The search is on for Hydro hackers


An international investigation is underway to get to the root of this week’s extensive cyber attack on Norwegian industrial concern Norsk Hydro. The partially state-owned company remained mostly offline Wednesday morning, but Hydro officials claimed they were making progress in restoring “secure and stable” operations.

Aluminum production at Hydro’s plant in Holmestrand was affected by the cyber attack, but it could shift over to manual production, also at Karmøy. PHOTO: Hydro ASA

Interpol has joined the investigation into the major attack that set off alarms at Norway’s state police, both the country’s military and police intelligence agencies and Norway’s national security authority NSM.

“We have a coordinating mechanism among the agencies,” Bente Hoff, acting director for Norway’s National Cyber Security Authority (NSM NorCERT), told state broadcaster NRK. The goal is to establish how hackers infected Hydro’s systems, and who is behind the attack.

Hoff said NSM NorCERT was “working with many milieu in this case,” including law enforcement agencies and “partners abroad.”

Tech team got help
Hydro’s own technical team also received help from international data experts to stop the spread of the virus that shut down Hydro’s systems with a demand for ransom to get them back up again. “The virus has been isolated and isn’t spreading further within our systems,” Hydro’s finance director Eivind Kallevig told newspaper Aftenposten. “The central issue was to find the infected servers so that we could cleanse them.”

The company issued a press release Wednesday morning reporting that the team had discovered the reason for the problems and was now working “to validate a plan and process for restarting the company’s IT systems in a safe and responsible manner.” The company still couldn’t say, however, when that would occur.

Asked whether Hydro had received a concrete ransom demand, Kallevig responded that “what’s normal in such situations is that there are open text files in which someone asks for ransom money. We haven’t spent any time on that, nor has there been any request for a certain amount.” Kallevig had declared on Tuesday that Hydro would not pay any ransom money.

‘Most operations normal’
While calling the attack “serious” at a press conference Tuesday afternoon, he seemed to downplay it later by claiming that it had not done much damage. “Most of our operations are running as normal,” he told Aftenposten. “What’s critical now is to maintain good, secure and safe operations for our employees and minimize risk. At the same time we need to find the key to how we can get rid of the virus and reinstall our ordinary IT systems.”

He admitted that administration and production tasks were made “more difficult” because Hydro’s network was shut down. In Norway, the company’s aluminum plants at Karmøy on the West Coast and in Holmestrand southwest of Oslo were most affected. They shifted over to manual operations to keep production going.

Hoff noted that it wasn’t the first time a Norwegian company had been subjected to such an attack. “A crypto virus is nothing new, this has happened several times and not all of the attacks are made public,” she said. “But it seems this one is bigger than those we’ve seen before.”

newsinenglish.no/Nina Berglund