Cyber Incident Victim: Norsk Hydro
Date: Mar 2019
Location: Norway
Summary
A major aluminum producer was crippled by LockerGoga ransomware, forcing global operations into partial manual mode and disrupting most business areas. The attack compromised IT systems, prompting a shift to manual processes with increased staffing to maintain minimal production losses while avoiding ransom payments through backup restoration. Though employee safety was unaffected and current customer orders remained processable, future requests faced potential delays due to widespread network outages, including the company’s inaccessible website. Response efforts prioritized securing operations, mitigating financial impact, and cleansing and reinstalling infected systems from backups with external support.
Description
On March 18, 2019, Norwegian aluminum manufacturing giant Norsk Hydro detected an extensive cyber attack impacting most of its global business areas. IT staff identified the intrusion around midnight CET, triggering an immediate crisis response. The company publicly acknowledged the incident the following day, revealing it had been forced to transition multiple facilities to manual operations due to widespread system disruptions. External cybersecurity authorities, including Norway's NorCERT, linked the attack to LockerGoga ransomware through partner alerts, noting that the malware may have abused Active Directory infrastructure to compromise network authentication. While NorCERT's head declined to confirm Active Directory targeting in Hydro's case, the Norwegian cybersecurity director publicly cited LockerGoga infection as the leading hypothesis during an 18-minute press briefing, emphasizing ongoing multinational efforts to gather intelligence on the malware.

Norsk Hydro's CFO Eivind Kallevik confirmed the ransomware's operational impact as "quite severe" during the press conference, though production losses remained minimal through rapid adaptation measures. Critical systems restoration relied on pre-existing backup solutions, with the company explicitly rejecting ransom payment as a recovery strategy. Affected facilities implemented manual workflows requiring expanded staffing across multiple shifts, while corporate communications shifted to Facebook due to the main website's inaccessibility (displaying 404 errors). Despite global network outages preventing new order processing, current customer commitments were fulfilled using alternative procedures. The organization maintained 24/7 response operations focused on three priorities: ensuring physical safety across production environments, containing financial and operational damage through system isolation, and executing comprehensive server cleansing followed by backup restoration. No employee or public safety incidents resulted from the attack, though prolonged network unavailability risked disrupting future order fulfillment capacity until full recovery.
