NHYDY Norsk Hydro ASA (QX)

By Catherine Stupp 

This article is being republished as part of our daily reproduction of WSJ.com articles that also appeared in the U.S. print edition of The Wall Street Journal (April 11, 2019).

Norwegian aluminum and energy company Norsk Hydro ASA confirmed that hackers used a relatively new form of ransomware known as LockerGoga in a March 19 cyberattack that crippled the company's global operations.

Norsk Hydro's cybersecurity analysts found six strains of the LockerGoga virus in their systems, said Jo De Vliegher, chief information officer, in an interview. It is the first time Norsk Hydro named LockerGoga as the virus that infected its facilities and forced several of its business units to switch to some manual operations. Norway's National Security Authority also has been investigating the attack and said previously it identified LockerGoga.

"It really hits everybody like a tsunami. It's not an IT crisis. It's the complete business that is temporarily paralyzed," Mr. De Vliegher said. "Everybody needs to find plan B's and solutions to just keep the boat floating."

Most of the company's production is back to normal but some administrative tasks are delayed, the company said. Mr. De Vliegher said he could keep a crisis team working on the investigation into the summer and perhaps until year's end as the probe continues. The attack has so far cost the company 300 million to 350 million Norwegian Krone ($35 million to $40 million), it said last month. Norsk Hydro hasn't paid a ransom, the company's chief financial officer said last month.

It is particularly difficult to investigate the attack because the virus made surprising moves, researchers said. For example, it logged users out of company systems and made it impossible for them to log back on.

"If you can't log in to see the ransom message, it doesn't really look like ransomware. It looked more like destructive wiper malware," said Earl Carter, a threat researcher at Talos, Cisco Systems Inc.'s cybersecurity group.

For recovery work, Mr. De Vliegher rearranged staff and deployed new security tools. His team is also building tools internally, with some funds redirected from other projects. Remediation is taking a toll on employees, who now rotate tasks with overworked colleagues, he said.

Three weeks in, Mr. De Vliegher's team doesn't have all the answers it seeks.

Investigators don't know how attackers accessed the system but do know that the attackers disguised themselves as legitimate users on the network, he said.

"LockerGoga, the virus in itself, is not rocket science," he said. "The sophistication of the attack is more in what they have done in order to get to the point where they can deploy the virus."

Hackers using LockerGoga need some knowledge of a target company's systems to infect computers manually because the virus can't be deployed remotely, said Rik Ferguson, vice president of security research at Trend Micro Inc., which isn't involved in Norsk's recovery effort.

LockerGoga hit three other industrial companies recently, cybersecurity researchers said. French engineering firm Altran Technologies SA was attacked in January and U.S. chemical companies Hexion Inc. and Momentive Performance Materials Inc. in March. Representatives for Hexion and Altran didn't respond to questions about LockerGoga. A Momentive spokeswoman declined to comment.

Mr. De Vliegher reorganized parts of his security team into groups focused on forensics and security issues related to networks and Microsoft Corp. products.

The team is deploying new security tools such as endpoint monitoring systems and a new policy for how applications access company networks. Mr. De Vliegher declined to provide details about the specific technology changes.

Some of these changes were easier to make than they might have been on a typical day, he said. The work would have required disabling operations for one week or longer, he said.

"We've been using this crisis to rebuild the setup as world class," he said.

When he learned of the cyberattack, Mr. De Vliegher cut short a trip to Brazil to return to Norway. The company's chief executive officer's first questions were about the magnitude of the attack and which business units were hit, Mr. De Vliegher said.

The company's ability to switch its operations into manual mode highlighted the importance of having the ability to override automated systems, he said, "because technology will fail."

"The biggest worry is not week one or week two. It's really when one month has passed and your most critical people are totally exhausted and recovery has still quite a way to go," he said.

Write to Catherine Stupp at Catherine.Stupp@wsj.com

(END) Dow Jones Newswires

April 11, 2019 02:47 ET (06:47 GMT)

Copyright (c) 2019 Dow Jones & Company, Inc.