Security Market Segment LS
Friday, 22 March 2019 08:56

Norwegian firm attack likely through Microsoft Active Directory: claim Featured

Norwegian firm attack likely through Microsoft Active Directory: claim Pixabay

The Windows network at the Norwegian aluminium maker Norsk Hydro was probably infiltrated by attackers who planted the LockerGoga ransomware using something like scheduled tasks or services in Microsoft's Active Directory, a British security expert says.

Kevin Beaumont, who followed the whole episode of infection and also looked carefully at the company's response, said in a detailed blog post that his speculation about the route into the Norsk Hydro system was backed up by an assessment by the NorCERT, the computer emergency response team in Norway.

For this, the attackers needed remote access, and how they gained this was a puzzle that Beaumont said the company could help solve by releasing some of the incident response information later as it would help protect other companies from a similar intrusion.

Beaumont noted that a few weeks before the Hydro calamity, he had pointed out that despite a LockerGoga attack on a French firm,. Altran in January, most endpoint security anti-malware solutions could not detect this strain.

"I actually detonated the ransomware myself on several real world endpoints (in isolated fashion — as you’ll learn later it doesn’t self-replicate too) and I couldn’t find an endpoint security tool which actually triggered a detection (although Cisco’s ThreatGrid sandbox technology did classify it as Generic Ransomware)," he wrote.

Norsk Hydro announced on Wednesday that it had been hit by the Windows ransomware late on Monday evening. The company provided a steady stream of information about what had happened and held regular media briefings about its progress in sorting things out.

On Thursday, the firm said it had called in experts from Microsoft and other security partners to help get business critical systems back to normal.

Beaumnont said once inside the Hydro network, the attackers must have had Domain Admin rights to carry out their plan.

"Usually in companies it is extremely easy to get this access, despite the industry hard selling a range of privileged access management tools, by simply:

  • "fishing logins out of memory using Mimikatz
  • "taking passwords from Active Directory Group Policy Preferences — they’re often right there in the XML files. It’s the go to, bread and butter of ‘Red Teams’.
  • "Pass The Hash attacks and surf around the entire network using the same local administrator passwords because almost nobody deploys Microsoft Local Administrator Password Solution."

Once an attacker had become an Active Directory administrator, it was possible to place the ransomware executable in a place where every system in an organisation could reach. Under normal circumstances, a firm's firewall universally accepts Active Directory traffic internally.

"Bingo, you have the keys to the kingdom  –  the only thing stopping you now is security controls around endpoint malware, and as we already established those won’t detect LockerGoga at the time of the attack," Beaumont said.

Detailing the impact of LockerGoga, he said:

  • "It ends up using every CPU core and thread during encryption and is very, very fast. This is because it spawns hundreds of executables for encryption. Within a few minutes, an average system is toast.
  • "Additionally, some technical blogs mention a list of file types that are encrypted which only includes things like Office files — I can say first-hand that it also encrypts system files such as .DLL files. across the C: drive. Since it is deployed as administrator level using Active Directory, it has full control of all files.
  • "It depends on the version being run (on VirusTotal you can see different LockerGoga executables with different features) but newer versions use netsh.exe to disable all network cards after encryption is done.
  • "It then changes every local administrator account password.
  • "It then logs you off, using logoff.exe."

Beaumont was full of praise for the way Norsk Hydro had managed the incident. "Organisations should look at how Hydro disclosed and dealt with the issue so far in the public arena,." he said.

"It looks like it may be a textbook example of how incident response should be done, with transparency and openness. Not only the public and media perception went well, but the business end went well too  –  people didn’t sell off shares because they felt genuinely informed and that Hydro had a dire situation under control."


You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer


QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments