The IT systems of Norsk Hydro, a top global aluminum producer, were hit with ransomware early Tuesday, forcing the company to temporarily suspend production at some plants, the company and Norwegian authorities said.
The ransomware that struck the company is known as LockerGoga, a nascent strain that first surfaced in January, according to Norway’s federal cybersecurity agency (NSM in Norwegian).
In a statement, the company, which had a market cap of over $12 billion last year, said it is “working to neutralize the attack, but so far does not know the full extent of the situation.”
In a press conference, Hydro CFO Eivind Kallevik said the attack started in its U.S.-based plants, but did not specify any further details on how the malware spread. The company has aluminum remelting facilities in Henderson, Kentucky, and Commerce, Texas. It also has offices in Baltimore.
Kallevik said the company has taken measures to contain and neutralize attack, including switching its industrial control systems to a “manual mode” inside numerous plants.
“Our main priority is to run safe operations,” he said.
Norway’s incident responders have been mobilized. The NSM said it had deployed technical teams to help Norsk Hydro. Norway’s Computer Emergency Response Team has put out a call for information on similar security incidents, and considers the incident at Norsk Hydro “ongoing,” according to the NSM.
“This is a very early stage,” said Mona Strøm Arnøy, NSM’s communications director, according to local news outlet NRK. “We assist Hydro in incident management and analysis, but it is too early to draw any conclusions.”
LockerGoga first appeared earlier this year, when researchers tied it to an attack on French technology consultancy Altran Technologies.
Kallevik said the company is focused on restoring normal operations as soon as possible, but did not give an estimate on how long the process would take. He expects the company to restore operations through backups.
“We have good backup solutions and good routines for that in the company, and that is the main target for how to get operations back to normal,” Kallevik said.
When asked if the company would pay the ransom, Kallevik said the company is concentrating on restoring via backups at this time.
The attack comes as the company announced Monday that it has named a new CEO. Svein Richard Brandtzaeg, who had been Hydro’s CEO since 2009, will be replaced by Hilde Merete Aasheim, a head of one of the company’s units. According to Reuters, the executive change is due in part to an issue at its plants in Brazil that have been shut down due to a Brazilian court order.
Greg Otto contributed to this report.