Norwegian aluminum producer Norsk Hydro hit with large ransomware attack

The ransomware that struck Norsk Hydro IT systems is known as LockerGoga, a nascent strain that first surfaced in January.

The IT systems of Norsk Hydro, a top global aluminum producer, were hit with ransomware early Tuesday, forcing the company to temporarily suspend production at some plants, the company and Norwegian authorities said.

The ransomware that struck the company is known as LockerGoga, a nascent strain that first surfaced in January, according to Norway’s federal cybersecurity agency (NSM in Norwegian).

In a statement, the company, which had a market cap of over $12 billion last year, said it is “working to neutralize the attack, but so far does not know the full extent of the situation.”

In a press conference, Hydro CFO Eivind Kallevik said the attack started in its U.S.-based plants, but did not specify any further details on how the malware spread. The company has aluminum remelting facilities in Henderson, Kentucky, and Commerce, Texas. It also has offices in Baltimore.


Kallevik said the company has taken measures to contain and neutralize attack, including switching its industrial control systems to a “manual mode” inside numerous plants.

“Our main priority is to run safe operations,” he said.

Norway’s incident responders have been mobilized. The NSM said it had deployed technical teams to help Norsk Hydro. Norway’s Computer Emergency Response Team has put out a call for information on similar security incidents, and considers the incident at Norsk Hydro “ongoing,” according to the NSM.

“This is a very early stage,” said Mona Strøm Arnøy, NSM’s communications director, according to local news outlet NRK. “We assist Hydro in incident management and analysis, but it is too early to draw any conclusions.”

LockerGoga first appeared earlier this year, when researchers tied it to an attack on French technology consultancy Altran Technologies.


Kallevik said the company is focused on restoring normal operations as soon as possible, but did not give an estimate on how long the process would take. He expects the company to restore operations through backups.

“We have good backup solutions and good routines for that in the company, and that is the main target for how to get operations back to normal,” Kallevik said.

When asked if the company would pay the ransom, Kallevik said the company is concentrating on restoring via backups at this time.

The attack comes as the company announced Monday that it has named a new CEO. Svein Richard Brandtzaeg, who had been Hydro’s CEO since 2009, will be replaced by Hilde Merete Aasheim, a head of one of the company’s units. According to Reuters, the executive change is due in part to an issue at its plants in Brazil that have been shut down due to a Brazilian court order.

Greg Otto contributed to this report. 

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts