk Hydro are the result of a shortage in skill set, personnel, or some other reason, it is clear this organization was not properly maintaining its infrastructure to mitigate risk. Knowing what you do now, would you be comfortable putting a similar risk on your books?