Security Market Segment LS
Friday, 22 March 2019 08:56

Norwegian firm attack likely through Microsoft Active Directory: claim Featured


The Windows network at the Norwegian aluminium maker Norsk Hydro was probably infiltrated by attackers who planted the LockerGoga ransomware using something like scheduled tasks or services in Microsoft's Active Directory, a British security expert says.

Kevin Beaumont, who followed the whole episode of infection and also looked carefully at the company's response, said in a detailed blog post that his speculation about the route into the Norsk Hydro system was backed up by an assessment by the NorCERT, the computer emergency response team in Norway.

For this, the attackers needed remote access, and how they gained this was a puzzle that Beaumont said the company could help solve by releasing some of the incident response information later as it would help protect other companies from a similar intrusion.

Beaumont noted that a few weeks before the Hydro calamity, he had pointed out that despite a LockerGoga attack on a French firm, Altran, in January, most endpoint security anti-malware solutions could not detect this strain.

"I actually detonated the ransomware myself on several real world endpoints (in isolated fashion — as you’ll learn later it doesn’t self-replicate too) and I couldn’t find an endpoint security tool which actually triggered a detection (although Cisco’s ThreatGrid sandbox technology did classify it as Generic Ransomware)," he wrote.

Norsk Hydro announced on Wednesday that it had been hit by the Windows ransomware late on Monday evening. The company provided a steady stream of information about what had happened and held regular media briefings about its progress in sorting things out.

On Thursday, the firm said it had called in experts from Microsoft and other security partners to help get business critical systems back to normal.

Beaumont said that once inside the Hydro network, the attackers must have had Domain Admin rights to carry out their plan.

"Usually in companies it is extremely easy to get this access, despite the industry hard selling a range of privileged access management tools, by simply:

  • "fishing logins out of memory using Mimikatz
  • "taking passwords from Active Directory Group Policy Preferences — they’re often right there in the XML files. It’s the go to, bread and butter of ‘Red Teams’.
  • "Pass The Hash attacks and surf around the entire network using the same local administrator passwords because almost nobody deploys Microsoft Local Administrator Password Solution."

Once an attacker had become an Active Directory administrator, it was possible to place the ransomware executable somewhere that every system in the organisation could reach. Under normal circumstances, a firm's internal firewalls accept Active Directory traffic everywhere.

"Bingo, you have the keys to the kingdom – the only thing stopping you now is security controls around endpoint malware, and as we already established those won’t detect LockerGoga at the time of the attack," Beaumont said.

Detailing the impact of LockerGoga, he said:

  • "It ends up using every CPU core and thread during encryption and is very, very fast. This is because it spawns hundreds of executables for encryption. Within a few minutes, an average system is toast.
  • "Additionally, some technical blogs mention a list of file types that are encrypted which only includes things like Office files — I can say first-hand that it also encrypts system files such as .DLL files across the C: drive. Since it is deployed as administrator level using Active Directory, it has full control of all files.
  • "It depends on the version being run (on VirusTotal you can see different LockerGoga executables with different features) but newer versions use netsh.exe to disable all network cards after encryption is done.
  • "It then changes every local administrator account password.
  • "It then logs you off, using logoff.exe."
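As an added illustration, not code from the article or from Beaumont's post, the following Python detector flags the traits quoted above in process-creation telemetry: a parent that fans out a large number of child processes within a short window, a netsh.exe call that disables a network interface, and an execution of logoff.exe. The record layout, file names, thresholds and sample events are all constructed assumptions.

```python
"""Flag LockerGoga-style behaviour (spawn burst, netsh NIC disable, logoff)
in process-creation records. Sample data below is constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record layout: (timestamp, pid, ppid, image path, command line)
def build_sample_events():
    """Constructed sample: one parent spawns 120 encryptor children in
    ~30 s, then disables the NIC with netsh and runs logoff.exe."""
    t0 = datetime(2019, 3, 18, 22, 0, 0)
    ev = [(t0, 4100, 700, r"C:\Windows\Temp\payload.exe", "payload.exe -m")]
    for i in range(120):  # many short-lived child encryptors
        ev.append((t0 + timedelta(seconds=i // 4), 5000 + i, 4100,
                   r"C:\Windows\Temp\payload.exe", f"payload.exe -i SM-{i} -s"))
    ev.append((t0 + timedelta(seconds=40), 6000, 4100, r"C:\Windows\System32\netsh.exe",
               'netsh interface set interface "Ethernet" admin=disable'))
    ev.append((t0 + timedelta(seconds=41), 6001, 4100,
               r"C:\Windows\System32\logoff.exe", "logoff.exe"))
    # Benign noise: an updater that spawns only a handful of helpers
    ev.append((t0, 800, 700, r"C:\Program Files\Updater\upd.exe", "upd.exe"))
    for i in range(5):
        ev.append((t0 + timedelta(seconds=i), 900 + i, 800,
                   r"C:\Program Files\Updater\helper.exe", "helper.exe"))
    return ev

NETSH_DISABLE = re.compile(r"interface\s+set\s+interface\b.*admin\s*=\s*disable", re.I)
SPAWN_THRESHOLD = 50           # assumed tuning values
WINDOW = timedelta(seconds=60)

def detect(events):
    """Return {ppid: sorted reasons} for parents showing the quoted behaviours."""
    children = defaultdict(list)
    for ts, pid, ppid, image, cmdline in events:
        children[ppid].append((ts, image.lower().rsplit("\\", 1)[-1], cmdline))
    findings = defaultdict(set)
    for ppid, kids in children.items():
        kids.sort()
        lo = 0  # sliding window: any 60 s span holding >= SPAWN_THRESHOLD children
        for hi in range(len(kids)):
            while kids[hi][0] - kids[lo][0] > WINDOW:
                lo += 1
            if hi - lo + 1 >= SPAWN_THRESHOLD:
                findings[ppid].add("spawn_burst")
                break
        for _, name, cmd in kids:
            if name == "netsh.exe" and NETSH_DISABLE.search(cmd):
                findings[ppid].add("netsh_disable_nic")
            elif name == "logoff.exe":
                findings[ppid].add("forced_logoff")
    return {p: sorted(r) for p, r in findings.items()}
```

A single hit on any one rule is weak evidence on its own; the combination on one parent process is what makes the pattern worth an alert.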

Beaumont was full of praise for the way Norsk Hydro had managed the incident. "Organisations should look at how Hydro disclosed and dealt with the issue so far in the public arena," he said.

"It looks like it may be a textbook example of how incident response should be done, with transparency and openness. Not only the public and media perception went well, but the business end went well too – people didn’t sell off shares because they felt genuinely informed and that Hydro had a dire situation under control."

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
