Norsk Hydro, One of the World's Largest Aluminum Producers, Switches To Manual Operations After Ransomware Infection (zdnet.com) 76
Norsk Hydro, one of the world's largest aluminum producers, said today it has "became victim of an extensive cyber-attack" that has crippled some of its infrastructure and forced it to switch to manual operations in some smelting locations. From a report: The cyber-attack was later identified as an infection with the LockerGoga ransomware strain, the company said during a press conference. News of the cyber-attack broke earlier this morning in a message the company sent to investors and stock exchanges. "Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company's business areas," the company said. "IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible."
Install vector? (Score:4, Informative)
The company said the ransomware was planted on its network in late Monday evening
More like an employee who wasn't trained in identifying malicious e-mails got phished....
This is why, in addition to training, all Internet connected computers need to be behind proxies that don't allow executable downloads and application whitelisting should be enabled on the endpoints. There is just no other way to operate these days.
Re: (Score:3, Interesting)
Re:Install vector? (Score:5, Interesting)
Within the last hour I've received a few emails from our overarching IT group indicating some people have clicked a link in a fake email going around. One of the user's accounts has been disabled.
Like you, we all receive yearly training on what type of emails not to open or click links in yet people still do it.
Here's the best part. This email was quarantined by default (Microsoft Exchange) and the user still went ahead and released it so they could read it.
Re: (Score:3)
Re: (Score:2)
or if they are up the food chain ... they get a very strong put down by IT
Well obviously. I'm the CEO, *I* didn't click that button. That's why I have a secretary who prints out all of my emails for me. I even have her print it double-sided just to save paper!
Re: (Score:2)
Yeah... it took Microsoft to come along and make that joke into a reality.
In any sane world (not our current one), reading an email is perfectly safe.
Bullshit. Hasn't been that way for a long time. You have to click on something, be it a link, attachment, or "download images" for anything bad to happen.
In any sane world (not our current one), browsing a web site does not fetch and run scripts.
Yeah, I'll give you this one, but this is absolutely not a Microsoft thing.
Re: (Score:2)
You can read e-mail all day and be safe. There was a relatively short period of time when Outlook and Lotus allowed random execution of JS/Java from just reading e-mails, but that was short lived, and has long since been patched. Downloading and executing random attachments and clicking links to unknown websites are the only attack vectors left. And those aren't inherently an e-mail problem. Virus distributed within images hasn't been a thing for a while either, as far as I know.
I'll certainly agree tha
Re: (Score:3)
The "It'll never happen to me" belief is strong in people, even after it happens to them.
What are you talking about?? That's what the IT people are for. I just click the button to see the risque pictures. Last time I did, the IT people had to clean up a virus that got in somehow. When it was all over I clicked it again because I didn't see the pictures the first time. For some reason they were really mad that time.
Re: (Score:2)
there needs to be a way to enforce security
About 9 years ago, my boss called a meeting with all the personnel and very clearly stated that anyone responsible for a virus breach would have been fired immediately.
So far, none happened.
Re: (Score:1)
About 9 years ago, I bought a rock that keeps lions out of my yard.
So far, no lions.
Re: (Score:2)
In addition FSRM should be setup to monitor all shares for known crypto extensions (there are api calls to get a list of all of them) and when a computer is detected creating one of those files it should be immediately banned from the network.
Re: (Score:2)
Re:Install vector? (Score:4, Informative)
The problem is not so much message authenticity these days.
The scammers have worked around DMARC by just using legit mail senders and legit web hosts/file sharing services like SharePoint.com, Google Drive, etc.
So these days you get a message from a person you know who lost control of their e-mail account credentials. So the message passes SPF, DKIM and DMARC tests. The message contains a link to a legit file sharing site which passes blacklist link testing. The file hosted is a PDF which displays just fine in all modern web browsers because they all come packaged with a PDF reader. The PDF content emulates some kind of other legit service (docusign, etc) with a link to the actual, illegitimate, script-hosting malicious site.
Everything is on the up-and-up as far as all the e-mail filters are concerned and the content is convincing enough or at least familiar enough for it not to raise alarm bells in most users.
IT is a cost center (Score:2, Informative)
...until you realize that your profit centers rely on it.
Maybe develop control systems in Linux not Windows (Score:5, Insightful)
I have to wonder how many of these random malware infections of industrial machinery could be avoided by having all control systems running Linux.
Sure they could still be targeted by a dedicated hacker but at least you wouldn't have general mass-market malware accidentally get in and shut you down.
Maybe you could even use Wine to run existing control software and switch over today... I can't imagine the software they use is very sophisticated in terms of Windows API use.
Re:Maybe develop control systems in Linux not Wind (Score:5, Insightful)
In my experience, lots of factories are running Win95... maybe Win2000 if you're lucky.
I know of PLC aggregation / communication software that literally only exists on Windows, simply because that's what many factories run.
The reason for that is because the first big wave of making "smart factories" was in the late 90s.
And factories, by and large, never replace anything unless it has been fully depreciated... and sometimes, not even then.
Yes, that's why Wine (Score:3)
I know of PLC aggregation / communication software that literally only exists on Windows, simply because that's what many factories run.
Oh yes, I totally agree, I've seen the same thing.
That's why I'm saying, change the systems to run Linux and use Wine to run the software that is Windows only. Only question is what kinds of attached hardware they have that Linux would not support, but I was thinking most of it's probably variants of serial ports and it seems like if anything, obscure hardware cards would b
Re:Maybe develop control systems in Linux not Wind (Score:5, Interesting)
I still need to maintain a bunch of AT computers on MSDOS that run some old pipetting robots. It's how it goes.
Re: (Score:3)
Using a mass-market OS (Windows) for industrial machinery is just as stupid as using a toothpick to open a food can : not the right tool.
Re: (Score:2)
Re: (Score:3)
If the self-checkout terminal is configured as a POS, then it is still receiving security updates:
https://www.zdnet.com/article/... [zdnet.com]
Support goes through April 9, 2019, so time is running out.
Re: (Score:2)
Re:Maybe develop control systems in Linux not Wind (Score:5, Insightful)
Linux won't avoid this situation. The issue isn't OS, it's complacency.
I knew someone who ran a Linux video server on a hardened Red Hat system to monitor security cameras. He never gave it a second thought until his NOC called him at 3am on a Sunday to tell him they had pulled the network cable to his server because it was launching portscans against the rest of their network.
He did the post-mortem on the server and found the attacker got in through an old SSL vulnerability. He said it was a wake up call. Just because you are running Linux with non-essential services disabled, it's meaningless if you aren't applying security updates.
Re: (Score:3)
Do not disable SELinux.
Everything you say is true... but I have yet to figure out how you can do anything productive with SELinux. On the many control/command distros I run, it only causes heaps of strange and hard to diagnose problems, so I always disable it. I don't even know what that damn thing is supposed to DO...
Re: (Score:2)
This is why you run it in passive mode for a while and learn all the violations then whitelist those using the policy generating tools that come packaged with SELinux. It actually isn't that hard and is well worth the effort to learn how to use it.
Re: Maybe develop control systems in Linux not Win (Score:2)
Don't be ridiculous. Linux has the magic many eyes security system that means there are no security flaws. Anyone saying otherwise must be a Microsoft shill.
Re:Maybe develop control systems in Linux not Wind (Score:5, Interesting)
it may not be sophisticated, but my guess is that their PCs have special hardware components and drivers to run their production equipment that are not available in WINE or linux or even Win7.
These boxes should have been on sneakernet, it's really the only solution for something this important yet this vulnerable.
Re: (Score:3)
Re: (Score:2)
Linux wouldn't improve matters - OK i
Re: (Score:3)
I have to wonder how many of these random malware infections of industrial machinery could be avoided by having all control systems running Linux
My take on that is "all of them". I develop, install and maintain industrial control systems and I've refused to install anything on Windows since the early 2000. Most control/command or data acquisition software can be modified and recompiled for Linux (contact me if you want some quote!). Install a limited and ugly distro so users won't want to play games on it, tighten up the security, don't give the root password, don't put it on the 'Net without a double passworded firewall and you are good to go. Neve
SCADA (Score:3)
Lack of Air gaps?
USB thumb drive attack?
Dumb management control system design?
n a subsequent update posted on the company's Facebook page, Norsk Hydro said the cyber-attack did not impact "people safety" and that smelting plants across its vast international network were "running normally on isolated IT systems," although in a manual mode, without the aid of its computer controlled systems.
This ought to be really interesting.
Re: (Score:2)
Re: (Score:2)
be afraid, be very afraid.
Heavy water (Score:2)
So wait... don't the terrorists win, then? (Score:2)
What is the point? (Score:2)
Re: (Score:2)
Re: What is the point? (Score:4, Insightful)
I've been saying this since the 1990s (Score:3)
Instead we get Windows 10 with its forced automatic updates, which breaks the cardinal rule of business equipment - "If it ain't broke, don't fix it."
Re:I've been saying this since the 1990s (Score:4, Insightful)
And even a RO OS can be hacked: they find the user/passwd, they do login, install their botnet, run it until you notice (I have uptimes of YEARS), and when you reboot OK it's gone, but you've still been hacked. Airgap is the only real way to go. Multiple successive (and different) external firewalls is an acceptable alternative.
Re: (Score:2)
Re: (Score:2)
I think you just described SELinux...
Re: (Score:2)
Welcome to the promised age of IoT (Score:2)
Welcome to the promised age of IoT! No, there is no free lunch. Please pay your monthly ransom on time.
Re: (Score:2)
Re: (Score:2)
So why is this corp. connected to net? (Score:1)
Why is there not a real air gap between the Intertoobs and Norsk Hydro? Same can be said about infrastructure like power gen and grid controls, and numerous other big things that could suffer massive damage from some anus or state actor.
Sure, I get that, for example, in power generation, it makes the job of coordinating the systems over a wider area substantially easier. They have to control how much power they add to the regional grid, keep the output freq ~60Hz, etc. Of course, they did t