<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1462084720533760&amp;ev=PageView&amp;noscript=1">
Skip to content
Right-Side-Virsec-Large Group-Dots-Light Sections
Jun 20, 2019 1:13:25 AM

Through a $40M LockerGoga Cyber Attack, Norsk Hydro Keeps its Good Reputation, Fights Back

From Execs who were transparent and employees who gave their all to get systems back online, Norsk Hydro sets a rare stellar example

This spring, the LockerGoga, a new ransomware, struck industrial and manufacturing firms, bringing to them great devastation. Aluminum manufacturer Norsk Hydro was among many and was particularly hard hit in March. Most victims received an email alerting them that their system has been taken over, similar to the message below. See additional details in our previous blog, LockerGoga Ransomware Slams Industrial Firms in Europe, Could Hit Anyone

LockerGoga ransomware note to users

Systems Down, Access Blocked By Ransomware

For Norsk Hydro, the attack began Monday night around midnight local time in Norway. Their IT systems were attacked and LockerGoga blocked IT from access. Downtime affected production and office operations, with most operations knocked out of commission, forcing them to resort to manual operations.

On March 19, Norsk had to cease normal production. Because hackers blocked them from their regular operations, Norsk employees began operating many units manually. This was successful for its primary metal production, but they had difficulty resuming function with a main production unit. They experienced issues globally at multiple sites. The loss economically due to the disruption was 350 million crowns (Norway currency), or $40M US dollars. Fortunately, Norsk Hydro had an insurance policy with a known company that helped offset this cost.

3 Ways Norsk Hydro Kept its Reputation During LockerGoga Cyberattack

When companies are hit with these cyber attacks, the safety of its people is the first concern. Next, safety of equipment is essential, followed by business operations. Integrity of production and fulfilling customer satisfaction come next.

In a separate category but something everyone will observe, a company must also take care of its reputation. Not due to self-preservation but because integrity matters in times of crisis. In most cyber breaches in recent years, companies have handled them in ways that have ranged from mediocre to abysmal. It’s rare when a company steps up and is honest about their experience in a cyber hack. Norsk Hydro is one of those rare companies.

The Need to Protect a Company’s Reputation

Mihaela Grad, VP of Standing Partnership corporate reputation management firm, laid out the aspects of Norsk Hydro’s response to LockerGoga that give lessons to us all. Her three key steps to protecting a company’s reputation, which Norsk Hydro followed, are below.

From Mihaela Grad, VP of Standing Partnership

Three Key Steps to Protecting Your Reputation During a Cyberattack

As indicated above, cyberattacks disrupt operations, cause financial loss and can also ruin corporate reputations. They bring about heightened scrutiny of the executive team’s reactions and decision-making under pressure, threatening to shatter shareholder and customer trust in a matter of hours.

• Did the company leadership do everything to minimize IT and OT vulnerabilities?
• What steps did they take to contain the damage?
• How are they handling the disruption to business and their customers’ businesses?

The answers to these questions can outlast the immediate impact of a cyberattack. So, what should companies do to prepare and how should they respond if they are hit by a one?

Crisis preparedness includes several foundational elements: a crisis response plan, a cross-functional response team and draft materials for the scenarios most likely to happen. Considering the growing sophistication of malware targeting industrial companies, cyberattacks should be one of the top 5 most-likely-to-happen scenarios.
Norsk Hydro’s response provided a textbook example of how to act well after the recent LockerGaga ransomware attack. Crisis response is immediate in nature and, when handled well, addresses not only the here and now, but also focuses on restoring long-term trust and minimizing reputational damage.

Here are three key steps to incorporate in your crisis response strategy:

Step 1: Be Transparent

Transparency fosters trust. When your stakeholders learn about all your efforts to prevent an attack and restore operations in the aftermath of an incident, they are more likely to give you the benefit of the doubt and continue doing business with you.
Norsk Hydro went above-and-beyond in its efforts to be transparent. Their executive team met with media and industry analysts every day for approximately a week after the attack to provide updates on their efforts to restore operations, and answer questions.

They posted daily updates on their website and social channels, and offered direct access to their media and investor relations representatives. No questions were off-limits, from the complexity of restoring operations to financial impact, and their collaboration with law enforcement officials.

Step 2: Engage with Stakeholders Through Normal Channels

Even during a crisis, it’s important to remember that your stakeholders are accustomed to hearing from your company in different ways. It is not enough to post information on your website. Your social channels need to be updated as well.
Press conferences or on-demand webcasts are a great way of informing stakeholders in various time zones. Legislative representatives, local officials and trade associations might expect direct outreach by phone.

Step 3: Communicate Frequently

A single update is not enough. As daunting as this sounds, it is critical to provide multiple timely updates on the impact of the cyberattack and on the steps taken to contain it. This demonstrates agility, integrity and transparency to your external and internal stakeholders.

You may want to consider devoting part of your website homepage to crisis management updates, storing them in chronological order to show progression. Continue to share developments until the consequences of the cyberattack have been fully addressed.

3 Ways Norsk Hydro Protected its Reputation During the LockerGoga Cyberattack

To assess and manage OT risk, and protect your corporate brand, preparedness is key. And, help is available. The experts at Standing Partnership deliver guidance on how to navigate cyber incidents with minimal damage to your reputation.

Paired with advanced technology that rapidly identifies malware and provides time-saving forensic assistance, your organization should be well equipped to weather the storm of a major cyberattack.

* * * *

Norsk Hydro’s Video Describing Their Experience with LockerGoga

In its efforts to be give the world a window into its experience, the company prepared a video that it shared on YouTube. It showed how employees at Magnor Extrusion in Norway were affected and the many ways they went above and beyond to help restore plant operations. One hundred sixty (160) of Norsk’s plants, including Portland, Oregon, 35,000 people in 40 countries were affected by the cyber attack. Thousands of employees worked around the clock to restore operations.

In employee words:

“With a tremendous effort of our colleagues at Magnor, the plant has managed to get production up to 100% of normal production, despite operating in normal mode.”

“It's in difficult times that people show their true colours. Our CEO @SRBrandtzag and the entire Hydro family works day and night to resolve the cyber attack that hit us last week.”

The Magnor facility’s Production Manager, Olav Schulstad, said people were very supportive and volunteered to help without even being asked. Frode Halteigen, Operator at Magnor, also talked about how the employees, even from the shop floor, sacrificed their personal time with family to help the company get back online. Halteigen was the first to notice something was wrong Monday night, when computer screens went red and error messages came up.

Norsk was also transparent by sharing videos describing how the company itself was affected and the ways it responded in the crisis. They say the attacks began in the US, where they have plants in three states – Oregon, Texas and Kentucky. They haven’t said at which one LockerGoga began.

Thanks to the dedication and quick thinking of its many employees, Norsk Hydro is recovering from the ordeal with the respect of its peers and a story to tell that’s filled with good lessons to be learned for all.

Norsk video, cyber attack on Hydro Magnor

Portland Hydro plant affected

Further resources:


LockerGoga Ransomware Slams Industrial Firms in Europe, Could Hit Anyone


At the recent S4 Conference for the ICS industry, Paul Forney, the Chief Security Architect for Schneider Electric, delivered a compelling presentation on how Schneider Electric reacted and took action against the TRITON attack last December.
Security Monsters Take on ICS Attackers (Triton Attack)

White paper:
Triton ICS Attack







Right-Side-Virsec-Large Group-Dots-Light Sections