Bloomberg Businessweek - USA (2020-07-27)


have active cyberweapons programs, including China, North Korea, Russia, and the U.S.

FIN6’s signature weapon is a virus called LockerGoga, named after one of the files buried in its malware. There are dozens of variants of the software, and Hydro thinks the attackers deployed more than one within its network, making it harder to expunge from the company’s systems.

Ransomware hackers generally penetrate computers more or less at random, then use a self-propagating software program—a worm—to work their way deeper into the corporate network. But in Hydro’s case, the attackers gained access by hijacking a legitimate email from an Italian customer. The customer had attached a file, which the hackers modified. When the file was opened, on Dec. 5, it executed malicious code, allowing the invaders access to the entire network. They waited until March to launch their attack. The company doesn’t know if the hackers first compromised the customer or if the message was intercepted and changed in transit.

Hydro wasn’t the first industrial company to be hit by the LockerGoga virus. A French engineering company, Altran Technologies SA, was struck in January 2019. Later that year, U.S. chemical companies Hexion Inc. and Momentive Performance Materials Inc. received copies. Large industrial companies aren’t conventional ransomware targets, leading some computer security researchers to wonder if the attacks were about sabotage rather than greed.

In addition to encrypting Hydro’s computers, the virus changed the password of every administrator account, logged those accounts out, then restarted each computer, making it harder for employees to even see the ransom note—which didn’t include a specific demand for money, or even the address of a Bitcoin wallet. There was just an email address. Of course, these idiosyncrasies could have been dreamed up by FIN6 to make Norsk executives feel more vulnerable, says Charles Carmakal, senior vice president for cybersecurity firm Mandiant. Norsk says there’s no evidence the hackers wanted anything other than money.

Investigators at Kripos, Norway’s equivalent of the FBI, and Europol, the EU’s law enforcement agency, are still sifting through terabytes of data from the hack. They’re not especially optimistic about making an arrest. Cybercrime groups use encrypted apps and take payment in cryptocurrency, making traditional policing tools, such as wiretaps and search warrants, useless. On top of that, the cross-border nature of crime creates mountains of paperwork to retrieve evidence that may be stored on servers in another country. “The criminals can communicate freely without law enforcement being able to read what they are saying,” says Knut Van Jostein, the prosecutor leading the investigation.

Back at Hydro’s headquarters, the emergency response team spent weeks locked inside a conference room as they rebuilt the entire network from scratch. They were paranoid about any further intrusions, so even the cleaning staff was barred from entering. De Vliegher says the room got very messy. “This is the most secure room we have, so we don’t want anyone to leave whatever spy pens and microphones and stuff behind,” he says in an interview in Oslo.

Recovery meant creating a safe zone of computers that definitely didn’t have the virus and slowly moving other machines that had been verified as clean over to the new network. Progress was slow. Three weeks after the attack, Hydro had a total of four functioning PCs in all of the U.S. Employees in France set up a makeshift assembly line to build new, non-infected PCs, and created a sort of bucket brigade to transport PCs across Europe. Workers drove to a gas station in the middle of the country to swap infected computers for clean ones. At a plant in Magnor, east of Oslo, pensioners who lived nearby came out of retirement to help with printing and sorting orders.

Hydro executives are grateful the loss was just $60 million. In the darkest days following the hack, some feared they’d fall so far behind on orders it would sink the entire company. “We came out of it stronger because of all the 35,000 people that worked overtime, weekends, changed jobs. Nobody complained,” De Vliegher says. “But in a company where that willingness is not there, it’s lethal.”

Things were mostly back to normal when a Bloomberg Businessweek reporter visited last September, but the company still hadn’t fully recovered. In Magnor, employees had lost access to the software that runs its production line. Luckily, a similar plant in Denmark was spared, and an employee there sent a copy of the program on a flash drive. The staff electrician in Magnor, who moonlights as an IT support guy, figured out how to install the new copy. The software works well enough, though it’s all in Danish.

◀ Norsk Hydro’s Cressona plant