Get Hacked, Gather Troops, Go Manual & Rebuild. Communicate by Facebook, FAX & Personal EMAIL

Bloomberg Businessweek July 27, 2020 pp50-53 “Breakthrough Technologies For Surviving a Hack”. “How a big manufacturer beat ransomware attackers without paying the ransom”. By William Turton.

Norsk Hydro ASA, a Norwegian firm that manages hydroelectric dams and other businesses, was hacked on March 19, 2019 with the LockerGoga virus by a financially motivated group known as FIN6. The note from FIN6 read “Greetings! There was a significant flaw in the security system of your company. You should be thankful the flaw was exploited by serious people and not some rookies. They would have damaged all your data by mistake or fun.” The message asked for a ransom in Bitcoin. The virus shut down systems and even changed the passwords of key IT operators to evade initial detection. Hydro refused to pay the ransom: it was unsure of the outcome, did not understand or trust Bitcoin, and believed that paying was strategically and ethically wrong.

Instead they dug in, with leaders getting their hands dirty and getting their 35,000 employees engaged, including sales staff. Under the guidance of CIO Jo De Vliegher, Hydro immediately shut down all computer systems and servers and went into full manual mode: communicating broadly by Facebook, relying on data from third-party payroll systems to pay workers, paying vendors based on FAXed invoices, resurrecting old PCs, printers and fax machines, and using personal EMAILs to and from clients to specify which of 50,000 dies was needed to fabricate specific aluminum products in their Cressona, PA plant. Meanwhile they created a locked-down “War Room” to recode while others worked off-site, in France, to build new IT hardware that would be brought online when appropriate.

By September their IT operations were mostly back to normal. Despite Hydro's industry-standard cybersecurity, FIN6 had apparently used a legitimate customer's EMAIL to attack with the LockerGoga virus. They modified an attachment, and when that was opened "it executed a malicious code, allowing the invaders access to the entire network."

To Hydro's credit, by communicating well, using manual workarounds and great teamwork, they maintained an acceptable level of aluminum product delivery. Insurance paid out $3.6M and they were able to absorb a loss estimated at $60M.