At around midnight Oslo time on March 19, 2019, computers owned by Norsk Hydro ASA, a large aluminum manufacturer, started encrypting files and going offline en masse. It took two hours before a worker at its operations center in Hungary realized what was happening. He followed a scripted security procedure and took the company’s entire network offline—including its website, email system, payroll, and everything else. By then, a lot of damage was already done. Five hundred of Hydro’s servers and 2,700 of its PCs had been rendered useless, and a ransom note was flashing on employees’ computer screens.
“Greetings!” the note began. “There was a significant flaw in the security system of your company. You should be thankful the flaw was exploited by serious people and not some rookies. They would have damaged all your data by mistake or for fun.” The message instructed recipients to write to an email address to discuss an unspecified payment, which would have to be made in Bitcoin; in exchange, the hackers would provide an encryption key to reverse the damage.
Like most other large multinationals, Hydro had been at least aware of the possibility of attack. It had a cyber insurance policy, and it had tested its networks with “white hat” hackers—security consultants who attempt to break into a system to check its defenses. “I wouldn’t say we could keep the NSA out,” says Chief Information Officer Jo De Vliegher. “But we were a company with all the normal security in place.”
It wasn’t enough. Some 35,000 employees were locked out of the company’s network, and Hydro had to shut down several manufacturing plants in Europe and the U.S. The ones still operating had to figure out how to do so without any computers. In the end, the attack would cost the company more than $60 million—way more than the $3.6 million the insurance policy has paid out so far, according to an earnings report. It was, according to the prosecutor investigating the breach, the worst cyberattack in Norway’s history.
Despite all this, Hydro never considered paying the ransom, because the anonymous hackers could have just taken their Bitcoin and disappeared. Even if they’d provided the key—and even if the key worked—it would have sent a message that Hydro was an easy mark, leading to future attacks and more extortion.
Instead, De Vliegher oversaw a fitful recovery from the attack, improvising with ancient PCs, fax machines, Post-it notes, and all manner of other analog technology. The response illustrates the painful reality that security consultants and law enforcement officials often bring up: Even when you do everything you can to protect yourself from a cyberattack, a determined adversary will almost always be able to wreak havoc. In other words, it’s less a question of how to stop hackers from breaking in than how to best survive the inevitable damage.
On the night of the attack, De Vliegher had just landed in Belém, Brazil, where Hydro has a large presence. As soon as he heard computers had been encrypted, he took the first flight home. By the time he made it back to Hydro’s corporate headquarters in Oslo, a team of five specialists from Microsoft Corp. was there, working to diagnose the problem and figure out how to restore the company’s data. Employees had taped handwritten notes to the doors warning others not to turn on any phones connected to the company network.
Hydro needed to alert customers, suppliers, employees, and investors, but the company’s website was down. So at 9:42 a.m. the day after the hack, an employee on the communications team used his personal cellphone to make a post on the company’s Facebook page: “Hydro is currently under cyber attack. Updates regarding the situation will be posted on Facebook.”
July 27, 2020