Three large chemical manufacturing companies based in Norway and the US have fallen victim to ransomware attacks, after a program called LockerGoga gained access to systems, encrypted files and disrupted operations.
On 19 March the global aluminium producer Norsk Hydro was forced to shut down its plants and worldwide network after a security breach blocked access to files and changed the passwords of user accounts across several of its corporate and production control systems. The malware issued a ransom note stating that files had been encrypted and demanding payment in bitcoin to restore access to data.
A few days later, two US-based chemical companies – Momentive and Hexion – announced they had also been hit by cyber attacks and had shut down IT systems to contain the incidents. Both are owned by the public equity firm Apollo Global Management. According to an anonymous employee, who spoke to Motherboard, these attacks occurred earlier than the one on Norsk, on 12 March.
The same encryption program – called LockerGoga – is thought to be behind all three attacks. The Motherboard report says the wording of the ransom demand to Momentive was identical to that received by Norsk.
The incidents follow warnings from security experts that chemical companies are vulnerable to cyber attacks. Parham Eftekhari from the Institute for Critical Infrastructure Technology in the US tells Chemistry World that ransomware infections have greatly increased over the past three years.
‘Ransomware is easy to deploy and it proves profitable if even one victim decides to pay,’ he says. ‘The chemical, petrochemical and other relevant sectors are vulnerable to ransomware and other forms of malware due to the convergence of Internet of Things and other automation technologies.’
He adds that LockerGoga is a relatively new and evolving ransomware, with dozens of variants. Investigators aren’t 100% sure how it got into the systems at Norsk, Momentive and Hexion. There are several possibilities, including stolen remote desktop credentials, phishing and targeting software that hasn’t been adequately updated or patched to improve security.
In the immediate aftermath of the incident Norsk was forced to switch to manual production at its plants. Staff at 40 offices and manufacturing facilities were told to disconnect devices from the network while security experts were brought in to fix the issue.
In a recent statement the company said the threat has now been contained and most operations are running at normal capacity – but that many industrial systems were still being run manually while backups were restored. It estimated the attack has cost NOK300–350 million (£27–31 million) so far, mainly because of having to shut down production in the extruded solutions unit, which produces aluminium components for building, electronics and transport industries.