Hydro Hit by LockerGoga Ransomware via Active Directory
Aluminum giant Norsk Hydro has been hit by an attack that appears to have distributed ransomware to endpoints by using the company’s own Active Directory services against it.
Security experts say the strain of ransomware used against Hydro, called LockerGoga, is used in highly targeted attacks and in January was used to extort a French engineering firm.
Oslo-based Hydro, which is Norway’s second-largest employer, says the attack began Monday at a U.S. plant and spread to some of the other facilities it operates across 50 countries before being contained.
In response, the firm says it’s switched to manual processes in many factories, which has necessitated having many more employees working shifts in factories to maintain “safe and sound operations.” In addition to plants in Norway, Reuters reports that some plants in Qatar and Brazil were also being operated manually.
“The attackers at Altran and Hydro know what they are doing,” says British security researcher Kevin Beaumont (@GossitheDog). “It’s well organized extortion.”
On Wednesday, Hydro said it is still creating a recovery plan and as yet has no solid timeline for when it might be able to restore all affected systems.
“Hydro’s technical team, with external support, has succeeded in detecting the root cause of the problems and is currently working to validate the plan and process to restart the company’s IT systems in a safe and sound manner,” Hydro said in a statement on Wednesday. “However, it is still not clear how long it might take to restore stable IT operations.”
“Let me be clear: The situation for Hydro is quite severe,” Hydro CFO Eivind Kallevik told reporters at a Tuesday press briefing. But he emphasized that the company is planning to restore all affected systems from backups, rather than paying any ransom.
What Was ‘Root Cause’?
David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements, has called on Hydro to publicly detail the “root cause” of the attack as quickly as possible, to help safeguard other potential victims.
“If this root cause includes identification of the method used to introduce the malicious code – either through end-user device compromise or remote access to servers – it would be great for the wider community if Hydro could share this information at an early stage,” Stubley tells Information Security Media Group. “By doing so, other organizations could take proactive steps to learn from this incident and avoid being subjected to a similar attack.”
Hydro’s Response Earns Plaudits
Already, Hydro’s response has been earning plaudits from security experts, who have noted that the company had a disaster recovery plan in place, including excellent public outreach and transparency.
“While Norsk Hydro have been badly impacted by this attack, it is good to see that they have been able to continue their business operations, although at a lower rate,” cybersecurity consultant Brian Honan, who heads Dublin-based BH Consulting as well as Ireland’s first computer emergency response team, IRISSCERT, tells ISMG.
“This attack is a prime example as to why you need to include your cyber-incident response plans with your business continuity plan,” he says. “In today’s business world companies need to look at how to remain resilient in the event of a successful cyberattack.”
Seeking Other Victims
Norway’s Computer Emergency Response Team has issued a public request for other victims to come forward.
“NorCERT warns that Hydro is exposed to a LockerGoga attack. The attack was combined with an attack on Active Directory (AD),” it says in its alert, government-owned broadcaster NRK reports.
“NorCERT asks for information about others affected by similar events,” it adds. “NorCERT assists Hydro and the incident is considered ongoing.”
Norway’s National Criminal Investigation Service, called Kripos, says it learned of the attack on Tuesday morning via the country’s Joint Cyber Coordination Center, and has been assisting Hydro as well as liaising with the EU’s law enforcement intelligence agency, Europol. While Norway is not part of the EU, it is part of the European Economic Area, and in 2001 the country signed an agreement with the EU that allows it to participate in Europol (see No-Deal Brexit Threatens British Crime Fighting).
Kripos says it recently created a dedicated group, called NC3, to investigate hacking and data breaches.
What Is LockerGoga?
Multiple security experts have said that LockerGoga was previously used against Paris-based Altran in January.
After it was hit, Altran said in a statement: “To protect our clients, employees and partners, we immediately shut down our IT network and all applications.”
Following the attack, BleepingComputer reported that LockerGoga was first discovered in the wild by the anti-ransomware researchers known as MalwareHunterTeam (@malwrhunterteam).
Based on an analysis shared by the security researcher known as Valthek, BleepingComputer reported that LockerGoga’s code was “sloppy, slow, and made no effort to evade detection.”
MalwareHunterTeam on Tuesday reported that they’d found a new sample of LockerGoga that was uploaded to malware-identification service VirusTotal from a system in Oslo.
Targeted Extortion
Beaumont says LockerGoga is only used by attackers as part of one-off attacks.
“LockerGoga is only used in limited targeted attacks. It does not have a ‘spreader,’ it’s not like WannaCry or NotPetya. It has to be deployed by an attacker who already has admin access,” Beaumont said via Twitter.
Attackers can gain admin access to sites in a variety of ways. Security experts say one common approach is to purchase stolen or brute-forced remote desktop protocol credentials from cybercrime markets. Using RDP gives attackers remote access to an organization’s network, which they may spend weeks or months studying and raiding for sensitive data, before finishing with ransomware to try to further monetize their efforts (see Stolen RDP Credentials Live On After xDedic Takedown).
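The defensive counterpart to the RDP credential abuse described above is to watch the authentication logs for it. The following is an added example, not code from the article or from any of the organizations it names: it runs a simple brute-force-then-success detector over a handful of constructed Windows Security event records. The event IDs (4625 failed logon, 4624 successful logon) and Logon Type 10 (RemoteInteractive, i.e. RDP) are standard Windows values; the pipe-delimited line format, the account names, the IP addresses and the threshold are assumptions made for the example.

```python
"""Flag RDP brute-force-then-success patterns in Windows Security logs.

Each constructed record below (not from the Hydro incident) is a simplified
rendering of a Security event: Event ID 4625 is a failed logon, 4624 a
successful one, and Logon Type 10 is RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp|event_id|logon_type|account|source_ip
SAMPLE_LOG = """\
2019-03-18T02:00:01|4625|10|svc_backup|203.0.113.7
2019-03-18T02:00:03|4625|10|svc_backup|203.0.113.7
2019-03-18T02:00:05|4625|10|svc_backup|203.0.113.7
2019-03-18T02:00:08|4625|10|svc_backup|203.0.113.7
2019-03-18T02:00:10|4625|10|svc_backup|203.0.113.7
2019-03-18T02:00:12|4625|10|svc_backup|203.0.113.7
2019-03-18T02:00:15|4624|10|svc_backup|203.0.113.7
2019-03-18T08:15:00|4625|10|jsmith|10.0.0.25
2019-03-18T08:15:30|4624|10|jsmith|10.0.0.25
2019-03-18T08:20:00|4624|2|jsmith|10.0.0.25
"""

FAILED_LOGON = "4625"      # Windows Security: An account failed to log on
SUCCESS_LOGON = "4624"     # Windows Security: An account was successfully logged on
RDP_LOGON_TYPE = "10"      # RemoteInteractive (Terminal Services / RDP)


def parse_line(line):
    """Split one pipe-delimited record (assumed export format) into fields."""
    ts, event_id, logon_type, account, source_ip = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": event_id,
        "logon_type": logon_type,
        "account": account,
        "source_ip": source_ip,
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (source_ip, account, failure_count, success_ts).

    An alert fires when one source IP produces at least `threshold` failed
    RDP logons for an account within `window`, followed by a successful RDP
    logon for that same account from that same source.
    """
    events = sorted((parse_line(l) for l in log_text.strip().splitlines()),
                    key=lambda e: e["ts"])
    failures = defaultdict(list)   # (source_ip, account) -> failure timestamps
    alerts = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue               # only RDP sessions are of interest here
        key = (e["source_ip"], e["account"])
        if e["event_id"] == FAILED_LOGON:
            failures[key].append(e["ts"])
        elif e["event_id"] == SUCCESS_LOGON:
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((e["source_ip"], e["account"],
                               len(recent), e["ts"].isoformat()))
            failures[key].clear()  # a success ends the current attempt run
    return alerts


if __name__ == "__main__":
    for ip, account, count, when in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"ALERT: {ip} failed {count} RDP logons as {account}, "
              f"then succeeded at {when}")
```

In the sample, only the `svc_backup` sequence trips the rule: six failures inside ten minutes followed by a success from the same address. The single `jsmith` failure is the kind of typo a real user makes and stays below the threshold, and the Logon Type 2 event is ignored because it is a local console logon, not RDP. In production the same logic would read exported events from a SIEM rather than an inline string.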
Stubley at 7 Elements says many attacks appear to involve one group raiding an organization for intellectual property, then selling access to less-skilled attackers who deploy ransomware.
On Wednesday, security researchers reported that the code underlying LockerGoga is not related to Ryuk, which is another type of ransomware that has also been used in targeted attacks (see 11 Takeaways: Targeted Ryuk Attacks Pummel Businesses).
Hydro’s website remained unavailable on Tuesday. By Wednesday, it had been updated with a placeholder, suggesting that the company’s IT department had at least regained control of those servers, if not yet restored the underlying systems.