Three large chemical manufacturing companies based in Norway and the US have fallen victim to ransomware attacks, after a program called LockerGoga gained access to systems, encrypted files and disrupted operations.

On 19 March the global aluminium producer Norsk Hydro was forced to shut down its plants and worldwide network after a security breach led to access to files being blocked and passwords changed to user accounts across several of its corporate and production control systems. The malware issued a ransom note stating that files had been encrypted and demanding payments in bitcoin to restore access to data.

The chemical, petrochemical and other relevant sectors are vulnerable to ransomware and other forms of malware

Parham Eftekhari, Institute for Critical Infrastructure Technology

A few days later, two US-based chemical companies – Momentive and Hexion – announced they had also been hit by cyber attacks and had shut down IT systems to contain the incidents. Both are owned by the public equity firm Apollo Global Management. According to an anonymous employee, who spoke to Motherboard, these attacks occurred earlier than the one on Norsk, on 12 March.

The same encryption program – called LockerGoga – is thought to be behind all three attacks. The Motherboard report says the wording of the ransom demand to Momentive was identical to that received by Norsk.

The incidents follow warnings from security experts that chemical companies are vulnerable to cyber attacks. Parham Eftekhari from the Institute for Critical Infrastructure Technology in the US tells Chemistry World ransomware infections have greatly increased over the past three years.

‘Ransomware is easy to deploy and it proves profitable if even one victim decides to pay,’ he says. ‘The chemical, petrochemical and other relevant sectors are vulnerable to ransomware and other forms of malware due to the convergence of Internet of Things and other automation technologies.’

He adds that LockerGoga is a relatively new and evolving ransomware, with dozens of variants. Investigators aren’t 100% sure how it got into the systems at Norsk, Momentive and Hexion. There are several possibilities, including stolen remote desktop credentials, phishing and targeting software that hasn’t been adequately updated or patched to improve security.

Aftermath

In the immediate aftermath of the incident Norsk was forced to switch to manual production at its plants. Staff at 40 offices and manufacturing facilities were told to disconnect devices from the network while security experts were brought in to fix the issue.

In a recent statement the company said the threat has now been contained and most operations are running at normal capacity – but that many industrial systems were still being run manually while backups were restored. It estimated the attack has cost NOK300–350 million (£27–31 million) so far, mainly because of having to shut down production in the extruded solutions unit, which produces aluminium components for building, electronics and transport industries.

Several commentators have praised Norsk’s response to the incident. Dale Peterson, an expert in industrial control system security (ICS), has said the case illustrates the importance of having the ability to recover from a cyber incident, as most ICS are ‘insecure by design’. ‘It appears that Norsk Hydro had an incident response plan, that included moving to manual operations, and the ability to recover,’ he says. In these cases, he adds, it doesn’t appear that there was any intention to affect the companies’ products or equipment, or threaten employees’ or customers’ safety.

Both Momentive and Hexion said in near-identical statements that the companies’ manufacturing processes, which rely on separate networks to the ones that were attacked, ‘have continued to operate safely, largely without interruption’ and that the incidents had primarily affected corporate functions. Both said they had ‘taken steps to restore network[s] and resume normal operations as quickly as possible’.

Momentive said it ‘took immediate action to contain the incident and has implemented its business continuity plan’. ‘The company has found no evidence that any customer, supplier or employee information was accessed or exfiltrated during this incident, or that any customer or supplier systems or data outside the company’s network have been impacted,’ it added.

Hexion said that when the incident was discovered, it ‘immediately took aggressive steps to isolate the issue by disabling certain systems and notifying the appropriate government authorities’, and was now working with customers and suppliers to minimise disruption.