Why the Norsk Hydro attack is a ‘blueprint’ for disruptive hacking operations

A year on, a researcher asks: Could the Norsk Hydro attack have been state-sponsored?
Workers at the Norsk Hydro power operations in Røldal-Suldal, Norway. (Norsk Hydro / Anders Vindegg / Flickr)

It’s been a year since malicious code tore through the computer network of Norwegian aluminum giant Norsk Hydro, forcing the company to shift some of its operations to manual mode and inflicting tens of millions of dollars in damage.

The ransomware attack brought a global manufacturing powerhouse to its knees, and with it more questions than answers about the hackers’ motivations. Attackers targeted a company with good security practices, yet used code that would have made it difficult to collect their extortion fee. Norsk Hydro never paid, a spokesman said.

Now, an investigation published Monday argues that the LockerGoga ransomware variant could have been designed to disrupt rather than to extort — to lock up the enterprise and throw away the key.

Regardless of who was behind the Norsk Hydro attack, it provides a “worryingly effective blueprint” for state-backed hackers to hide behind malware associated with criminals to achieve their goals, says Joe Slowik, adversary hunter at industrial cybersecurity company Dragos.


The Norsk Hydro attack “opens up a fuzzy space between something as blatantly obvious as a state-sponsored disruptive event like NotPetya, and the mass of criminal ransomware events that we see day in, and day out,” Slowik told CyberScoop.

A history of disruption

The hack at Norsk Hydro came two years after the seminal 2017 ransomware and wiperware attacks, WannaCry and NotPetya. Those digital assaults, which U.S. officials and security researchers have attributed to North Korea and Russia, respectively, caused billions of dollars in damage to the global economy. With NotPetya in particular, the malware cascaded out of control, even hitting Russian companies.

The ability of state-affiliated hackers to hide behind criminal tools has grown, in part because of the plausible deniability those tools provide.

In 2015, hackers likely affiliated with the Russian government used a version of a hacking tool previously available on the criminal underground as part of a cyberattack that cut power for some 225,000 people in Ukraine. Relying on available malware, rather than signature hacking techniques, helps attackers cover their tracks and avoid possible retribution.


Based on the available evidence, Slowik couldn’t conclude whether the Norsk Hydro attack was state-sponsored or the work of an independent criminal entity. It very well could be the latter. Ransomware strains such as LockerGoga could be accessed by multiple sets of criminal hackers — without a state-sponsored entity involved.

The LockerGoga variant used on Norsk Hydro was, however, more subtle and controlled than the indiscriminate chaos of NotPetya. It forcibly logged users off their machines and hard-coded administrative passwords — features that added disruptive capabilities to previous LockerGoga samples, Slowik said.

Another possibility is that the Norsk Hydro attacker “thought they were making ransomware that would bring a company to its knees and force them to pay, but went too far and made it impossible for victims to pay,” said Allan Liska, a ransomware analyst at threat intelligence company Recorded Future.

“Sometimes new ransomware actors don’t fully consider the ramifications of their actions,” Liska said.

A ceaseless investigation


The security community has praised Norsk Hydro for its transparency in response to the attack. But more generally, the threat of being sued by victims or sold short by insurers means a lot of companies are keeping attack data under wraps. The less data that is available to researchers, the harder it will be for them to trace the motivations of ransomware attackers.

Slowik and others are trying to shake more of that data loose to warn about the growing ability of attackers to weaponize ransomware. More threat data will be key to differentiating a criminal ransomware attack from one with a government’s fingerprints.

Norsk Hydro hasn’t investigated who was responsible for the attack, a spokesman said, but reported it to Norwegian authorities.

The company has rebuilt its IT network. Like any large company, though, Norsk Hydro continues to face myriad intrusion attempts.

“After the major cyberattack we saw last year, we experienced increased traffic and attempts to break into our system, along with more common examples of fraud,” Norsk Hydro spokesman Halvor Molland said.


The information Norsk Hydro shared about the attack helped other companies block similar hacking attempts, Norwegian officials have said. They are still investigating.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
