Cyber Incident Victim: Element ASA
Date:
Sep 2022
Location:
Norway
Summary
Element Nor, a Norwegian concrete manufacturing company, was targeted by the Lockbit 3.0 ransomware group, which claimed responsibility for encrypting the victim's data and threatening to leak stolen information unless a ransom was paid. The company acknowledged the incident but declined to provide details, emphasizing it concerned partners rather than the public, while operations continued unaffected with normal production levels. Lockbit listed the organization on its dark web site, warning of imminent data publication, consistent with the group's tactics of extorting payments through encryption and exposure threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around September 20, 2022, Element Nor AS, a Balsfjord-based industrial company manufacturing concrete elements for construction, was publicly listed as a victim of the Lockbit 3.0 ransomware group on the threat actor’s dark web leak site. Lockbit 3.0, identified as one of the world’s most active ransomware operations at the time, claimed responsibility for the cyberattack. The group issued a threat to publish all exfiltrated data from Element Nor on September 23, 2022, unless unspecified ransom demands were met. Element Nor’s acting CEO, Michael Helmecke, confirmed awareness of the incident in a text message to Digi.no but declined further public commentary, stating the matter concerned the company’s partners rather than the general public. Helmecke, serving as interim managing director, avoided repeated phone inquiries. Factory manager Steinar Nordseth similarly redirected media questions to Helmecke but acknowledged during a phone call that production continued normally at the Laurasætra facility, with audible background noise corroborating operational activity.
The attack followed Lockbit’s standard ransomware model: data theft followed by file encryption, with decryption keys and non-disclosure of stolen data contingent on ransom payment. Element Nor’s public financial disclosures indicated robust pre-incident operations, with record 2021 performance including NOK 188 million in revenue, NOK 13.4 million profit, and approximately 50 employees. Local media reported full order books and strained production capacity prior to the attack. No operational disruptions were observed at the physical facility, and the company’s public communications minimized the incident’s significance. Lockbit’s dark web post provided no technical specifics regarding the breach’s scope, compromised systems, or data types threatened with exposure. Element Nor did not disclose whether ransom negotiations occurred, data backups were utilized, or whether the September 23 leak materialized. The company maintained a consistent posture of limited transparency throughout the incident’s public phase.