A digital attack that spread from the U.S. to Norway is a stark reminder that even simple digital attacks from low-level hackers can produce major disruptions to people's daily lives and international commerce.
The ransomware attack against Norsk Hydro, one of the world’s largest aluminum manufacturers, stopped production at numerous plants and forced others to switch from digital to manual operations. Company employees had to communicate using cellphones and tablets because they couldn’t access their computers, Hydro officials said.
Hydro was warning visitors with a printed sign not to connect any cellphones or other devices to its networks:
And the hack had broader financial consequences, too: A dip in the company’s stock price sparked concerns about the attack's impact on broader aluminum markets.
That’s the sort of menace that cyber experts typically worry might be caused by a highly-skilled government-backed hacking group bent on damaging a national adversary — but, not this time. Most public evidence suggests this attack was the work of low-level criminal hackers just trying to make a buck.
“So much of our time is spent talking about nation states, criminal syndicates and highly advanced persistent threats, and that’s not what happened in this instance,” Chris Cummiskey, a former Homeland Security Department cybersecurity official who now leads Cummiskey Strategic Solutions, told me. “It sounds like just theft and greed to generate revenue.”
The Hydro attack serves as a reminder, Cummiskey said, that as manufacturing and related sectors increasingly rely on digital and automated systems, they’ll also be increasingly vulnerable to hacking by a whole range of criminal groups — and if those hackers get lucky they can be massively disruptive.
“It does point out that there are these glaring holes, and despite [government and industry’s] best efforts, you just can’t close all of them,” Cummiskey said.
It’s also a warning that cyberattacks far outside the traditional sectors that give heartburn to top government officials — financial services, energy, telecommunications and health care — can be deeply destabilizing, Tod Beardsley, research director at the cybersecurity firm Rapid7, told me.
"[Hydro's] a company that doesn’t leap to mind as a tech company, but the fact that a ransomware attack like this can have a direct effect on real-world commodity prices is surprising and sobering," Beardsley said. The company’s stock price later rebounded Wednesday morning.
The attack against Hydro, which employs about 35,000 people in 40 countries, began with a ransomware virus targeting a U.S. plant that locked and encrypted some files Monday night — essentially turning their contents to gibberish unless the company agreed to pay a ransom.
The infection spread from there to numerous other systems, the company’s chief financial officer Eivind Kallevik said during a news conference yesterday alongside the Norwegian National Security Authority.
“Let me be clear: The situation for hydro . . . is quite severe,” Kallevik said. “The entire worldwide network is down, affecting our production as well as our office operations.”
Kallevik declined to say if Hydro will consider paying the ransom. He did say the company has backed up most of its data and that its “best case” would be to use those backups to restore normal operations once the company’s confident the virus is out of its systems. The hackers have asked the company to contact them about a ransom, but they have not requested a specific sum of money yet, Kallevik said.
Overall, cybersecurity experts gave Hydro high marks for its handling of the ransomware strike on Twitter.
Despite the global slowdown, the fact that the company could resume operations manually suggests that the hackers were not able to jump from its office computers to the specialized technology that runs the plants’ machines, Rendition InfoSec principal consultant Jake Williams noted.
If this is a case study in anything, it's that:— Jake Williams (@MalwareJake) March 19, 2019
1. Manufacturing networks are notoriously insecure
2. Even still, OT wasn't directly infected
Let's call that second one a win.
Cybersecurity researcher Kevin Beaumont praised the company's crisis response for quick action and transparency:
Gotta say Hydro's public facing response has been incredibly good - open, quick, transparent with customers (and public & employees), seniors on camera talking about issues. Wishing them a speedy recovery. I'm in this BBC News piece: https://t.co/QMdeidD3TM— 🦀 Kevin Beaumont 🐝 (@GossiTheDog) March 19, 2019
That transparency likely helped maintain shareholder's confidence in the company, Beaumont suggested.
Note that despite being extremely open about the scale of the issues with public and media and putting execs in front of streams talking about an “extreme” situation, Norsk Hydro’s share price is fine. Compare that to where companies have hidden and minimised things. pic.twitter.com/8WzrOq2Xsd— 🦀 Kevin Beaumont 🐝 (@GossiTheDog) March 20, 2019
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Homeland Security Department cybersecurity officials plan to visit with European allies soon to share what they learned defending the 2018 midterm elections against Russian hackers, CyberScoop’s Sean Lyngaas reported.
The visit comes after Russian hackers allegedly tried to interfere in the French vote in 2017.
“What we’re doing is taking some of the ’16 and ’18 lessons learned, packaging them together, and then doing a bit of a roadshow,” said Chris Krebs, who leads DHS’s Cybersecurity and Infrastructure Security Agency, according to CyberScoop.
“Details of the trip are still being finalized, but Krebs said it also would offer CISA officials an update from the field on adversary activity ahead of the 2020 U.S. presidential election,” Cyberscoop reported.
PATCHED: The scientific journal publisher Elsevier may have exposed the emails and passwords of many of its academic users, Motherboard’s Joseph Cox reported.
The compromise was the result of a misconfigured server that left the information exposed on the public internet. “It’s not entirely clear how long the server was exposed or how many accounts were impacted, but it provided a rolling list of passwords as well as password reset links when a user requested to change their login credentials,” Motherboard reported. That could allow hackers to take control of users' journal accounts -- or other accounts where they use the same or similar passwords.
Elsevier fixed the server after Motherboard alerted it and said it would notify users whose information was exposed. The publisher said it had no indication any passwords were actually viewed by hackers.
PWNED: Bloomberg is tallying the worst corporate hacks of all time. Yahoo takes first place on that list for its 2013 compromise of 3 billion user records. It also takes second place for a separate compromise of 500 million records in 2014. Both those breaches weren’t publicly reported until 2016.
Other top blasts from the data-breach past include Marriott’s 2014 breach (reported in 2018) and, of course, the Equifax breach in 2017.
Check out the full list here.
Cybersecurity news from the public sector:
Cybersecurity news from the private sector: