Bloomberg Businessweek - USA (2020-07-27)


Instead, De Vliegher oversaw a fitful recovery from the attack, improvising with ancient PCs, fax machines, Post-it notes, and all manner of other analog technology. The response illustrates the painful reality that security consultants and law enforcement officials often bring up: Even when you do everything you can to protect yourself from a cyberattack, a determined adversary will almost always be able to wreak havoc. In other words, it’s less a question of how to stop hackers from breaking in than how to best survive the inevitable damage.

On the night of the attack, De Vliegher had just landed in Belém, Brazil, where Hydro has a large presence. As soon as he heard computers had been encrypted, he took the first flight home. By the time he made it back to Hydro’s corporate headquarters in Oslo, a team of five specialists from Microsoft Corp. was there, working to diagnose the problem and figure out how to restore the company’s data. Employees had taped handwritten notes to the doors warning others not to turn on any phones connected to the company network.

Hydro needed to alert customers, suppliers, employees, and investors, but the company’s website was down. So at 9:42 a.m. the day after the hack, an employee on the communications team used his personal cellphone to make a post on the company’s Facebook page: “Hydro is currently under cyber attack. Updates regarding the situation will be posted on Facebook.”

Next, Hydro had to make sure employees got paid. Banks were refusing to communicate digitally with the company, fearing that whatever had infected its network would spread to them next. Payday in Brazil was two days away, and 5,000 employees there were expecting a check. De Vliegher came up with a solution: He copied the previous month’s paychecks from an external payroll system, removing the employees who’d been fired or quit in the meantime. “It was about 90% accurate,” he says.

Of all the many operations Hydro has around the world, from the bauxite mines in Brazil to the hydroelectric power plants in Norway (hence the name), the damage was worst in Cressona, Pa., where the company operates its largest aluminum plant. The Cressona facility was built by the U.S. government during World War II to make aluminum for weapons; it has a sawtooth roof that was designed to confuse enemy bombers into thinking they were looking at ripples on a lake. The plant is run by Michael Hammer, who started there 25 years ago in accounting and stayed on as it was passed among different owners. (Hydro acquired Cressona in 2017.)

It was dinnertime in Pennsylvania on March 18 when Hammer got a call from Hydro’s vice president for risk management. “Get your folks to the plant,” he remembers the VP saying. “Print out as much stuff as you possibly can before they start pulling the plug on the servers.” Hammer had experienced brief outages before. Maybe someone down the road ran their car into a power line, he thought, figuring the plant would come back online in a few hours.

He knew it was bad as soon as he arrived and saw workers frantically unplugging computers. Then he read the ransom note. “I didn’t even know what the hell Bitcoin was,” he says.

Under normal circumstances, his plant employs 1,180 people, runs 24/7, and produces more than 2.6 million pounds of finished aluminum a year. Walking through it today, you can feel the heat from the furnaces where recycled metal is melted down and reformed into large cylinders. These are heated and pushed through 60-pound circular dies, transforming them into components for such products as window frames and flooring. Imagine pushing Play-Doh through a cookie cutter. Customers include Tesla Inc. and Ford Motor Co.

This kind of manufacturing predates computers, but computers have made it much more complex. Hydro has more than 50,000 dies, and it uses software to keep track of what’s being made and to tell employees which die to pick off the shelf. Without access to customer orders, technicians had no idea what to make. Hydro employees began calling customers, asking them to text or send orders to personal email accounts. With the corporate email system down, plant staff traded phone numbers and communicated by group text.

As the orders started to trickle in, the only way for people on the plant floor to know what to do was by reading off a paper copy of each order. Luckily the plant had a bunch of old computers in storage, which Hammer set up in a war room to print the forms. “We went over to Staples, and we pretty much cleaned them out of printers and paper and cartridges,” he says. Salespeople, whose computers were also hacked, had nothing to do, so Hammer had them strap on safety gear and run paper orders to workers on the plant floor.

For the first week, Hammer lived at the plant, occasionally taking naps on a couch in his office. Losing access to Hydro’s network also meant he wasn’t able to pay his monthly bills to suppliers, and they were calling to ask where their money was. So he pulled an old fax machine out of a closet and asked suppliers to fax payment details, which he then forwarded to Hydro’s bank. The suppliers who still had fax machines lying around got paid first.

Hammer is still searching for answers as to who could have attacked his plant and gotten away with it. “It was a lot of manual stuff, a lot of long hours, a lot of long days,” he says. “And that pain was injected by an evil person. It was a terrorist basically. And what made it worse is it was nameless, faceless. You don’t know where it came from, how it got there.”

Nobody has figured out who attacked Hydro, but signs point toward an organized cybercrime group operating with impunity somewhere in Eastern Europe. The group made headlines last year for hacking point-of-sale systems to steal credit card numbers. Known to security researchers as FIN6, it’s often extracted Bitcoin ransoms in the hundreds of thousands of dollars. “Fin” is short for “financially motivated,” to differentiate the gang from military hacking units affiliated with countries that