On Monday, March 18, 2019, Norsk Hydro, one of the world’s largest aluminum producers, announced the replacement of its CEO, who had left the company through early retirement. This followed admissions that the company was responsible for a massive environmental spillage of bauxite residues at its plants in north-eastern Brazil in February 2018. As a result, a government-imposed shutdown of some of Norsk Hydro’s operations had seen aluminum production at its Alunorte refinery cut to just 50 percent of its capacity.
Late that same evening, the company’s IT team became alerted of a major cyberattack. At a press conference the following morning, it was the CFO rather than CEO who disclosed that IT systems in most Norsk Hydro business areas were impacted, including the digital systems at its smelting plants. Apart from switching to manual operations at its smelting plants, several metal extrusion plants had to be shut down. Acting resiliently to avoid infection from one plant to another, Norsk Hydro quickly isolated its plants.
The source of the infection was ransomware known as “LockerGoga” for a file path in its source code. It first appeared in January 2019, striking Altran Technologies – a French engineering firm, which is a leader in automotive cybersecurity. This ransomware has since evolved to achieve a level of sophistication beyond the norm. One example is the use of undocumented Windows API calls for communications.
But deployment of the ransomware is manual, and administrative privileges are needed for successful execution. Unlike WannaCry or NotPetya ransomware which self-replicate across networks and the Internet, LockerGoga can only be used in limited targeted attacks. However, exploitation of the central Active Directory server did allow the ransomware to infect all Norsk Hydro’s workstations at the same time.
With any cyberattack, there is much wider variability in loss outcome than for natural hazards because of the human dimension intrinsic to both attack and defense. On the defensive security side, Norsk Hydro kept their networks and admin systems under one domain, but thankfully this did not include their industrial control systems (ICS) or their Microsoft Office servers, which are based in the cloud. The ransomware enabled the changing of administrator passwords, and since most servers were under the same domain, the attack was able to spread much more rapidly than if there had been a mixture of network segmentation and separate administrated domains.
On the attacker side, the extortionists made it very difficult to pay the ransom; and there was little chance that an infected company could fully restore their systems if they did pay the ransom – which Norsk Hydro did not. There is currently no known way to unlock or decrypt the systems and files encrypted by LockerGoga.
So the primary objective of the hackers may not have been merely financial gain. Possibly, there may have been an environmental protection motive associated with toxic river pollution in Brazil. This might explain a relative lack of hacker tradecraft in the cyber weapon deployed. Given this weapon’s limitation and the possible superior variations available in security architecture, the insured loss outcome to Norsk Hydro might have been much less than the US$40 million estimate.
But counterfactually, the insured loss outcome might have been very much larger if the attack had been perpetrated by Chinese state-sponsored hackers, intent on damaging the aluminum production capacity of a major competitor. Ten percent of the world’s aluminium capacity outside of China came from the Alunorte refinery. A similar scenario could arise in the setting of a corporate transaction (merger, acquisition, or partnership) where a cyberattack such as this could be used to temporarily damage one of the players and thereby affect the transaction price.
Because LockerGoga has the capability for destructive erasure (“wiping”), it could have caused severe damage to industrial control systems, assuming it had network access, e.g. if it became necessary to do an emergency shutdown of critical plant leading to a very costly recovery operation. This scenario actually happened at a German steel mill in a cyberattack during the month of December 2014.
Attack motive remains a dominant human factor broadening the potential spread in cyber insurance loss. Neither the German steel mill attackers nor their motives are known. But it is very unlikely that this was a terrorist operation. As the world was reminded by the online publication of the manifesto of the Australian terrorist who attacked two mosques in Christchurch – terrorism is the language of being noticed. By contrast, it is quite routine for cyber criminals to remain anonymous, and accusations of state sponsorship of cyber attacks are dismissed as fake news.
Every notable event provides another building block for a catastrophe risk model. The Norsk Hydro attack again raises the issue of hacker motive as an insurance loss qualifier, and a factor in grading relative target likelihood.