Insights into the Norsk Hydro Cyberattack: Using AD in IT/OT Networks

March 25, 2019

If you've found this article interesting, please visit and follow Radiflow on LinkedIn, where you'll find a wealth of exclusive content. 

One of the world’s biggest aluminum producers, multinational manufacturer Norsk Hydro, announced it had been hit by a ransomware attack of unknown origin, with hackers demanding a ransom.

The attack caused severe damage to the corporate network by disabling network communications on every computer, encrypting files and changing local user accounts to prevent recovery procedures. Norsk Hydro’s incident response team isolated part of the production facilities moved some plants to manual or semi-manual operations and brought external IT and cyber security experts in to assist in investigation and recovery operations.

The analysis of the malware pointed to a rare seen ransomware named LockerGoga which was previously reported as being used in attack on French global engineering and consulting firm Altran in February 2019.

Even though most of cyber security community agrees that the Norsk incident response process was conducted professionally, the attack definitely affected manufacturing activities and caused overall business interruption and operational loss that is yet to be determined.

As part of the incident response process Norsk informed Norway CERT which later mentioned that the attack on Hydro was combined with an attack against its Active Directory (AD).  Also, LockerGoga malware which is reported to infect the Norsk Hydro network does not have the capability to spread in an automatic way so we can only wonder if some network built-in mechanism was exploited by the attackers. Although the exact incident details are still unclear, we will focus our analysis on this architectural issue.