Norway’s leading private and publicly owned companies are deepening their collaborative cyber defence relationship with national security agencies in the wake of two massive ransomware attacks on Norway-based businesses.
The Norsk Hydro attackers demanded a ransom of €51m to “disinfect” the group’s global IT systems of malware. This followed a similar attack on Norwegian software company Visma last autumn.
The attack on Norsk Hydro’s core IT infrastructure caused serious disruption to its administration systems and key production areas. The financial cost of the attack is still being assessed, but an early estimate by the part state-owned group indicates that the final bill could exceed €46m.
Norsk Hydro’s preliminary cost analysis is based on profit margins on lost output and the need to shut down a number of manufacturing lines that were affected by the attack. Most of the company’s industrial product manufacturing and energy production operations had been restored to normal or near normal levels by the end of April.
The cyber attack also caused delays to a range of Norsk Hydro’s administrative functions and processes, including systems for reporting, billing and invoicing. On the production side, the attack forced the company to switch to manual operations where feasible, pending efforts by the group’s IT security unit to neutralise the assault.
The severity of the attack is reflected in Norsk Hydro’s decision to delay the release of its first-quarter results until June. The interim figures will include costs and losses sustained by all areas of the company’s operations that were hit by the attack.
“Maintaining normal or near normal production levels requires a lot of extra effort from all our personnel,” said Eivind Kallevik, Norsk Hydro’s chief financial officer. “This is a large company with 35,000 employees and operations in 40 countries and all continents. The attack impacted several thousand servers across the company. A full recovery is a complex and time-consuming process. Returning IT operations to a fully normalised setting takes time.”
The attack has left Norsk Hydro with the time-consuming task of systematically rebuilding its group IT systems and security infrastructure, which is being coordinated in partnership with Microsoft.
The work is being supported by cyber and IT security experts from among the company’s other IT services partners and national cyber security agencies. A fundamental task is to restore virus-infected systems to a pre-infected state.
“Working with Microsoft and our other IT security partners, we were able to take all the necessary actions in a systematic way to get business-critical systems back into normal operation,” said Jo De Vliegher, CIO at Norsk Hydro.
The attack caused many of the company’s IT systems to be shut down, not because they were infected, but in order to contain the virus and prevent it from spreading further, said De Vliegher.
“We needed to cure the infected parts of our network before reopening the healthy parts,” he added.
The cyber assault on Norsk Hydro followed a similar attack on Oslo-headquartered IT services company Visma in the autumn of 2018. Norway’s national security authority, NSM, believes there is a high probability that China was behind the attack on Visma – a view that is shared by Visma’s own external cyber defence experts.
The NSM is now issuing more regular warnings to Norwegian companies to scale up their risk assessment and IT defences against the higher frequency of more sophisticated cyber attacks and threats by “foreign intelligence services”. The threat is increasingly targeting public and private companies that have oversight of critical infrastructure and extensive customer databases.
A forensic analysis of the March attack on Norsk Hydro is being conducted by an inter-agency team of cyber security experts, working with the company’s own in-house cyber security department, at Norway’s Joint Cyber Coordination Centre (JCCC).
The agencies involved include the NSM, the Norwegian Intelligence Service (NIS), the National Criminal Investigation Service (Kripos) and the Norwegian Police Security Service (PST). The NIS is the Norwegian Defence Force’s main intelligence unit and comes under the jurisdiction of the Ministry of Defence.
Vidar Sandland, a senior adviser to the Norwegian Centre for Information Security, said the cyber attacks on Norsk Hydro and Visma underline the need for a coordinated national approach to businesses’ preparedness, and building capacities to counter malicious cyber threats.
“In the case of the data breach at Visma, we have seen this kind of attack before,” said Sandland. “Those behind such attacks tend to target companies delivering critical IT services to businesses. Attackers seem to have access to the login information for the IT systems they are targeting.”
With about 900,000 customers across Scandinavia and Europe, Visma is one of Norway’s biggest cloud computing companies. The cyber attack on its IT system was detected quickly, enabling the company to block the intrusion and protect clients’ systems and data.
In what the NSM judges to be a case of industrial espionage launched by China, the hackers were able to capture internal encrypted passwords linked to a number of Visma employees. Using this channel, the attackers gained access to, and appropriated, the user names and passwords of almost all of Visma’s 8,500 personnel. However, the company’s IT security unit was able to neutralise efforts by the attackers to break the encryption shield protecting staff names and passwords.
Visma is the type of company that is an increasingly attractive target for hackers, said Torgeir Waterhouse, director of internet and new media at IKT, which represents Norway’s IT industry.
“Companies in Visma’s industry area generally have a substantial database of information, ranging from HR files to contracts and accounts,” he said. “This is the type of usable information that interests hackers. The intention is to capture as much data on the company being hacked as well as their clients.”