Norsk Hydro Outage May Have Been Destructive State Attack

The crippling ransomware attack on Norsk Hydro may have been a state-backed attempt to disrupt rather than extort money, and as such provides a “blueprint” for how similar future campaigns may work, Dragos has warned.

The security vendor’s principal adversary hunter, Joe Slowik, claimed in a new report that the new version of LockerGoga seen in the attack on the Norwegian aluminium giant last year could be a taste of things to come on the cyber-warfare battle front.

While previous state-sponsored destructive ransomware efforts like NotPetya can at best be described as a “blunt tool,” the Norsk Hydro attack was more subtly disruptive, he said.

For example, the new version of the ransomware seen in the latter attack appeared “to work at cross-purposes to monetize the infection.” Local user and administrator account passwords were changed to the same hard-coded value, the system network card was disabled and all logged-in users were forcibly logged out.

“The above chain of events means that systems were not only encrypted but became inaccessible. Even viewing the ransom note associated with the event would require additional work, such as forensically imaging the machine to recover the note from disc or analyzing the malware,” Slowik explained. “While viewing ransom information is certainly possible, such items seem curious and counterproductive for efficient monetization.”

Adding further deniability for state hackers is the fact that financially motivated ransomware attacks are taking place with increasing frequency today, providing perfect cover for those who want to use modified versions of the powerful malware already in use, he continued.

“As ransomware has evolved from wildly propagating host-specific infections to more deliberate network compromise, malicious state-directed entities now have a new and valuable option for future disruptive operations,” Slowik concluded.

“The combination of efficacy (when properly implemented, deniability (due to continued widespread criminal activity), and specificity (as self-propagation gives way to precise network compromise) enables selective and controlled targeting of entities for disruption and effective IT-based destruction.”

Tackling this challenge will require greater industry-wide information-sharing, a rethink on the traditional bifurcation between criminal and state-sponsored activity, and an update of related economic modelling, the report claimed.

What’s Hot on Infosecurity Magazine?