Norsk Hydro Outage May Have Been Destructive State Attack

The crippling ransomware attack on Norsk Hydro may have been a state-backed attempt to disrupt rather than extort money, and as such provides a “blueprint” for how similar future campaigns may work, Dragos has warned.



The security vendor’s principal adversary hunter, Joe Slowik, claimed in a new report that the new version of LockerGoga seen in the attack on the Norwegian aluminium giant last year could be a taste of things to come on the cyber-warfare battle front.



While previous state-sponsored destructive ransomware efforts like NotPetya can at best be described as a “blunt tool,” the Norsk Hydro attack was more subtly disruptive, he said.



For example, the new version of the ransomware seen in the latter attack appeared “to work at cross-purposes to monetize the infection.” Local user and administrator account passwords were changed to the same hard-coded value, the system network card was disabled and all logged-in users were forcibly logged out.



“The above chain of events means that systems were not only encrypted but became inaccessible. Even viewing the ransom note associated with the event would require additional work, such as forensically imaging the machine to recover the note from disc or analyzing the malware,” Slowik explained. “While viewing ransom information is certainly possible, such items seem curious and counterproductive for efficient monetization.”
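The chain described above (local password resets, a disabled network adapter and forced logoffs on the same host) can be hunted for in Windows event logs. The following is an added example, not code from Dragos or the article; the five-minute window, the two-account threshold, the use of `netsh` to disable the adapter and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed correlation window
MIN_RESETS = 2                 # assumed: distinct accounts reset on one host

def classify(ev):
    """Map a Windows Security event to one of the three behaviours, or None."""
    if ev["id"] == 4724:       # attempt to reset an account's password
        return "reset"
    if ev["id"] == 4634:       # an account was logged off
        return "logoff"
    cmd = ev.get("cmd", "").lower()
    # Assumption: adapter disabled via netsh; the article does not say how.
    if ev["id"] == 4688 and "netsh" in cmd and "disable" in cmd:
        return "nic_off"
    return None

def find_lockout_chains(events):
    """Return hosts showing resets + NIC disable + logoff inside WINDOW."""
    by_host = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind:
            ts = datetime.fromisoformat(ev["ts"])
            by_host[ev["host"]].append((ts, kind, ev.get("target")))
    flagged = []
    for host, items in by_host.items():
        for start, _, _ in items:
            win = [i for i in items if start <= i[0] <= start + WINDOW]
            resets = {t for _, k, t in win if k == "reset"}
            if len(resets) >= MIN_RESETS and {"nic_off", "logoff"} <= {k for _, k, _ in win}:
                flagged.append(host)
                break
    return sorted(flagged)

# Constructed sample events, not taken from the incident.
SAMPLE = [
    {"ts": "2024-01-01T10:00:01", "host": "WS-01", "id": 4724, "target": "Administrator"},
    {"ts": "2024-01-01T10:00:02", "host": "WS-01", "id": 4724, "target": "alice"},
    {"ts": "2024-01-01T10:00:05", "host": "WS-01", "id": 4688,
     "cmd": 'netsh interface set interface "Ethernet" admin=disabled'},
    {"ts": "2024-01-01T10:00:07", "host": "WS-01", "id": 4634, "target": "alice"},
    {"ts": "2024-01-01T09:00:00", "host": "WS-02", "id": 4724, "target": "bob"},    # helpdesk reset
    {"ts": "2024-01-01T09:30:00", "host": "WS-02", "id": 4634, "target": "bob"},
    {"ts": "2024-01-01T08:00:00", "host": "WS-03", "id": 4724, "target": "carol"},  # same signals, hours apart
    {"ts": "2024-01-01T08:00:01", "host": "WS-03", "id": 4724, "target": "dave"},
    {"ts": "2024-01-01T11:00:00", "host": "WS-03", "id": 4688, "cmd": "netsh interface set interface x admin=disabled"},
]
```

Only WS-01 is flagged: WS-02 shows an ordinary single reset, and WS-03 has similar signals but spread over hours and without a logoff.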



Adding further deniability for state hackers is the fact that financially motivated ransomware attacks are taking place with increasing frequency today, providing perfect cover for those who want to use modified versions of the powerful malware already in use, he continued.



“As ransomware has e ..